Abstract
There is an abundance of research advice and practitioner guidance on how to manage risk in information technology (IT) projects. It seems that everyone knows what they should do with respect to risk management, and yet the promised payoffs from following risk management procedures do not eventuate: across industries and organizations, IT projects have an unenviable reputation, with projects failing outright or at least failing to live up to expectations. Does this failure result from inadequacies in the risk management guidance that organizations rely on, or is it a failure by organizations and their project managers to effectively implement this guidance? In this paper we discuss one organization’s innovative approach to making IT project risk management realistic, practical, and effective.
The IT project risk management approach presented here is the culmination of over five years of collaborative practice research within the Project Management Center of Excellence (PMCoE) of a large, municipal organization. The aim of the initiative was to improve the organization’s IT project success rate, and the PMCoE worked through three practical action research cycles to develop and refine a new approach to early risk assessment. The approach is well founded in research findings, and the PMCoE has been able to demonstrate its effectiveness through careful monitoring of project performance data.
The PMCoE’s contingency-based risk assessment process provides a visual aid for surfacing overall inherent risk at the early stages of IT projects, thereby enabling the proactive implementation of strategies to establish an appropriate level of oversight and to improve foundational elements of the project when it is still malleable. The PMCoE’s early risk assessment process, and the risk spider chart that is the primary tool in this assessment, involves a review of a small set of project dimensions known to be related to project performance, without requiring probability-impact estimates of individual risks, which often amount to little more than guesswork at the stages leading up to project launch. The dimension-based assessment provides an easily measurable determination of the overall risk level of a project at the very early stages of the project, and enables the PMCoE to make suggestions to improve the odds of success from the start. The risk assessment process and risk spider chart tool have now been used on over 100 projects, and the organization has been able to demonstrate a steady improvement in project metrics since 2006 when the work began.
The PMCoE’s early project risk assessment process is readily customizable for different organizations and project contexts, and provides a model for other organizations striving to engage in effective practices to improve IT project outcomes.
Keywords: IT project risk management; risk spider chart; project oversight; IT project success dimensions
Introduction
There is an abundance of research advice and practitioner guidance on how to manage risk in information technology (IT) projects. It seems that everyone knows what they should do with respect to risk management, and yet the promised payoffs from following risk management procedures do not eventuate: across industries and organizations, IT projects have an unenviable reputation, with projects failing outright or at least failing to live up to expectations (Sauer, Gemino, & Reich, 2007; Standish Group, 2005). Does this failure result from inadequacies in the risk management guidance that organizations rely on, or is it a failure by organizations and their project managers to effectively implement this guidance?
Most firms use some kind of risk assessment for their IT projects, using checklists for determining the risks that might threaten a particular project, and applying an evaluation, usually based on estimates of probability and impact, to rank the highest threats. However, there is considerable evidence that, while these risk assessments have a foundation in research findings and best practice recommendations, they are not being effectively applied in practice (Bannerman, 2008; de Bakker, Boonstra, & Wortmann, 2010). We know much less about why organizations are not applying risk management practices effectively, but it seems this is one point where the best practice and research recommendations break down. In theory, it should be straightforward to identify potential risks to a project and to assess these risks for the probability that they will actually arise and the impact if they do arise. In practice, however, accurate quantification of probability and impact of a risk is particularly difficult in the highly uncertain situations that are common for IT projects, especially in the early stages of the project (McConnell, 2006).
In this paper we discuss one organization’s innovative approach to making IT project risk management realistic, practical, and effective. The IT project risk management approach presented here is the culmination of over seven years of collaborative practice research within the Project Management Center of Excellence (PMCoE) of a large, municipal organization, the City of Seattle, Washington, USA. The aim of the initiative was to improve the city’s IT project success rate, and the PMCoE worked through three practical action research cycles, informed by extensive research findings on IT project risk, to develop and refine a new approach to early risk assessment. The PMCoE’s detailed collection and monitoring of project performance statistics was critical to the success of these initiatives, because it provided objective measures of the effectiveness of the PMCoE’s work. With a focus on continuous improvement, the City of Seattle continues to develop and refine its project management processes, and the work of the action research cycles described here has provided a stable foundation for these ongoing incremental improvements.
