Management WL040/Bidgoli-Vol III-Ch-19 June 23, 2003 16:22 Char Count= 0
234 RISK MANAGEMENT IN INTERNET-BASED SOFTWARE PROJECTS
in the previous section of this chapter reveals that these
risks cannot be controlled in this manner. For example,
the project manager cannot secure a 100% guarantee that
all of the team members will stay with the project through
completion. Even iron-clad contracts cannot counteract
sickness, injury, or death.
Most managers take a rather simple approach to risk
planning. They consider risks in three general categories:
those that come from a source within their control, those
that are beyond their control, and those that are a shared
responsibility (Schmidt et al., 2001). Their behavior toward
each category is based on their desire to manage the
expected outcome of the risk down to zero. For factors
beyond their control, managers are apt to take no action
whatsoever (March & Shapira, 1987). For those within
their control, managers have confidence in their ability to
handle each risk effectively. Managers spend most of their
time and effort on the risk factors that have a source that is
a shared responsibility. This categorization of risks suffers
from one serious flaw: It does not consider the probability
of the occurrence of a given risk.
For example, the project manager would probably view
the exit of a team member from the project as a factor
beyond his or her control. Even though managers spend
considerable effort on retention of team personnel, little
or no effort would be expended to prepare for the eventuality
that a team member would leave. Turnover in the
IT field is high, however: In IT projects it runs to nearly
30% (Keil et al., 1998). Considering the budgetary and
political impact of a serious delay in project completion,
the expected outcome of a team member’s exit is high. In
their survey of American managers, Schmidt et al. (2001)
found that this risk factor did not even make the list of
risk factors to be ranked for potential action.
The manager must be aware of such biases and prepare
plans accordingly. An important technique in this regard
is to use a classification scheme that is free of bias. Once
the risks are properly classified, the manager can choose the
appropriate strategies for dealing with each class of risks.

Classifying Risks
There are numerous ways of classifying risks. One simple
method is to look at the sources of the risks. Schmidt et al.
(2001) identified 14 risk sources and sorted their 53 risk
factors according to these sources. Dealing with risks in
this manner immediately suggests some actions that can
be taken to control the sources of the risks. It also provides
the manager with an indication of where to direct action.
Keil et al. (1998) suggested a four-quadrant approach
to classifying risks (Figure 1). They use two dimensions,
the level of expected outcome and the level of control the
manager has over the source of the risk, to map a 2 × 2
grid. Each quadrant of the grid then suggests some general
approaches to controlling the risks associated with the
quadrant.
Cule et al. (2000) took a similar approach but further
suggested that appropriate coping behavior for the four
quadrants should be effective for any risks in those quadrants.
In such a case, it would not be necessary to identify
and assess every individual risk. By treating each class of
risks rather than individual risks, the risk management
process is greatly simplified.

[Figure 1: Risk Classification Framework. Axes: Perceived Level of Control (Low, High) and Perceived Relative Importance of Risk (High, Moderate). Quadrants: 1 Customer Mandate, 2 Scope and Requirements, 3 Execution, 4 Environment.] From Keil et al. (1998). © 1998 ACM, Inc. Reprinted by permission.

Regardless of the approach taken to cope with risk,
the classification of risk factors into four quadrants has
considerable merit. It is obvious that no project manager
could possibly attend to 53 or more risks, and it is doubtful
that full attention could be paid to 14 sources of risks.
Although a few large projects have used risk mitigation
teams to cope with large numbers of risk factors, the vast
majority of projects are too small to afford such an approach.
By grouping the sources according to the scheme
devised by Keil et al. (1998), the project manager can devise
coherent strategies to counter the more serious risks
facing the project.
It is important to understand that a specific risk factor
might be assigned to a different quadrant from project to
project, depending on its expected outcome and the assignment
of authority. Consequently, the coping strategy
chosen will shift from case to case for the same risk factor.

Choosing Appropriate Strategies
The highest-priority group of risks to consider is risk factors
that have a large negative expected outcome and are
outside the direct control of the project manager. For
example, if users and general managers develop a lack
of trust in the project team, they may reject the team’s
work, leading to project cancellation or significant, costly
delays. Coping strategies for such risks require relationship
management, trust-building, and political skills (Keil
et al., 1998). Because this is a high-threat category of risks,
project managers must be prepared to take on these responsibilities.
But beyond the nature of these skills, the project manager
must choose a specifically targeted approach to mitigate
the anticipated risk. In the case of detached users
and management, more rigorous scheduling and intensive
performance tracking for reviews are necessary. A detailed
communication plan should be in place to help mitigate
this risk.
The remaining risk factors with a large negative expected
outcome are directly under the control of the
project manager. These risks largely can be controlled by