Eight to Late

Sensemaking and Analytics for Organizations

Reasons and rationales for not managing risks on IT projects – a paper review

with 7 comments


Anticipating and dealing with risks is an important part of managing projects. So much so that most frameworks and methodologies devote a fair bit of attention to risk management:  for example, the PMI framework considers risk management to be one of the nine “knowledge areas” of project management.  Now, frameworks and methodologies are normative– that is. they us how risks should be managed – but they don’t say anything about how are risks actually handled on projects.   It is perhaps too much  expect that all projects are run with  the full machinery of  formal risk management, but it is reasonable to  expect that most project managers deal with risks in some more or less systematic way.  However, project management lore is rife with stories of projects on which risks were managed inadequately, or not managed at all (see this post for some pertinent case studies).  This begs the question:  are there rational reasons for not managing risks on projects?    A paper by Elmar Kutsch and Mark Hall entitled, The Rational Choice of Not Applying Project Risk Management in Information Technology Projects,  addresses this question.   This post is a summary and review of the paper.


The paper begins with a brief overview of risk management as prescribed by various standards. Risk management is about making decisions in the face of uncertainty. To make the right decisions, project managers need to figure out which risks are the most significant. Consequently, most methodologies offer techniques to rank risks based on various criteria.  These techniques are based on many (rather strong) assumptions, which the authors summarise as follows:

  1. An unambiguous identification of the problem (or risk) including its cause
  2. Perfect information about all relevant variables that affect the risk.
  3. A model of the risk that incorporates the aforementioned variables.
  4. A complete list of possible approaches to tackle the risks.
  5. An unambiguous, quantitative and internally consistent measure for the outcomes of each approach.
  6. Perfect knowledge of the consequences of each approach.
  7. Availability of resources for the successful implementation of the chosen solution.
  8. The presence of rational decision-makers (i.e. folks free from cognitive bias for example)

Most formal methodologies assume the above to be “self-evidently correct” (note that some of them aren’t correct, see my  posts on cognitive biases as project meta-risks and the limitations of scoring methods in risk analysis for more). Anyway, regardless of the validity of the assumptions,  it is clear that achieving all the above would require a great deal of commitment, effort and money.    This, according to the authors,  provides a hint as to why many projects are run without formal risk management. In their words:

…despite the existence of a self-evidently correct process to manage  project risk, some evidence suggests that project managers feel restricted in applying such an “optimal” process to manage risks. For example, Lyons and Skitmore (2004) investigated factors limiting the implementation of risk management in Australian construction projects. Similar findings about the barriers of using risk management in three Hong Kong industries were found in a further prominent study by Tummala, Leung, Burchett, and Leung (1997). The most dominant factors for constraining the use of project risk management are the lack of time, the problem of justifying the effort into project risk management, and the lack of information required to quantify/qualify risk estimates.

The authors review the research literature to find other factors that could reduce the likelihood of risk management being applied in projects. Based on their findings, they suggest the following as reasons  that project managers often offer as  justifications (or rationales)  for not managing risks:

  1. The problem of hindsight: Most risk management methodologies rely on historical data to calculate probabilities of risk eventuation. However, many managers feel they cannot rely on such data for their specific (unique) project.
  2. The problem of ownership: Risks are often thought of as “someone else’s problem”. There is often a reluctance to take ownership of a risk because of the fear of blame in case the risk response fails to address the risk.
  3. The problem of cost justification: From the premises listed above it is clear that proper risk management is a time-consuming, effort-laden and expensive process. Many IT projects are run on tight budgets, and risk management is an area that’s perceived as being an unnecessary expense.
  4. Lack of expertise: Project managers might be unaware of risk management technique.  I find this hard to believe, given that practically all textbooks and methodologies yammer on,  at great length, about the importance of managing risks. Besides, it is a pretty weak justification!
  5. The problem of anxiety:  By definition, risk management implies that one is considering things that can go wrong.  Sometimes, when informed about risks, stakeholders may decide not to go ahead with a project. Consequently, project managers may limit their risk identification efforts in an attempt to avoid making stakeholders nervous.

When justifying the decision not to manage risks, the above factors are often presented as barriers or problems which prevent the project manager from using risk management. As an illustration of (5) above, a project manager might say, “I can’t talk about risks on my project because the sponsor will freak out and throw me out of his office.”

Research Method

The authors started with an exploratory study aimed at developing an understanding of the problem from the perspective of IT project managers – i.e. how project managers actually experience the application of risk management on their projects. This study was done through face-to-face interviews. Based on patterns that emerged from this study, the authors developed a web-based survey that was administered to a wider group of project managers. The exploratory phase involved eighteen project managers whereas the in-depth survey was completed by just over a hundred  project managers all of whom were members of the PMI Risk Management Special Interest Group. Although the paper doesn’t say so, I assume that project managers were asked questions in reference to a specific project they were involved in (perhaps the most recent one?).

