Risk Management in Information … (Kornelius Irfandhi)

RISK MANAGEMENT IN INFORMATION TECHNOLOGY PROJECT: AN EMPIRICAL STUDY

Kornelius Irfandhi
Master of Information Technology, Binus Graduate Program, Bina Nusantara University,
Jl. Kebon Jeruk Raya No. 27, Kebon Jeruk, Jakarta Barat, 11530
kornelius.irfandhi@binus.ac.id

ABSTRACT

Companies face risks due to changes in a dynamic environment. If risks are not managed properly, they will have negative impacts on the companies at present and in the future. One important function of Information Technology (IT) governance is risk management. Risk management in an IT project aims to provide a safe environment for the IT projects undertaken. Risk management is an important process for the success of IT projects. This article discusses the risks of IT projects and whether there is a relationship between risk management and the success of the project. The method used was a literature review of several scientific articles published between 2010 and 2014. The results of this study are that the presence of risk management and of a risk manager influences the success of the project. Risk analysis and risk monitoring and control also have a relationship with the subjective performance of IT projects. If risk management is applied properly, the chance of success of the projects undertaken can be increased.

Keywords: risk, risk management, IT project

INTRODUCTION

Companies face risks due to changes in a dynamic environment. Such an environment allows new risks to emerge, derived from either the internal or the external environment of the company. If the risks are not managed properly, they will bring negative impacts on the company's present and future (Talet, Mat-Zin, & Houari, 2014). One of the important functions of Information Technology (IT) is the governance of risk management.
Risk management has been applied in various fields, one of which is IT projects. Risk management in an IT project aims to provide a safe environment for IT projects. IT projects generally have a high level of risk. Risks are often encountered as financial risk. However, the risks that might occur in the implementation of IT projects are not only those associated with financial aspects, but also all conditions of uncertainty that may impact negatively or positively on the project objectives, including time, cost, scope of the project, or the quality of the project results (Talet, Mat-Zin, & Houari, 2014). Risk management becomes an important process for the success of the IT project. Risk management provides significant benefits for companies, projects, and stakeholders associated with the implementation of the project. These benefits cannot be achieved without introducing the importance of risk management at every level of the business. Risk management becomes an important management tool for a project manager to increase the chance of success of the projects (Didraga, 2013) and to move more quickly to resolve an issue before the risk becomes a major problem that could threaten the project objectives (Talet, Mat-Zin, & Houari, 2014).

ComTech Vol. 7 No. 3 September 2016: 191-199

IT projects are characterized by a high level of risk and can have different risk management approaches. Much of the literature published between 2010 and 2014 shows that many researchers have discussed the risks of IT projects, approaches to IT project risk management, and whether there is a relationship between risk management and the success of IT projects. The author compiles the findings based on the result of the literature review in this empirical study.
Sharif, Basri, and Ali (2014) said in their article that risk is generally defined as the possibility of loss that describes the impact on the project, which could be poor software quality, increased costs, failure, or delayed completion. Risk can be reduced, managed, and maintained in accordance with planning and assessment. The study conducted by Chawan, Patil, and Naik (2013) found that risks can be grouped into three categories, namely: (1) known risks that can be found after carefully assessing project plans, environmental technology, and other trusted resources, such as unrealistic delivery time, there is no demand and software bundle. (2) Unknown risks that might actually appear but are very difficult to identify in advance. (3) Predicted risks that can be inferred from previous experiences, such as personnel adjustments and a lack of communication with the customers.

Risks are associated with identifiable events that will have a negative impact. Uncertainties are related to the sources of risk that may impact negatively or positively. Risks must contain two elements, namely uncertainty and loss (Talet, Mat-Zin, & Houari, 2014). The level of uncertainty of the project is an important dimension in the context of project implementation. A major source of uncertainty in an IT project is the scope or the project specifications. The study conducted by Thakurta (2014) divides uncertainty into four categories, namely: (1) variation refers to the many influences that produce a wide range of possible values on a project. For example, the duration of a specific project varies between 10 and 15 days. If changes are made, the duration of the project will also change. (2) Foreseen uncertainty refers to all the uncertainties that have been previously identified and that may or may not occur during the implementation of the project. (3) Unforeseen uncertainty refers to all the uncertainties that cannot be identified during project planning. (4) Chaos refers to the uncertainty of the project because the project does not have a definite basic structure plan, so that the project's outcomes differ from the original intent of the project.