First, we present an overview of the City of Seattle and the types of IT projects in which it engages. Then we describe the processes that the city has developed to manage inherent risks across its IT project portfolio and point out how other organizations can readily adapt these processes to match their own organizational requirements. Finally, we discuss the ongoing performance measures used by the PMCoE to track their IT project performance progress.
The City of Seattle and its IT Projects
The City of Seattle comprises about 29 departments and municipal offices, has almost 10,000 full-time employees and an additional 4,000 part-time staff. The city provides services to an estimated 600,000 constituents within its boundaries and to many additional people and companies outside the city who need one of the many licenses, permits, or other services that are not exclusive to Seattle residents.
The City of Seattle’s IT projects cover a wide range of initiatives, ranging from small enhancements of previously implemented software to city-wide initiatives affecting thousands of users; from customized package implementations within and across departments to partnerships with state agencies for Internet portals for citizen access to IT services and benefits projects. Smaller projects have budgets in the US$100,000, whereas major projects may have multi-million dollar budgets.
IT Governance
Seattle has a partially distributed information technology governance structure (Sambamurthy & Zmud, 1999). The Department of Information Technology (DoIT) is charged with managing the city’s IT infrastructure to support communications technologies and services, and with providing IT leadership and governance throughout the organization. Within the DoIT, the PMCoE’s mandate includes oversight and monitoring of expensive and complex projects to ensure their completion within budget, schedule, and scope targets, as well as the promotion of consistent use of standard project management practices, with the aim of supporting the development of capable and experienced IT project managers. Individual departments are responsible and accountable for their own unique business software application projects, but share this accountability with the chief technology officer, and are expected to comply with project management oversight provided by the PMCoE. This structure introduces some tensions as individual departments seek to maintain their autonomy, while the PMCoE seeks to establish and coordinate strategic directions and to develop and implement common standards and policies for IT project management across all departments. The PMCoE has addressed this tension by adopting a consultative approach, seeking to enhance the quality of the city’s projects through collaboration with the departmental project managers, with the goal of developing project management competencies through the implementation of a set of standardized project management processes and methodologies across the organization.
Central to the DoIT’s mission was the establishment of a strategic framework of actions, including the development of a comprehensive inventory of Seattle’s IT projects; a project portfolio process to evaluate proposed projects to ensure that choices regarding application architecture, technology, security, project practices, and funding are in line with the city’s overall strategic IT directions; a project risk profiling review process administered by the PMCoE to assess the inherent risk in proposed projects and determine the appropriate level of central project oversight; and provision of project management consultative services and training. In this paper we focus on the risk profiling and subsequent oversight processes.
Dimensions of Project Success
A central challenge for the PMCoE in realizing its strategic objectives was the need to identify inherently risky projects early in the project lifecycle, typically before enough work has been done on the projects to have confidence in detailed risk assessments. At this early stage in the project life cycle, when detailed technical requirements are not available, traditional risk assessment approaches break down, with probability-impact assessments of individual risks amounting to little more than guesswork (McConnell, 2006). The alternative approach adopted by the City of Seattle is to focus on the overall inherent risk in each project. Instead of asking: “What is the probability and impact of each risk that could threaten this project?” The key question for the organization becomes: “How inherently risky is this project?” Projects that have higher inherent risk — regardless of which specific risk factors might apply — receive closer monitoring and oversight, and early actions can be taken to reduce the overall risk. Large, inherently risky projects can be broken down into smaller ones, and the requirements specification stage of complex projects can be split off into a separate project. Management can take steps to ensure the most experienced project managers are assigned to high-risk projects and that adequate sponsorship and mentoring are provided.
In order to assess the level of inherent risk in a project, a careful analysis of research and best practice literature was used to determine six key dimensions — criticality, uncertainty, complexity, size, project management maturity, and stakeholder involvement — associated with project success. The rationale for each dimension, and the attributes used to measure the dimensions, are shown in Table 1.
Two aspects of the dimensions are critical for the effective application of the risk profiling process. First is that each dimension is clearly linked to project performance, with a greater overall risk of poorer project performance for those projects that measure at the higher end of each dimension. The second key aspect is that the dimensions and their attributes can be assessed at the earliest stages of the project life cycle and are easily and objectively measurable, without the need for probability-impact estimates. For example, it does not matter whether the project manager considers that the budget is generous or tight, or how he or she assesses the probability of a cost over-run; if the project is a large one (in the context of the organization’s size) then it has more inherent risk (Martin, Pearson, & Furumo, 2007; Sauer et al., 2007). A 10% overrun on a small project has a much smaller impact on the organization than a 10% overrun on a large project. Projects with more dimensions assessed at the high end of concern (for example, high complexity or low project manager experience) are likely to have higher inherent risk and require closer oversight, even if it is not clear exactly which of the 50 or so risks on typical checklists will actually apply.
Dimension | Rationale | Attributes |
Criticality | Projects that are more mission critical for the organization will have higher inherent risk (Shenhar, Dvir, Levy, & Maltz, 2001), and determining the criticality of a project gives insight into how much risk should be tolerated in key areas of the project. High scores on criticality and visibility attributes also signal the need to examine all other dimensions to ensure the optimum strength of project disciplines is applied. | Safety/mission criticality Internal visibility External visibility |
Uncertainty | Uncertainty in any area of the project increases risk. (Howell, Windahl, & Seidel, 2010; Sommer & Loch, 2004). While uncertainty might initially appear to be a dimension that is not readily evaluated at the project initiation stage, the City of Seattle has found that two attributes — scope uncertainty and technology uncertainty — can be assessed with a reasonable degree of accuracy. An ill-defined scope introduces ambiguity to the boundaries around which the project is structured, planned, and estimated. When the team is unfamiliar with the technology — even if the technology itself is not new — planning and estimation accuracy declines, and the learning process usually uncovers new challenges. | Scope uncertainty Technology uncertainty |
Complexity | Complexity is closely related to uncertainty, in that uncertainties about scope and technology are often related to complexities of the proposed solution (Howell et al., 2010; Shenhar, 2001; Sommer & Loch, 2004). The complexity dimension is broken down into six attributes. Four of these — changes to business processes and rules, extent of customization and configuration, data conversion complexity, and application interface complexity — are assessed on a low-medium-high scale. The fifth attribute is the number of external project, process, or system dependencies, and for the City of Seattle, projects with four or more dependencies are viewed as high on this attribute. The final complexity dimension is the span of impact, measured by counting the number of departments or external agencies involved in the project, with five or more groups being viewed as high. | Changes to business processes and rules Customization/configuration Data conversion complexity Application interface complexity External dependencies Span of impact |
Size | Size matters! Larger projects inherently carry greater uncertainty and the larger the project in terms of cost, duration, and size of project team, the greater the risk of poorer project performance (Martin et al., 2007; Sauer et al., 2007). High duration, high budget projects are more difficult to estimate accurately. Longer timeline exposes the project to changes in technology, staff turnover, loss of executive support, and constantly evolving rules, regulations and business processes. Larger teams introduce greater communication and coordination challenges. Small variances in large estimates can add up to significant sums quickly. | Duration Budget Team size |
Project management maturity | The project management maturity addresses management competency and methodological issues. Projects that are not supported by experienced managers using mature methodologies are often challenged with issues resulting in costly rework and schedule slippage. (Herbsleb, Zubrow, Goldenson, Hayes, & Paulk, 1997; Jiang, Klein, Hwang, Huang, & Hung, 2004; Subramanian, Jiang, & Klein, 2007). In contrast, organizations where projects are led by experienced project managers with a track record of systematic project methodology application generally exhibit higher success rates (Sauer et al., 2007; Standish Group, 2005). | Project manager experience Project management maturity level |
Stakeholder involvement | The stakeholder involvement dimension also comprises two attributes — the match between the executive sponsor’s experience and the project, and the extent to which end-user involvement has been planned for and built in to the project plan. Strong executive sponsorship has long been recognized as a critical project success factor (Wallace & Keil, 2004; Wallace, Keil, & Rai, 2004), and this attribute assesses the sponsor’s commitment and availability and prior experience with similar projects. Similarly, end-user involvement has long been recognized as a critical factor in project success (Schmidt, Lyytinen, Keil, & Cule, 2001). | Executive sponsor experience End-user involvement |
The quantification of each attribute will vary depending on the organizational context. For example, the budget attribute can be measured in any organization, but the absolute dollar values associated with a large project budget will differ relative to the size of the organization. Similarly, some organizations might choose to merge the two visibility measures, whereas other organizations may argue that their projects never involve a life/safety critical component and so might use organization mission-critical as the maximum on the criticality scale. Organizations that rely on vendors for much of their project work would likely add a dimension for vendor uncertainty, with values ranging from ‘proven in our organization’ through ‘new to us but strong industry references’ to ‘unproven in the industry.’ With appropriate organization-specific customization, the overall set of dimensions is applicable to IT projects in any organization.
Determining the Level of Project Oversight
The project risk profile assessment is designed to assess the degree of overall inherent risk associated with each project, which, in turn, determines the level of oversight required during the life of the project. As shown in Figure 1, after reviewing the project risk profile, the PMCoE makes a recommendation to the chief technical officer (CTO) of one of four levels of oversight. For projects explicitly designated as no oversight required — typically minor projects with minimal risk — the local department is solely responsible for project outcomes. For all other projects, the PMCoE works with the local department to implement the final oversight decision.
Dashboard Reporting
All projects other than no oversight required projects are added to and tracked through a digital dashboard, with project managers required to report monthly progress on a set of pre-established metrics, including planned versus actual costs-to-date; planned versus actual schedule-to-date; achievement of projected work packages and milestones; and key project risks and issues. The PMCoE analyzes these dashboard reports and reviews them with the departmental project manager, checking for patterns of variance that could trigger more in-depth assessments or a move to a higher level of oversight. The dashboard reporting ensures regular monitoring of project health and also supports the collection of project metrics for finished projects, including cost at completion, and cost and schedule variance at completion.
Milestone Reviews
Projects considered to have medium levels of inherent risk receive additional oversight of critical milestones. An independent quality assurance consultant is assigned to the project to establish a set of significant milestones in consultation with the PMCoE and the department project manager and sponsor. At each of these checkpoints, the project manager and project sponsor meet with the independent quality assurance consultant to conduct a formal review of project management practices, deliverable progress, schedule and budget performance, project artifacts, project issues, and significant risks. Milestone review findings and any recommendations are reviewed with the project manager, project sponsor, executive sponsor, and the PMCoE. The PMCoE briefs the CTO on these quality assurance findings. The findings may include a recommendation for continuing the current level of oversight, or adjusting the level of oversight up or down.
Formal Quality Assurance
Projects assessed at the highest levels of inherent risk are required to have formal quality assurance throughout the project. An independent quality assurance consultant is assigned to the project to provide continuous review throughout the project life cycle. The quality assurance consultant works closely with the project sponsor, steering committee, and project manager, focusing on the project management processes applied, and monitoring identified risks and risk mitigation plans. The PMCoE attends Steering Committee meetings where QA reports are presented and may escalate issues if recommendations for addressing significant risks are not making progress. The goal of oversight on these projects is to ensure early identification of signs of unsatisfactory performance so that corrective action plans can be promptly developed in consultation with the executive sponsor and the CTO.
IT Project Risk Profiling in the City of Seattle
A key challenge for the PMCoE in implementing their strategic action framework was to gain buy-in from the local departments for the various levels of project oversight. Departments sought to maintain their autonomy, and since the formal level of oversight, in particular, is an added overhead for a project, there was considerable reluctance among some departments, who questioned the value of the oversight contribution. Although the PMCoE had a clear mandate from the CTO to deliver demonstrated improvements in the city’s IT project management, it chose to implement the proposed changes to project risk profiling and monitoring collaboratively, seeking to work cooperatively with local department staff to achieve the desired outcomes.
The collaborative risk profiling process begins at the project initiation stage. At this point PMCoE staff work with the local project manager to complete a questionnaire outlining the attributes of the various dimensions of the proposed project. Together, the PMCoE and the local project manager map the measures of the attributes on a risk spider chart (see Figure 2 for an example of a completed chart). The overall pattern of the attributes displayed on the chart helps to determine the risk profile assessment for the project, which in turn determines the project’s recommended oversight level.
The risk spider chart shown in Figure 2 is an example of a project scenario — the development of a work management system — used in training sessions. An oversight level of formal quality assurance with monthly independent project quality assurance reviews would be recommended for this project, due to its size, business, and technical complexity, span of impact, and internal and external visibility. A detailed description of this project scenario’s characteristics is presented in Appendix A, Table A1, and Table A2 contains the resulting preliminary risk identification and preventive and contingent risk planning for the project.
The attributes identified on the risk spider chart provide a starting point for preventive and contingent risk management planning, and also offer suggestions for immediate actions that may help to reduce the risk of projects with high levels of inherent risk. For example, when a moderate or significant gap is identified between project manager experience and the nature of the project, the PMCoE can recommend a mentoring arrangement, or provide a project advisor to support the project manager. Similarly, projects with very long planned durations can be decomposed into a series of smaller projects, and projects with high uncertainty around requirements can be split into an initial needs analysis project so that the implementation project can be more accurately scoped and estimated.
The use of a graphical tool to visualize the nature of the project risks is an integral part of the PMCoE’s risk profiling strategy. In earlier iterations of the early risk profiling strategy, the PMCoE presented a narrative assessment of the project and encountered considerable resistance, because project managers sometimes challenged each individual part of the assessment, rather than focusing on the overall level of risk. With the graphical risk spider chart, even if there is still debate about some of the individual measures, the visual presentation of the overall inherent risk of the project is very impactful, and enables the PMCoE to move quickly to discussions about the best way to manage and monitor the project from an overall risk standpoint.
The risk spider chart approach, together with the monthly dashboard reporting has also enabled the PMCoE to make progress on its other mandated task of provision of project management consultative services and training. The chart and monthly reports provide a useful conversation starter around project risks and risk mitigation strategies, both with project managers and project sponsors, and enable the PMCoE to provide mentorship and guidance to managers and sponsors on their roles and responsibilities. During the review process throughout the project life cycle, PMCoE staff members meet regularly with the department project manager to discuss project status, issues, risks, and progress. In addition, the larger, more complex projects, that have been assigned an oversight status of formal quality assurance, also undergo oversight by an independent project oversight consultant, who conducts more in-depth monthly reviews of projects. At completion, each project submits a project closure report, which provides information and data on project outcomes such as: scope delivered, objectives achieved, solution quality, customer satisfaction, cost and schedule performance, and lessons learned.
There are many dynamics that impact project performance, such as technical environments, business environments, management cultures, project manager and sponsor experience, maturity of methodologies and processes, and user group and team dispersion, to name just a few. While the PMCoE recognizes the limitations around reliably determining the key contributors to period-to-period changes, the information harvested from the monthly project reports, oversight activities, and the project closure report help to inform insights on key contributors to the overall performance.
City of Seattle Project Metrics
The City of Seattle has been tracking its IT project performance improvement since the introduction of its project review and oversight initiatives in 2004. The monthly dashboard reporting on IT projects enables the city to track IT project performance against budget and schedule. Project performance in 2006 was used as the original benchmark, with 57% of the 14 completed projects that year achieving less than 10% cost variance and 36% achieving less than 20% schedule variance. For the period from 2006 to 2011 a total of 76 projects were completed, and Seattle saw a steady improvement in performance. Project completion data as of 31 December 2011 show that, of these 76 projects, 75% achieved less than 10% cost variance and 46% achieved less than 20% schedule slippage. However, the tracking approach used during this period was to measure actual cost and schedule performance “at completion” against the estimates made at “initiation” when the project was chartered. Schedule and budget estimates at initiation stage carry high levels of uncertainty and can often be unrealistic, and there was some concern that the performance improvements may have been over-stated.
Thus, the PMCoE refined the tracking measurements to provide more accurate data by clearly establishing and clarifying the baseline benchmarks, and the tracking metrics were changed to capture actual cost and duration of a project “at completion” measured against the estimates developed from “planning stage” activities. If the project uses rolling wave planning, the first estimate is expected to be sufficiently realistic for completing all remaining phases. The revised performance tracking was initiated at the start of 2011 and there is now a base of 27 projects in the data. The current cost and schedule performance data as of 31 May 2013 are as follows:
- Cost Performance
o81% of projects were completed below or within < 10% variance to the planning phase budget, showing a 5 point improvement from the 76% at this time last year.
o15% were completed between 10% and 20% of planned cost estimate, representing a 3 point improvement from the 18% one year ago.
oNo projects exceeded 20% of planned costs set at the planning stage baseline.
o4% were completed with an undetermined variance to planned costs, down 2 points from the 6% one year ago.
- Schedule Performance
o11% of projects were completed below or within < 10% variance to the planning phase duration, showing a 1 point improvement from the 12% one year ago.
o30% were completed between 10% and 20% of planned schedule estimate, which is down 5 points from the 35% one year ago.
o56% were completed with variance in excess of 20% of the planned schedule estimates, which is an increase of 9 points from the prior year’s 47%.
o4% were completed with an undetermined variance to planned schedule, down 2 points from the 6% one year ago.
Staffing constraints formed the major challenge for schedule performance, due in part to tightened staffing policies during the recession. In particular, some of the longer projects suffered reduced priority for resources as new higher priority projects kicked off. The PMCoE expects cost performance to continue to improve as a result of their on-going mentoring and training of department project managers and the provision of improved tools, methodologies, and support. Additionally, as the economy improves, staffing issues should begin to stabilize.
In 2011, the PMCoE also began collecting information on scope performance, in particular, scope elements planned versus those actually delivered, the percentage of business and technical objectives achieved at the close of the project, and opinions on the quality of the solution and the level of user satisfaction. The goal with these measures was to begin to provide a basis for the evaluation of system benefits and to add emphases to these project attributes when the project leadership assesses project outcomes. A positive outcome already observed is that teams are beginning to learn that ambiguity in the specification of objectives developed early in the project makes it very difficult to accurately measure achievement at completion.
Conclusion
The PMCoE’s risk profiling and oversight process provides a visual aid for surfacing overall inherent risk at the early stages of IT projects, thereby enabling the proactive implementation of appropriate management strategies before problems strike. The PMCoE’s risk assessment process, and the risk spider chart that is the primary tool in this assessment, involves a review of a small set of project dimensions known to be related to project performance, rather than the detailed checklist of a large number of potential risk factors typically used in traditional risk assessments. The dimension-based assessment provides an easily measurable determination of the overall risk level of a project, without requiring probability-impact estimates of individual risks, which often amount to little more than guesswork. The tool has now been used on over 100 projects and the organization has been able to demonstrate a steady improvement in project metrics since 2006 when the work began. As with many organizations, the City of Seattle is continually working to achieve further process improvements; the risk profiling and oversight procedures described here have undergone, and will continue to undergo, refinements to fine-tune and further streamline the process. However, the work carried out by the PMCoE over the past 10 years has provided a solid foundation to support ongoing incremental development and improvement in their IT project risk management processes.
The City of Seattle’s project risk assessment process is a model for other organizations striving to engage in effective practices to improve IT project outcomes. The tool is readily customizable for different organizations and project contexts. A key outcome has been the insight gained into overcoming the practical barriers that may have hindered the implementation of extensive IT risk management research findings in practice.