This study explored the use (or not) of established risk management practices and processes in 21 Information System (IS) projects in 10 organisations.
Key questions were:
- To what extent do project managers adhere to or disengage from prescribed risk management processes?
- Why do managers stop practicing risk management in projects that have significant risks that could affect project performance?
- To what extent do the core beliefs of project managers towards risk help to explain adherence or disengagement?
Findings were then discussed in terms of practical drift (cf. Scott Snook), routine-based reliability (conventional use of established/written and systematic risk management processes) and mindfulness-based reliability (drawing on HRO, resilience engineering and other concepts).
Results
All investigated projects reported on the implementation of standardised risk management procedures and processes but varied in actual approaches and level of detail in the processes. Importantly, of the 21 projects studied, “in all but five projects the manager had disengaged from prescribed risk management before executing risk responses” (p637).
Other findings included:
- Formal stages of risk management processes were followed “up until the process was no longer inspected. At the point where some kind of surveillance of the risk management process ceased, so did the formal implementation of the risk management process” (p642).
- Once risk management processes stopped in the project lifecycle for whatever reason, they were more than likely not renewed.
- Over 2/3 of identified & assessed risks were not responded to when they materialised on the project in 17 out of 21 projects. That is, in most cases, formally identified and assessed risks “remained unallocated and untreated” (p643).
- Some project managers (PMs) said that in many cases, risk management is an “evaluation exercise”, or as one PM said “Yes, we are doing a project risk assessment … it becomes an administrative process and as long as people feel there is a risk register somewhere and lip service is paid to it on a reasonably frequent basis, that they are managing risk” (p643).
- Despite risk processes being available, there was a tendency for them to be used on the front-end of ID and administration without follow-through on risk response. It was observed that “In all but four of the projects examined, the project team had disengaged from proactive risk management before actually executing risk responses” (p643).
- It’s said that PMs tended to depart from risk processes even with identified significant risks and the major obstacle in increasing risk management reliability isn’t about detecting changes in the environment but actually taking action to prevent the risks materialising.
The table below highlights which processes were adopted at each stage.

The departure from process wouldn’t be surprising if these were deemed acceptable risks, but interviews revealed that “the choice of disengagement from managing risks is driven predominantly by five beliefs: legitimacy, value, competence, fact and authority” (p643).
I’ve summarised only a small portion of each factor’s discussion:
Legitimacy: Standardised risk management processes are seen to provide a veneer of legitimacy, particularly for clients to see these methodologies in use. [Or, I suppose, at least be seen to be using some methodology irrespective of how it’s being used, if barely at all]
Value: PMs believe that the methodologies must be demonstrably useful. If value can’t be readily demonstrated, then PMs are likely to disengage from the process even if it’s valuable but its benefits are more difficult to articulate. E.g., the investment of time & money into risk management is clearly visible but the benefits may “remain hidden”. Some PMs and apparently their clients believed that risk management processes may be unnecessary and the resources better invested elsewhere.
Competence: Doubt in a PM’s ability to control risk drove disengagement from process. Further, reluctance to engage in the process was driven by the need to be positive, and raising potential issues may alarm or upset the client and reflect poorly on the PM (as being unable to properly avoid those issues). Some PMs preferred a head-in-the-sand stance to avoid raising anxiety or doubt in clients about whether they could deliver on the project; i.e. telling customers what they want to hear and reassuring them of “certainty and a safe and predictable world” (p644).
Fact: PMs thought that risks (as in, the sources of uncertainty) needed to be tangible, perceptible and real. They were likely to disengage from process if the issues were thought to be “fictitious or imaginary or where information about risks was unreliable” (p644).
Authority: Disengagement was more likely if PMs thought they were powerless to address the issue or had limited authority to act. Perception of authority was largely driven by external stakeholders rather than political grounds. As noted before, it’s easier in some cases to ignore or discount an issue since once it’s identified that provider becomes responsible to address it.
Inconsistencies with any of the above five factors contributed to process disengagement. The findings are then discussed in the context of practical drift and other concepts (which I’ve skipped due to length). However, it’s highlighted that practical drift occurs with globally encoded written rules and systems, which are transformed into locally generated task-based routines to solve local issues. That is, adaptation occurs because people “organise around the immediate demands of work” (p646).
Quoting Dekker, it’s highlighted that people at the local level believe that they are largely compliant, and unofficial adaptations to process are seen as a sign of competence and expertise in ensuring work is completed. [Conversely, local adaptations can be at odds with higher-level safety or quality goals, as Snook explored in his analysis of the friendly fire U.S. Black Hawk accident.]
Of further interest is that while a “typical response to practical drift is enforcing more rules, compliance and greater inspection” (p646), use of risk management processes didn’t prevent PMs from uncoupling practice from process.
Authors: Elmar Kutsch, David Denyer, Mark Hall & Elizabeth (Liz) Lee-Kelley, (2013), 22:6, 637-649
Study link: https://doi.org/10.1057/ejis.2012.6
Link to the LinkedIn article: https://www.linkedin.com/pulse/does-risk-matter-disengagement-from-management-ben-hutchinson