I won’t dwell any more on the research methodology;  the paper has all the  details.

Results and interpretation

Four of the eighteen project managers interviewed in the exploratory study did not apply risk management processes on their projects. The reasons given were interpreted by the authors as cost justification, hindsight and anxiety. I’ve italicized the word “interpreted” in the previous sentence because I believe the responses given by the project managers could just as easily be interpreted another way. I’ve presented their arguments below so that readers can judge for themselves.

One interviewee mentioned that, “At the beginning, we had so much to do that no one gave a thought to tackling risks. It  simply did not happen.” The authors conclude that the rationale for not managing risks in this case is one of cost justification, the chain of logic being that due to the lack of time, investment of resources in managing risks was not justified. To me this seems to read too much into the response. From the response it appears to me that the real reason is exactly what the interviewee states –  “no one thought of managing risks” – i.e. risks were  overlooked.

Another interviewee stated, “It would have been nice to do it differently, but because we were quite vulnerable in terms of software development, and because most of that was driven by the States, we were never in a position to be proactive. The Americans would say “We got an update to that system and we just released it to you,” rather than telling us a week in advance that something was happening. We were never ahead enough to be able to plan.” The authors interpret the lack of risk management in the this case as being due to the problem of hindsight – i.e.  because the risk that an update poses to other parts of the system could not have been anticipated, no risk management was possible. To me this interpretation seems a little thin – surely, most project managers understand the risks that arbitrary updates pose. From the response it appears that the real reason was that the project manager was not able to plan ahead because he/she had no advance warning of updates. This seems more a problem of a broken project management process rather than anything to do with risk management or hindsight. My point: the uncertainty here was known (high probability of regular updates),  so something could (and should) have been done about it whilst planning the project.

I’ve dwelt on these examples because it appears that the authors may have occasionally fallen into the trap of pigeon holing interviewee responses into their predefined rationales (the ones discussed in the previous section)  instead of listening to what was actually being said.  Of course, my impression is based on a reading of the paper and the data presented therein. The authors may well have other (unpublished) information to support their classification of interviewee responses. However, if that is the case, they should have presented the data in the paper  because the reliability of the second survey  depends on the set of predefined rationales being comprehensive  and correct.

The authors present a short discussion of the second phase of their study. They find that no formal risk management processes were used in about one third of the 102 cases studied. As the authors point out, that in itself is an interesting statistic, especially considering the money at stake in typical IT projects. In cases where no risk management was applied, respondents were asked to provide reasons why this was so. The reasons given were extremely varied but, once again, the authors pigeon-holed these into their predefined categories. I present some of the original responses and interpretations below so that readers can judge for themselves.

Consider the following reasons that were offered (by respondents) for not applying risk management:

  1. We haven’t got time left.”
  2. No executive call for risk measurements.”
  3. Company doesn’t see the value in adding the additional cycles to a project.” (?)
  4. Upper management did not think it required it.”
  5. Ignorance that such a thing was necessary.”
  6. An initial risk analysis was done, but the PM did not bother to follow up.”
  7. A single risk identification workshop was held early in the project before my arrival. Reason for not following the process was most probably the attitude of the members of the team.”

Interestingly, the authors interpret all the above responses (and a few more ) as being attributable to the cost justification rationale. However, it seems to me that there could be several other (more likely) interpretations.  For example: 2, 3, 4, 5 could be attributed to a lack of knowledge about the value of managing risks whereas 1, 6, 7 sound more like simple (and unfortunately, rather common!)  buck-passing.


Towards the end of the paper   the authors make an excellent point about the  rationality of a decision not to apply risk management. From the perspective of formal methodoologies such a decision is irrational. However, rationality (or the lack of it) isn’t so cut and dried. Here’s what the authors say:

…a decision by an IT project manager not to apply project risk management may be described as irrational, at least if one accepts the premise that the project manager chose not to apply a “self-evidently” correct process to optimally reduce the impact of risk on the project outcome. On the other hand, … a person who focuses only on the statistical probability of threats and their impacts and ignores any other information would be truly irrational. Hence, a project manager would act sensibly by, for example, not applying project risk management because he or she rates the utility of not using project risk management as higher than the utility of confronting stakeholders with discomforting information….”

…or spending money to address issues that may not eventuate, for that matter. The point being  that people don’t make decisions based on prescribed processes and procedures alone; there are other considerations.

The authors then go on to say,

PMI and APM claim that through the systematic identification, analysis, and response to risk, project managers can achieve the planned project outcome. However, the findings show that in more than one-third of all projects, the effectiveness of project risk management is virtually nonexistent because no formal project risk management process was applied due to the problem of cost justification.

Now, although it is undeniable that many projects are run with no risk management whatsoever,  I’m not sure I agree with the last statement in the quote. From the data presented in the paper, it seems more likely that a lack of knowledge  and “buck-passing”  are the prime reasons  for risk management being given short shrift on the projects surveyed. Even if cost justification was  offered as a rationale by some  interviewees,  their quotes suggest that the real reasons were quite different. This isn’t surprising: it is but natural  to attribute to unacceptable costs that which should be attributed to oversight or failure.  I think this may be the case in a large number of projects on which risks aren’t managed. However,  as the authors mention, it is impossible to make any generalisations based on small samples .  So, although it is incontrovertible that there are a significant number of projects on which risks aren’t managed, why this is so remains an open question.

Written by K

November 25, 2009 at 11:07 pm

7 Responses

Subscribe to comments with RSS.

  1. Kailash,
    I’d conjecture that the statistic of 1/3 of all projects failed to show the effectiveness of risk management is ill-structured in the absence of a baseline assessment of the process they applied and the sample space of all projects applying risk management.

    As a programmatic risk manager, the processes we are guided by are rarely applied on IT projects. These process start with the DoD Risk Managers Guide and flow into other agencies.

    The anecdotal examples of IT risk management I have seen locally revolve around, “we have a list of risks, which 1/2 are actually issues, not risks. We have ranked then and when the occur we’ll do something about them.”

    Weak at best, non compliant to any risk management process – DoD or SEI CRM.


    Glen B. Alleman

    November 26, 2009 at 1:13 pm

    • Glen,

      You’re probably right: the two-thirds who claimed to have used risk management processes would very likely have used subjective techniques to score and rank risks. As you say, these are weak at best; they are also downright misleading at worst (I’ve discussed this point in another post).

      Your observation regarding risks vs. issues is spot on: many IT projects managers tend to take a reactive approach in that they end up managing issues rather than risks.





      November 26, 2009 at 9:37 pm

  2. K – concur with your opinions.

    Also – Risk management can not be effectively run without support from stakeholders and sponsors.

    Risk management is essentially an outward facing process. If those people on the border of your project team and beyond aren’t interested in participating, how can you run a formal risk management process/

    Which leads to informal risk management which is/can be practiced as an alternative.



    November 26, 2009 at 2:08 pm

    • Craig,

      Absolutely – risk management would be largely ineffective without stakeholder buy-in. I guess this is why lack of stakeholder support is a commonly offered rationale for not managing risks. However, even in cases where stakeholders aren’t interested, it does help to apply a process (whether formal or informal) to identify risks and monitor them.





      November 26, 2009 at 10:01 pm

    • Craig and K,
      I’d start with the internal view. The external view is “informative,” the internal view is “actionable.”

      Remember Tim Lister’s quote – “Risk Management is How Adults Manage Projects.”


      Glen B. Alleman

      December 1, 2009 at 12:27 pm

  3. Hi, Kailash!

    Nice post!

    Yes, I also think risk management is how adults manage projects. Keeping this in mind, I have a couple of questions for you:

    1. I don’t know how far you’re keeping up with RM in (the construction sector) in India – we’re preparing to host the C’wealth Games next year and nothing is really ready here. Development/ construction costs will easily top $ 1 billion. Its a mega project, not only in terms of cost, but reputation to us.
    How much RM do you think they attempted?

    2. Based on the earlier question, and your comments on stakeholder buy-in, how far do you think public and private sector organisational attitudes obstruct smooth development?




    Narendra Khanna

    December 4, 2009 at 9:58 pm

    • Narendra,

      Thanks for your comments.

      I haven’t been following the preparations for the CWG, but after your question I did a bit of digging around and found the Site Evaluation Commission Report for the 2010 Commonwealth Games published in 2003, before Delhi was awarded the games (the other site was Hamilton, Ontario). I think you’ll find the report interesting. What caught my attention was that Hamilton had budgeted USD 2.3 million for legal/risk management explicitly (see page 49) whereas Delhi’s budget does not have a line for risk management. Although one shouldn’t read too much into this, I think it says something about the differing attitudes to risk held by the respective authorities.

      Regarding your second question: organisational attitudes are absolutely critical in determining how particular processes and activities are viewed within the organisation. In general. organisations that are open and have flat hierarchies are better at assimilating new processes. Risk management is no exception. Rigid bureaucracies are the worst: denial is the norm until it is much too late.





      December 5, 2009 at 6:13 pm

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: