Eight to Late

Sensemaking and Analytics for Organizations

On the social construction of IS project risks

with 6 comments


Most approaches to project risk management prescribe a structured approach to managing risks involving steps such as identification, analysis and response planning (see the PMBOK Guide, for example).  Implicit in this approach is the assumption that risks exist “out there” and   can be identified via systematic investigation.  Among other things, this leads to a view that it is possible – and indeed, desirable – to identify all possible risks on a project, and then manage these through the lifecycle of a project. Of course, new risks may emerge, but the underlying belief is that these too can be identified and managed using a structured approach.  In short, the fundamental assumption is that risks have an objective existence and can therefore be identified by an examination of the project and its environment.

In a paper entitled, The Limits of Risk Management – A Social Construction Approach, Bernd Stahl and co-authors argue that the traditional view of risk management is limited because:

  1. The assumption of objectivity leads to a false sense of security.
  2. It (often) ignores (or understates) risks that may be specific to certain organisations or situations.

Consequently, they suggest that it may be more fruitful to view risks as social constructs – perceptions of reality that are products of social interactions between stakeholders. In this post I explore this somewhat unusual view of risk. I’ll first illustrate the general idea of risk as social construct and then describe how some common IS project risks can be seen as social constructs. I’ll end with a brief look at the implications of this for project risk management.

Project risks as social constructs

The first step in classical (or standard) risk analysis is to identify all possible events that may affect the project.  However this, in principle, is impossible because there is no general method to do so. Consequently, risk managers usually compile lists of potential risks (based on prior experience, research literature, textbooks, brainstorming etc.) and use these as starting points for analysis.  The point is, all these methods are ad-hoc and, despite claims to the contrary, cannot guarantee a comprehensive coverage of all risks.  This point is made very clearly in a  paper by Lyytinen et. al. which examines four techniques of software project risk analysis and concludes that there are substantial differences between them.  Quoting from the conclusion to the Lyytinen paper:

…practitioners should be cautious with regard to the expected miracles of any risk management approach. Risk management approaches are neither complete nor risk-proof (my italics). Their value in the context of managing complex socio-technical change is that they put high premium on shaping management attention through learning new organizing schemes that help make sense of the development situations in new ways…

According to Stahl, the conclusions of the Lyytinnen (and a few other researchers)  support the idea that  risk s is a social construct that comes about as a result of  interactions and agreements between those involved in the project (and individual perceptions of these):

We believe that [the] objective concept of risk is flawed and threatens the success of the entire enterprise. A concept of objective risk raises the expectation that risks can be completely controlled. Also, it suggests that once the comprehensive list of risks is compiled, the end of the theoretical work is reached and managerial practice can take over. These factors can combine to create a false sense of security that will dull managers’ attention and can thereby create even bigger risks. We hold risk to be a social construction depending on social agreements and on individual perceptions. It must be ascribed to become real.

In my opinion there’s a big  leap of logic in the above paragraph:  I do not see how ”the expectation that risk can be completely controlled” and the “false sense of security this creates” implies that risk is a construct that depends on “social agreements  and individual perceptions.” Nevertheless, I do believe that the social constructionist view of risk is useful because most project risks have a social dimension. I’ll elaborate on this point via examples in the next section.

IS project risk as a social construct – some examples

Most of the research literature on social construction tends to be hard to read and devoid of examples that professional project managers can relate to. This is a shame because much of this work casts a critical eye on the implicit assumptions that underlie project management practice. So, instead of quoting from and paraphrasing hard-to-read papers, I’ll illustrate how some common project risks have a social dimension.

The risks I consider are drawn from a paper entitled, Early warning signs of IT project failure: the dominant dozen, by Leon Kappelman and his co workers.  The paper presents the top twelve early-stage project risks based on an analysis of data gathered from project professionals and a survey of research literature.  I’ll discuss how  four risks from Kappelman’s dominant dozen have social origins.

Lack of top management support

According to Kappelman et. al.  this is the number one risk in IS projects.  The point is that this risk most often arises because of (dysfunctional) politicking between managers. As  Kappelman et. al. state :

In many cases, IT projects get caught up in enterprise politics where there are fundamental disagreements about overall enterprise priorities. In these cases the resources and enterprise-wide commitment required for success are lacking. Middle managers do not see the project as being important to the enterprise or to their performance evaluations and therefore redirect resources and attention to activities that top management does support.

The point is: this risk is often a consequence of corporate politics, which is very much a social construct.

Lack of stakeholder involvement and/or participation

The following passage from the paper highlights the socially constructed nature of this risk:

If key project stakeholders do not participate in major review meetings, it signals they are not engaged in the project and therefore the project is not a high priority for them. Other stakeholders soon begin to disengage too. The project manager then finds it harder to get the participation and resources necessary for project success, especially from those who are not full-time members of the project team. Often such project team members get reassigned to other projects that are perceived to be more important.

The point is – key stakeholders, through their influence in the organisation, can cause a project to go awry.

Another common situation is one in which stakeholders lose interest in a project because they do not see the benefits of being involved. This point is well-recognised in traditional risk management which highlights the importance of getting stakeholder buy-in. The point here is that this risk is a consequence of individual perceptions, not of objective reality. In other words,  it is a social construct.

Lack of documented requirements and/or success criteria

This risk is an old classic, discussed and analysed by several well-known writers.  As Robert Glass  mentions in his book on the facts and fallacies of software engineering:

This problem is caused by the fact that the customers and users for the software solution are not really sure of what problem they need to have solved. They may think they know at the outset, only to discover as the project proceeds that the problem they wanted to solve is too simplistic or unrealistic or something else they weren’t expecting. Or they may really not know anything at the outset and are simply exploring solutions to a vague problem they know needs to be solved….

Regardless of the causes or the outcome, the point is that Ill defined scope means that different stakeholders have different interpretations of what’s to be delivered.  Consequently, project objectives become a matter of interpretation and opinion. This shows how even something as basic as project objectives are actually social constructs – they depend on individual stakeholder perceptions. Seen in this light it isn’t a stretch to say that there can be  as many objectives as there are stakeholders!

Communication breakdown among stakeholders

This risk is perhaps the most obvious social construct – communication is not only the lifeblood of a project, it is also the basis on which professional and social relationships are built. Communication becomes all the more important on projects environments where diverse stakeholders and ongoing change are the norm. As Kappelman et. al. state:

Any significant project has multiple stakeholders and requires an ongoing choreography of various tasks and resources.  Change over the life of the project is inevitable — business environment, competitor strategic and tactical moves, laws and regulations, management team, staff turnover, resource availability, and cost — to name just a few possibilities. If all stakeholders do not  communicate and work together on an ongoing basis, the project team will be pulled in multiple directions…

Communication breakdowns can occur for a variety reasons, but most of these arise because of conflicting viewpoints of those involved. As I have written in a post on project communication, “A shared world-view –  which includes a common understanding of tools, terminology, culture, politics etc. –  is what enables effective communication within a group.”


The above examples show how common project risks have a social dimension, even if they are not entirely social constructs.  The social aspects of risk are often ignored because they are hard to handle –   it is much easier to follow a process than to deal with stakeholders who are (or might get) upset. Consequently risks such as communication breakdown or lack of management support are not broached because of the high cost of speaking up.  I contend that many project risks remain unaddressed because of this.

The implications of a social constructionist view of risk can be summed up as follows:

  1. It is impossible, in principle, to compile authoritative lists of all possible risks.
  2. Risks should be studied in the context of a particular project and its environment. This includes technical, social and organizational aspects of the environment.
  3. Particular emphasis should be given to relationships between stakeholders as these may present barriers to an honest assessment of risks.

These implications suggest that a participatory approach involving open deliberation is mandatory for successful  risk management. As Stahl et. al. put it:

Indeed, a checklist of risks is just a starting point for an ongoing debate on risk. Management should identify the stakeholder of risky decisions and engage in a free discourse about the nature and the evaluation of risks. The stakeholder discourse could be used to define responsibilities . The stakeholders as parties interested in the process are presumably best suited to identify risk factors. Ideally this process would lead to a consensus concerning the risks. Similar approaches have been suggested in the literature, however, we wish to emphasise that only when managers understand that risk is a social construct will the complex and costly process of stakeholder discourses as a way of dealing with risk make sense (my italics).

Summing up

The mathematical and analytical machinery of risk management can obscure the fact that  managing risks  is as much an art as a science, calling for skills in dealing with people as well as probabilities. Organisational politics, individual perceptions and interactions between different stakeholder groups play a role in creating risks.  In other words, risks are not objective entities, they have a social dimension.

Written by K

December 2, 2010 at 5:33 am

6 Responses

Subscribe to comments with RSS.

  1. […] This post was mentioned on Twitter by Dux Raymond Sy, PMP, Kailash Awati. Kailash Awati said: On the social construction of IS project risks: http://bit.ly/gKd3XE […]


  2. I agree entirely. Risk does have social dimension. In a reactive business organisation priorities change overnight, therefore ensuring participation by key decision makers in major review meetings is unrealistic. The downward impact of this is immeasurable. If one of the remaining forum has their own perspective (interests), and little understanding of the strategic objective of the project, momentum can be lost entirely.



    December 2, 2010 at 9:00 am

    • Absolutely. This ia a major issue in reactive organisations. Unfortunately project managers have little or no say in setting organisational strategy. However, they can attempt to get early warnings of changes by keeping informal channels of communication open – a ear to the ground, so to speak. They can then address potential stakeholder disengagement and/or its consequences (if it is inevitable) before it starts to become a real problem.





      December 2, 2010 at 6:45 pm

  3. I find this discussion of social impact on risk interesting.

    When I think of project risk I think of levels of uncertainty.

    What I mean is that involved stakeholders (or the entire team as a collective unit) has some degree of uncertainty about X, Y and Z.

    Let’s assume we have identified X so that there is little to no uncertainty as to what it represents. If the impact of X is uncertain I think that’s where the social impact comes in (especially as it relates to evaluating or reducing uncertainty). If the impact of X is more certain then the social impact decreases.

    In identifying or coming to a shared understanding as to what X represents I see considerable social impact. However in the same sense if X is well known/understood by the involved parties then I see little social impact (or importance) in the identification.

    So what I am suggesting is that we really have the identification of risks as two parts. The first is what the risk represents and the second is what it’s impact is.

    Do you disagree with looking at risks in these ways? This is how I work through risk management in my head or with people – focusing on the first part of identification and then focusing on the second part. In terms of actually mitigating or taking actions on risks I think we all have models that are clearer for that.


    Richard Harbridge

    December 7, 2010 at 6:44 am

  4. Richard,

    Thanks for your comment. You’re right – the first two steps in risk management – identification and analysis – have a social dimension. However, I think even response planning can have a social aspect – for example, a manager might address the risk of late delivery by enlisting external help but a developer who has read The Mythical Man-Month may not approve of this action!

    The other thing I would like to mention is that many risks actually result from (dysfunctional?) social interactions- I’ve discussed a few of these in the post. Consequently they really are social constructs.

    Thanks again for taking the time to read and respond to the post- I truly appreciate it.





    December 7, 2010 at 10:38 pm

  5. I’ve already faced the “Lack of stakeholders involvement”. It’s a real risk that could destroy the project or at least delay it.


    Anass Khochtaf

    December 12, 2010 at 5:44 am

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: