‘Available online at waw.sciencedirect.com SciVerse ScienceDirect Procedia Technology Procedia Technology 5 (2012) 437— 444 CENTERIS 2012 - Conference on ENTERprise Information Systems / HCIST 2012 - International Conference on Health and Social Care Information Systems and Technologies: Risks Response Strategies for Supporting Practitioners Decision-Making in Software Projects Cristina Lépez**, Jose L. Salmeron* "School of Engineering, University Pablo of Olavide ‘Cia, Uirera, kn. 141013 Sevile, Spain Abstract ses make great efforts to adopt up-to-the-minute technologies and completely new systems. Despite these efforts, enema ose t mnapoent clues ar fen adn te ee ee i Se eae eee ee authors use the importance- performance approach to asses the risks factors identified. THEMES MO WeGuS To Ue ie THAStSURADICStateE TORY (© 2012 Published by Elsevier Lid, Selection and/or peer review under responsibility of CENTERIS/SCIKA ~ Association for Promotion and Dissemination of Scienifie Knovledge Open access under CC BY-NC-ND license. Keywords software projets; sks checklist IP approach: sks response strategies * Corresponding author, Tel: + 36 954977324; fax: + 3495434835, Email address: lopvae@upo.es 2212-0173 © 2012 Published by Elsevier Li. Selection andor per review under responsiblity of CENTERISISCIKA - Associaton for Promotion and Dissemination of Scientific Knowledge Open aeeess under CC BY-NC-ND license {oi 10.1016).protey-2012.09.048,a8 Cristina Lopes ind Jose L, Salmeron/Procedia Technology 5 (2012) 457 —464 1. Introduction In recent decades, companies across the world have adopted enterprise information systems by means of ISAT (Information Systems/Information Technologies) projets. These applications allow the modeling and automation of firms’ activites, providing relevant information for decision making. However, success of enterprise information s¥Stenis)aUGpU6R i) HEVEEYEURRERIEEA The outcomes obtained in ISAT projects terminates it However, as is indicated in [1], the nature of IS/IT projects creates many risks that must be managed Jiligently, A study eartied out by Standish Group Toternational consultaney shows that only 32% ofthe IS/IT oj in 209 is easel ECDL) Tis means at hey ished on ne, win let a the final result satisfied the needed requirements (3) To avoid unexpected results, the profes: luring the last few years, the IS/IT projects successful ratio has been improved [7], but this continue being low. Tr re ee eee nh xs Bh cs sv, Sr oT ER EER, Bre een. nacones ae flies to wales he WH of Thee as Te conta. we Bae nt SD roca reece cere According to this, our aim is to study IST project risks, To do this, we have used an Importance- Performance approach. Prior to that, we have identified the risk that threatens IS/IT projects. Subsequently, we ‘have applied the importance-performance analysis (IPA) technique. This allows to assess the risks from two dimensions: probability of occurrence and negative impact on the IS/IT projects outcomes [9]. The results indicate practitioners, what response strategy must select for managing each risks in more effective way 2, Risk management in IS/IT projects An IS/IT project is a Iarge-scale, unstructured and highly complex undertaking. In some cases, this even. requires the use of unfamiliar technologies and tools. Hence many controllable and uncontrollable risks can affect its outcome [10]. A risk is an event characterized by uncertainty because it may or may not occur, If this risk turns into a real problem, this may impact the project success. Hence, to avoid undesired outcomes, practitioners have to continuously manage in a proactive way the risks existing in their IS/IT projects [11]. The most used criteria to determine the importance of factors isthe risk of exposure [8] Risk management shows us the real situation in which our project is, being able to manage the threats in a proactive way. If the project team identifies, assesses, treats and monitors existing risks in such projects, the probability of failure decreases. Hence, it has given tise to a proliferation of studies about software projects risks, But research in the literature focus on the identification and assessment phases established in risks management methodologies (6, 9, 12, 13, 14, 15, 16, 17). ‘More specifically, in last years, evaluation models based on grey correlation [18], probabilistic terms [19]. fuzzy theory [20, 21], bayesian networks [22] have been developed to assess software project risks. Other studies identify and prioritize the existing risk factors in IT/IS projects from more to less problematic (23, 24] Even, a risk management application has also been created for the modeling, optimal adaptation and implementation of an enterprise system [25]. In contrast, scarce studies evaluate and identify the most effective strategies for managing IS/IT project risks.Cristina Lipes and Joe Le Salmeron/ Procedia Technology $ (2012) 437 84 From an IS/IT project begins, practitioners should follow specific strategies in order to effectively manage existing risks [26]. Despite, studies about strategies to deal with IT/IS projects risks is scarce in the literature ‘One study states mitigations strategies for mitigating risks from economic perspective [27]. However, other factors like the importance of risks also should be considered in this issue. In fact, information about the probability of occurrence and impact of risks on IS/IT project can support the practitioner to select a better risk management strategy (28] ‘Actually, the selection of the risks strategy followed depends on the manager's subjective judgments, To support the project managers’ work, we have realized a formal study about risks which impact the IST projects success. To do this, we have used an IPA approach. In this way, we identified the risk that affects ISAT projects development, Subsequently, experts assessed the importance of cach risk identified, The findings allowed us constructing an IP matrix. This indicate practitioners which strategy should follow to deal With each IT/IS projects risks in mote effective way 3. Research method ‘The main purpose of this study is to state the most effective response strategy for managing each IST project risk. With this in mind, firstly, we identified the tisks that affect the development of ISAT projects. To do this, we carried out a critical literature review of software risk management. The risks identified were checked removing duplicates climinating those factors which do not affect IST projects. In order to validate the factors identified, we consulted 12 experts in IS/IT projects. The optimal number of experts depends on the characteristics of the study itself, We can, however, say that the greater the heterogeneity of the group, the fewer is the number of experts recommended, 12 being a good size [29, 30] All experis’ opinions were considered to be of the same importance, Respondents were not chosen just because they were easily accessible, Thus, we oblained the list of IS/IT projects risks. Later, we evaluated the risks identified using the IPA method. This technique was introduced by [31] to selecting marketing strategies. IPA has also been applied in such different fields as tourism (32], banking [33], quality of service [34], e-Business [35], and education [36], among others, Its wide acceptance can be explained by its ease of application, simplicity and utility [34] IPA combines measures of importance of each factor (ie., a risk) and its performance into a two- dimensional grid or matrix. In our study, performance dimension refers to the risks’ impact on the development of IS/IT projects, meanwhile importance refers to the probability of occurrence of each factor. In order to estimate the probability of occurrence and impact of each risk, we again consulted the above- ‘mentioned experts. In this way, we sent a survey to the participants via email. Both probability of occurrence ‘and impact dimensions were measured on a 5-point likert scale, as is suggested in [31]. Basing on the replies received, we calculated the mean and the standard deviation for each risk, in each dimension (31, 35]. Finally, ‘we plotted each risk according its level of importance (mean value) and probability (mean value), on the IP ‘grid. Each quadrant refers to a different group of risks. Hence, practitioners have to follow different strategies for managing each group (quadrant) in more effective way. In the next section, we present the results obtained in this study. 4. Findings ‘The goals in our research were to analyze existing risks in IS/IT projects and identify the most effective strategies for treating those. In this way, 12 experts in this kind of projects activate participated in our study. ‘They started checked the risks identified in a critical literature review. The result was the checklist of IS/ project risks depicted in Table 1 43940 Cristina Lépez nd Jose Salmeron/Procedia Technology $ (2012) 457 — 464 ‘Table 1. IVI project sks eheclis. w Rr RD Ri Rt RS RS RT Re RO Ro Ri RI RB Ris Ris Ris RD Ris RIS R20 Ra 2 R25 Re Res R26 RD Ros R29 R30 RI 32 R33 Re as R36 Ry Ras B39 Reo Ral Re Res Res Res Rab Tae ert ae Tata oe a LLaceo endssers commits othe projet Tack of end-user suppor ‘ees constantly request farther changes “Tuget users are