Talet, Mat-Zin, and Houari (2014) said that risk management on the project is used to manage the project risks. Risk management is generally regarded as a way to reduce uncertainty and the impact of uncertainty, thus increasing the chance of success of the project. Risk management aims to prevent or reduce the impact of the risk. Most projects or businesses are in a dynamic environment (one that can change) that may impact negatively on the success of the project. A project is considered successful if it is completed and meets the requirements specified by the stakeholders, such as security, efficiency, reliability, manageability, capabilities, integration, and other requirements. A literature review conducted by Talet, Mat-Zin, and Houari (2014) said that 35% of quite projects are not unnecessary until the project implementation stage. This means that project managers do a poor job of identifying projects or terminating projects that are likely to fail because of the risks faced during the project life cycle.

The concept of risk management is applied in all aspects of the business, including planning and project risk management. Before discussing the concepts of risk management more deeply, it is necessary to know the definitions of threat and vulnerability. Threats can be defined as unwanted incidents on the system or organization that can damage the assets owned by the system or organization.
Vulnerabilities are weaknesses in the procedures, architecture, and implementation of the system, and other causes, that can be used to exploit the security systems and gain unauthorized access to the information (Talet, Mat-Zin, & Houari, 2014). Risk management (Talet, Mat-Zin, & Houari, 2014) is a process consisting of: (1) identifying vulnerabilities and threats to the information resources used by the organization in achieving business objectives, (2) conducting a risk assessment to determine the probability and the impact, and (3) identifying the various controls that might be applied to reduce the risk to an acceptable level.

Many approaches can be used in identifying risks. A literature review conducted by Sarigiannidis and Chatzoglou (2011) said that there are four approaches to the identification of risk, namely: (1) ad-hoc approach provides an assessment of the risk when the first symptoms appear on the project. (2) Informal approach involves discussions with people involved with the project, either directly or indirectly, on emerging risks or risks that might appear. (3) Periodic approach involves the use of repetitive procedures for the identification and specification of risk. (4) Formal approach identifies the risks and performs an evaluation of each risk.

Didraga (2013) found in his study that there are three approaches that can be used in IT project risk management. They are: (1) evaluation approach answers the question of what can cause the project to fail. This approach aims to make predictions for new projects by using the information on the risks and causes of project failure that has been collected from previous projects. (2) Management approach answers the question of how to handle the risks to prevent the failure of the project. Risk management is required in this approach.
Risk management is a process that consists of certain stages, from identification and analysis to response, monitoring, and control of the risks. (3) Contingency approach embeds risk management in the different processes and procedures. Currently, there are tools that can be used to provide a risk assessment on the project (Sharif, Basri, & Ali, 2014), such as Capability Maturity Model Integration (CMMI), Risk Assessment Visualization Tool (RAVT), Risk Assessment Tool (RAT), MATLAB, and Project Risk Assessment Decision Support System (PRADSS).

METHODS

The method used is a literature review of articles published between 2010 and 2014. The articles used are those that discuss risk, risk management in projects, particularly IT projects, and whether there is any relation between risk management and the success of the project.

RESULTS AND DISCUSSIONS

The IT project in this discussion is associated with software development projects. IT projects are characterized by a high level of risk. Rapid advances in technology result in changes in business processes that can create unexpected shifts, for example in terms of costs. A study by Thakurta (2014) revealed that the chance of a software project failing is still high, at 44%. Other studies said that many IT projects fail (Talet, Mat-Zin, & Houari, 2014; Thakurta, 2014). IT projects are potentially more likely to fail than other types of projects, such as construction projects. The main cause of IT project failure is the use of technology that is changing quite rapidly. Other reasons for this failure include the complexity associated with software development and the uncertainty characteristics of the project development environment. IT organizations need to keep projects on the planned schedule and budget, because IT projects are susceptible to failure, additional costs, and schedule delays (Talet, Mat-Zin, & Houari, 2014).

IT projects can have different risk management. Risks arise from many factors involved in the project. Each factor depends on the type and the purpose of the project. One of the classic problems that could potentially cause a risk in many IT projects is when new technology is developed while the project is running (Talet, Mat-Zin, & Houari, 2014).