unfamiliar withthe chology and equiv addtional waning. Inadequate composition of project tea ‘Bxcesivefnsuffiiet pesonnel nthe project team Inexperenced project manage, Projet manager lacks required sil High eumover within poe ear, ‘Team members are snmotvaed oor internal cominiation “Team members ae unfair with he technology ‘Team members lack required sels Conflict ard no cooperation between the tam members Improper dfinison of role and responsibiies. “Lasko op management commitae tothe project Changes in organizational pronties. [Continuous change inthe organizational environment. “Top managers mae important decisions without consulting the others Confit between sere departs ‘Requistment specifications we illdefined Continally changing system requirements ‘Unclear or incomplete requirements Flue to manage end-ser expectations “Lago frozen requirements ‘Time too sora ln. Inadequate eimation of rogue resources ‘Unrealieae schedule Unrealsie projets outcomes. Projet milestones cannot be defined Poor estaishment of standard proces procedurs/methodslogy oor project planing. Ineffective project contol, Creal aetiis are not denied Lack a pope est Project prope snot mentored closely enough ‘Technology has not been understood bythe projet ea, Ismatre technology Excessive projet sie High level of tecnica complesiy Highly complex tak being automated ‘Complex excessively procedures Highly synchronized systems, Inadequate sytem doeameataon: incomplete o non-existent. “Lage neprauon between systems Soares 125, 35, 3,0] [25.37.38 4041.48) (2s, 37, 39,40, a1, 2,44) 125,40) (25,39, 2) (9.5.37, 381 (25.37. 42.48. 44) [25,38 39,4, (25, 38,48) [38,38 41, <2) 125.41) (25, 40,41) (39,4041, <2) 139,40, 41.42, 43, 441 (39,41, 38.4) a] (39, 41,25, 37,88, 42, 44) (39,41, a (39,40 4,42, 484 [25.43] 125. 37.38, 39,40, 41,447 (25, 37.39.40, 41,44) 19,38, 40,4142, 3,44) (25,39, 0,4 42] (2s, 37,4, «2 19.831 (9,38, 3) (9,25, 38, 41,43, 441 (9,38, 41, 43,44) (ai, 23) 125,38. 40, 42 (25,38, 0, (25,3940, 42,48) (25,39, 40,41 44) (aa 5) 125, a2, 4 (25,40, 41 44] fas, 38,39, 40, 9 [39,40 38) (b9.41) Iss) [39,4142] 21 Ist) 2 Subsequently, we assessed the risks identified in the checklist using the IPA approach, In this way, experts individually estimate the probability and impact of each factor. Table 2 shows the impact and probability of ‘occurrence ratings of the 46 risks.Cristina Lépes and Joe . Salmeron/ Procedia Technology 5 (2012) 437 84 ‘Table 2, Mean impact and probability ratings. Re 275 508 Ru 3 39 438 as RS Los Rio Los RIL 2.08 RIS 191 R26 1 RY 238 Impact and probability ratings determine the coordinates for each risk on the map and thus determine their placements, Specifically, the ratings were used to split the axes. We thus carried out the four-quadrant matrix showed in Fig. 1. The quadrant, in which a risk is placed, determines the most effective strategy to treating it So, the IP map yields the following strategic suggestions for managing risks in TT/IS projects * Quadrant I (high impact, high probability). These risks are the most critical. In fact, experts considered, that those strongly impact on project development. In addition, participant revealed that the probability of occurrence of these risks is high. Indeed, practitioners should follow the strategy "elimination of root- saan Cristina Lépez ond Jose Salmeron/Procedia Technology 5 (2012) 457 —464 cause” [18]. That is, they should identify and eliminate those elements, which can provoke its appearance in the IS/IT project, © Quadrant 2 (high impact, low probability). These risks do not usually appear in IS/IT projects. However, ‘when they convert into a real project problem, factors impact strongly on IS/TT projects development. In order to manage them, practitioners should follow a prevention strategy [18]. This consists in defining and applying a plan to control the occurrence of these risks in the project. © Quadrant 3 (low impact, low probability), These risks do not usually appear in IS/IT projects, as well as slightly impact on IS/IT project development. Therefore, in order to manage them, practitioners should follow a fix each error strategy [18]. This consists in treating risks when they convert into real problems. ‘© Quadrant 4 (low impact, high probability), These risks usually appear in IS/IT projects, although normally, they slightly affect IS/IT projects development. Therefore, in order to manage them, practitioners should follow a mitigation strategy [18]. This consists in estimating the time required to minimize these risks, if they would become real project problems. Ps ai seen on eas |e ” Fig, 1 PA mate 5. Conclusions A successful