Arnuphaptrairong (2011) conducted a study to determine the list of risks in software projects from the literature. The results showed that there are 27 software risks categorized into six dimensions (see Table 1), namely user, requirements, project complexity, planning and control, team, and organizational environment.

Table 1 Six Dimensions of Software Risks

| Risk Dimension | Software Risk |
| --- | --- |
| User | 1. Users resistance to change; 2. Conflicts between users; 3. Users with negative attitudes toward the project; 4. Users not committed to the project; 5. Lack of cooperation from users |
| Requirements | 1. Continually changing requirements; 2. System requirement not adequately identified; 3. Unclear system requirements; 4. Incorrect system requirements |
| Project Complexity | 1. Project involves the use of new technology; 2. High level of technical complexity; 3. Immature technology; 4. Project involves the use of technology that has not been used prior to project |
| Planning and Control | 1. Lack of effective project manage technology; 2. Project progress not monitored closely enough; 3. Inadequate estimation of required resources; 4. Poor project planning; 5. Project milestone not clearly defined; 6. Inexperienced project managers; 7. Ineffective communications |
| Team | 1. Inexperienced team members; 2. Inadequately trained development team members; 3. Team members lack specialized skill required by the project |
| Organizational Environment | 1. Change in organizational management during the project; 2. Corporate politics with negative effect on the project; 3. Unstable organizational environment; 4. Organization undergoing restructuring during the project |

Based on the literature study conducted by Arnuphaptrairong (2011), the software risk dimension with the largest frequency is planning and control (27), followed by requirement (17), user (14), team (9), organizational environment (9), and project complexity (4). Arnuphaptrairong (2011) also found that there are seven software risks which often occur, such as misunderstanding of the requirements, lack of commitment and support from top management, lack of user involvement, failure to get commitment from the users, failure to manage the expectations of the end users, and lack of effective project management methodologies.

A survey involving more than 1,000 organizations in Canada found that the main reasons for IT project failure are inadequate risk management and immature project plans. The risks faced by IT projects are not only related to financial risk. IT project risks are divided into nine categories, including financial risk, technology risk, security risk, information risk, people risk, business processes risk, management risk, external risk, and success risk. Interviews with IT professionals from leading organizations in Western Australia found that there are five most important risks, namely lack of personnel, unreasonable project schedule and budget, unrealistic expectations, incomplete requirements, and the delay in software delivery (Talet, Mat-Zin, & Houari, 2014). A literature review conducted by Sarigiannidis and Chatzoglou (2011) showed that the risk of a software project consists of interrelated dimensions.
These risk dimensions are project size, technology experience, project structure, user, system requirement, project complexity, planning and control, team, and organizational environment.

Chawan, Patil, and Naik (2013) stated that there are several types of risks that may be encountered in a software project, namely: (1) technical risk includes problems with the programming language used, the project size, the project functions, platforms, methods, standards, or process. Technical risk can derive from excessive constraints or poorly defined parameters. (2) Management risk includes lack of planning, lack of management experience and training, communication problems, organizational problems, lack of authority, and control issues. (3) Financial risk includes cash flow, capital and budget problems, and Return on Investment (ROI). (4) Contractual and legal risk includes changing requirements, health and safety issues, government regulations, and product warranty issues. (5) Personnel risk includes staff performance, experience and training problems, ethics and moral issues, staff conflicts, and productivity issues. (6) Other resource risk includes the unavailability or delayed delivery of equipment and supplies, inadequate equipment and facilities, unavailability of computer resources, and slow response time.

Based on these authors' research, the project risks can be summarized as shown in Table 2. The risks most often mentioned across their different research results are user requirement, project complexity, planning and control, team, organizational environment, technology, and financial risk.

Table 2 Summary of IT Project (Software) Risks

| Authors | Year | IT Project Risks |
| --- | --- | --- |
| Arnuphaptrairong | 2011 | User requirements, project complexity, planning and control, team, organizational environment |
| Sarigiannidis & Chatzoglou | 2011 | Financial risk, technology risk, security risk, information risk, people risk, business processes risk, management risk, external risk, and success risk |
| Chawan, Patil, & Naik | 2013 | Project size, technology experience, project structure, user, system requirement, project complexity, planning and control, team, organizational environment |
| Talet, Mat-Zin, & Houari | 2014 | Technical risk, management risk, financial risk, contractual and legal risk, personnel risk, other resource risk |

The success of the project can generally be defined as a comparison between the project planning and the final outcome of the project (time, budget, and requirements). When all are in line with or even better than the plan, the project is successful. The success of the project is the same for every stakeholder involved in the project.

Risks in the project can be managed by making and providing a list of the risks relevant to the project based on their impact on the success of the project. Poor requirements can also be the cause of project failure (Bakker, Boonstra, & Wortmann, 2010). Many IT projects experience uncertainty in the success of the project. Determining what can be delivered in the project at the beginning of the project is not easy, as seen in Figure 1. Changes in project requirements will almost certainly occur. These changes may be a risk to the project.

Figure 1 Definition of the Success of the Project (Source: Bakker, Boonstra, & Wortmann, 2010)

Junior and Carvalho (2013) conducted research to find out whether there is a relationship between risk management and the success of the project.
Their research involved a survey of 415 professionals involved in project management (between 2008 and 2009) at various levels of complexity in different industry sectors in four Brazilian states. The sample unit and respondents were selected based on ease of access and their availability to respond to this research. There are four hypotheses to be tested, namely: (1) H1: Project risk management does not influence the perception of project success. (2) H2: Company revenue does not influence the perception of project success. (3) H3: The type of project does not influence the perception of project success. (4) H4: The presence of a risk manager does not influence project success.

Table 3 Junior's and Carvalho's Hypotheses Testing Result

| Hypothesis | Description | Result |
| --- | --- | --- |
| H1 | Project risk management does not influence the perception of project success | Rejected |
| H2 | Company revenue does not influence the perception of project success | Accepted |
| H3 | The type of project does not influence the perception of project success | Accepted |
| H4 | The presence of a risk manager does not influence project success | Rejected |

Risk managers are an essential element in project risk management. Risk managers are the people who are entitled to perform the risk management (to identify, assess, and control the risks). Based on the results of the hypothesis testing performed by Junior and Carvalho (shown in Table 3), it can be concluded that the presence of risk management and of risk managers influences the success of the project. The project is said to be successful when the result of the project is in line with or better than the plan (shown in Figure 1). Good risk management can lead the project to success only if the risks and how to control them in the project have been identified before the project starts.
The study conducted by Sarigiannidis and Chatzoglou (2011) stated that the definition of software project performance can be divided into two main categories, namely: (1) subjective performance, which refers to the efficiency and effectiveness of the software when the project has been completed, according to the people involved in the project. (2) Objective performance, which includes quantitative metrics such as the advantages in terms of cost, effort, and schedule. These performance categories should be used together to measure performance, which is quite important for software developers and users (Sarigiannidis & Chatzoglou, 2011).

Didraga (2013) made a research model (shown in Figure 2) to determine the relationship between risk management and IT project performance. Therefore, Didraga (2013) made two major hypotheses to be tested in his research, namely: (1) the first hypothesis (H1): Risk management practices are correlated with the subjective performance of IT projects. (2) The second hypothesis (H2): Risk management practices are correlated with the objective performance of the projects, as seen in Figure 2.

Figure 2 Didraga's Research Model (Source: Didraga, 2013)

The target population consisted of project managers, IT managers, and IT analysts at IT companies in Romania. The samples were derived using the convenience method and the snowball method on a database of 361 companies between June 10, 2012, and July 11, 2012. Didraga (2013) used an online questionnaire built with Google Docs and processed the results using Microsoft Excel 2007 and IBM SPSS 19. He received 108 responses from 72 companies. The variables used were the risk management practices used in IT projects, the subjective performance, and the objective performance of IT projects. Each of the hypotheses tested by Didraga (2013) has several sub-hypotheses with different results.
The results can be seen in Table 4 and Table 5.

Table 4 Didraga's First Sub-Hypotheses Testing Result

| Hypothesis | Description | Result |
| --- | --- | --- |
| H1a | Risk identification is correlated with the subjective performance of the IT project | Rejected |
| H1b | Risk analysis is correlated with the subjective performance of the IT project | Accepted |
| H1c | Risk response planning is correlated with the subjective performance of the IT project | Rejected |
| H1d | Risk response monitoring and control are correlated with the subjective performance of the IT project | Accepted |

Table 5 Didraga's Second Sub-Hypotheses Testing Result

| Hypothesis | Description | Result |
| --- | --- | --- |
| H2a1 | Risk identification is correlated with cost overrun | Rejected |
| H2a2 | Risk analysis is correlated with cost overrun | Rejected |
| H2a3 | Risk response planning is correlated with cost overrun | Rejected |
| H2a4 | Risk response monitoring and control are correlated with cost overrun | Rejected |
| H2b1 | Risk identification is correlated with schedule overrun | Rejected |
| H2b2 | Risk analysis is correlated with schedule overrun | Rejected |
| H2b3 | Risk response planning is correlated with schedule overrun | Rejected |
| H2b4 | Risk response monitoring and control are correlated with schedule overrun | Rejected |
| H2c1 | Risk identification is correlated with effort overrun | Rejected |
| H2c2 | Risk analysis is correlated with effort overrun | Rejected |
| H2c3 | Risk response planning is correlated with effort overrun | Rejected |
| H2c4 | Risk response monitoring and control are correlated with effort overrun | Rejected |

Based on Table 4 and Table 5, Didraga (2013) concluded that the first hypothesis (H1) was partially accepted: risk management (risk analysis and risk response monitoring and control) has a relationship with the subjective performance of IT projects.
The second hypothesis (H2), in contrast, was rejected because risk management practices have no relationship with the objective performance of IT projects in terms of the cost, schedule, and effort required in IT projects. Good risk management does not affect cost, schedule, and effort overrun. Cost, schedule, and effort are correlated and defined in the project planning. Conversely, good risk management (in the context of risk analysis and risk response monitoring and control) can lead the project to achieve its subjective performance.

CONCLUSIONS

IT projects (in the context of software) have risks and uncertainties. Risks can be mitigated, managed, and maintained in accordance with planning and assessment. The common risks across the literature might be user requirement, project complexity, planning and control, team, organizational environment, technology, and financial risk. The processes in risk management begin with identifying vulnerabilities and threats to information resources, followed by risk assessment and the identification of risk controls that might be applied to reduce the risk to an acceptable level.

If risk management is applied properly, the chance of success of the project undertaken can be increased. This was proven through Junior's and Carvalho's research (2013) in Brazil. Their study found that the presence of risk management and of a risk manager influences the success of the project. Meanwhile, Didraga's study (2013) in Romania showed that risk management (especially risk analysis and risk response monitoring and control) has a relationship with the subjective performance of IT projects.

Through this study, it was found that there is a relationship between risk management and the success and the subjective performance of IT projects. The project is said to be successful when the result of the project is in line with or better than the plan.
Good risk management can lead the project to success only if the risks and how to control them in the project have been identified before the project starts. Good risk management can also lead the project to achieve its subjective performance. Conversely, good risk management does not affect cost, schedule, and effort overrun, because these three are correlated and defined in the project planning.

REFERENCES

Arnuphaptrairong, T. (2011). Top Ten Lists of Software Project Risks: Evidence from the Literature Survey. Proceedings of the International Multi Conference of Engineers and Computer Scientists, 1. Hong Kong.

Bakker, K. D., Boonstra, A., & Wortmann, H. (2010). Does risk management contribute to IT project success? A meta-analysis of empirical evidence. International Journal of Project Management, 28(5), 493-503.

Chawan, P. M., Patil, J., & Naik, R. (2013). Software Risk Management. International Journal of Advances in Engineering Sciences, 3(1), 17-21.

Didraga, O. (2013). The Role and the Effects of Risk Management in IT Projects Success. Informatica Economica Journal, 17(1), 86-98.

Junior, R. R., & Carvalho, M. M. (2013). Understanding the Impact of Project Risk Management on Project Performance: an Empirical Study. Journal of Technology Management & Innovation, 8(6), 64-78.

Sarigiannidis, L., & Chatzoglou, P. D. (2011). Software Development Project Risk Management: A New Conceptual Framework. Journal of Software Engineering and Applications, 4(5), 293-305.

Sharif, A. M., Basri, S., & Ali, H. O. (2014). Strength and Weakness of Software Risk Assessment Tools. International Journal of Software Engineering and Its Applications, 8(3), 389-398.

Talet, A. N., Mat-Zin, R., & Houari, M. (2014). Risk Management and Information Technology Project. International Journal of Digital Information and Wireless Communications, 4(1), 1-9.

Thakurta, R. (2014). Managing Software Projects Under Foreseen Uncertainty. Journal of Information Technology Management, 25(2), 40-52.