management of IS/IT projects requires EY (iting SKA The focus of IST project management studies is the risk assessment. This is explained why information about the importance of project risks supports the practitioners to select a better risk management swategy. With this in mind, this paper proposes the use of this way, we carried out a checklist of risks. Later, the factors identi were evaluated according to the definition of risk exposure, and placed in an IP matrix. The findings allow us {o identify the most suitable strategy for managing each risk in a more effective way. Acknowledgements ‘The authors wish to thank the Spanish Ministry of Science and Technology (MICINN-ECO2009.12853)Cristina Lépes and Joe Le Salmeron/ Procedia Technology 8 (2012) 437 —84 and the Andalusian Regional Government (CICE-PO7-SEJ-03080) for their financial support References [11 Kwak, Ya, Stoddard, J: Projo sk management: lestons lared from sfiwate development envionment. Technovation, 24, 215- “$20 2004) [2] The Standish group repost chaos, Standish Group Intemational, 2009, hpstwww standishgroup con/newsroom/chaos 2009 php Visitdo 28/6/2010 [3] Bark, H, Rivard. S, Talbot J: An integrative contingency model of software project risk management. Journal of Management Infrmaton Systems. 17, 37-69 (2001) [41 Baros, MOO, Weer, CMLL, Travasos, GH. Supposing risk in software projet management Journal of Systems and Sofware 70,21-35 00) [51 Charete, RI: Why sofware fil. IEEE Spectrum, 42, 42-49 2005) [6] Dorofee, AJ, Walker, 1A, Albers, C1, Higuera, RP, Muaphy, RL: Continous Risk management guidebook SEL, Camere ‘Mellon Univesity, Pitbargh (1996) [7] Emam, KE, Kor, AG A Replicated Suvey of IF Software Projet alles. IEEE Software. 25, $4-50 2008) [8] Bannerman, PL. Risk and sk management in software projects” A reassessrent Jorn of Sysems and Software. 81.2 (2008) [9] Boch, BW. Software sek management: principles and practices, TEBE Software 8,321 (1891) 10] MeFaslan, FW. Portfolio approach to information sytens. Harvard Busines Review, 59, M2150 (1981) 1] Charets, RN, Adams, LK, White. MB: Managing Risk in Software Majtenance- IEEE Software. 14, 43-50 (1997) [12] DoC, Risk management guide for doe adguision, Departament of defense USA, (2006) [13] Barley, R: Risk management fr software projects. IEEE Software 11, 57~67 (1894) [14] Gopuen, A, Reinga, A, Stoncbuner, G! Risk Management Guide for Information Teenologby Systems. National Insitute of ‘Standards and Teehaoiogy (2002) [15) Hall, EM Managing Risk: Methods for Sofware Systems Development. The SEI Series in Software Engineering, Hardcover 4998) [16] Konto, J. The Riskit Method fr Software Risk Management, version 100, Computer Seience (1997) [17] Van Loon, H: A Management Methodology o Reduce Risk and Inove Quality TT Profesional. 9, 30-35 (2007) [US] Qinghua, P: A Model of Risk Assessment of Software Project Based on Grey Theory. Ix: proceedings of th International ‘Conference on Computer Science & Bdncation. pp. $38-541 2008) [19] Bs, ¥. Li, M, Chen, F Impact propagation and risk assessment of requirement changes for software development projects hated on desig structure mati, Iteratonal Torna of Projet Management 30, 363-473 (2012) [20] Tang, A, Wang, R Software Project Risk Assessment Model Based on Fuzzy Theory. In: Itermational Conference on Computer ‘and Comunication Technologies in Agriculture Engineering. pp.328-381 (2010) [211 Salmeron, HL, Lopez, C:- Foreasting Rsk Impact on ERP Maintenance with Augmented Fuzry Cognitive Maps. IEEE ‘wansactions oo software engineering, 2, 439-152 (2012) [22] Fan, C. Yu, ¥: BBNCased software project sk management. Jounal of Systems and Softwae. 73, 193~208 2004) [23] Salmeton, TL, Lopez, C: A multtera approach for aks assesment in ERP matenance. Journal of Systems and Software. 83, 1941-1953 2010), [24] Han, WM, Huang, 8: An empitical analysis of risk components and performance on software projets. Journal of Systems and Software 80, 42-30 2007) [25] Zaioponlos, 1, Motaxots, K., Askounis, D= Dynamic risk management system forthe modeling, optimal adaptation and ‘plementation of an ERP eytem Information management & Secu. 13 212-24 (2005) [26] MeManus, J. Risk Management in Software Development Projects Elsevier. (2004) [27] Benaroch M., Goldstein, 1- An Integrave Heonomie Optimization Approach to Systems Development Risk Manageme, IEEE “Transactions on software engineering. 35, 638-653 (2009) [281 Xiaosong, L, Shushi, L., Wenyon, C, Songiiang. F's The Applicaton of Risk Matix to Software Projst Risk Management, In “nteratinal Forum on Information Technology and Applications. pp. 480.-483 2008) [29] Clayton, M: Delphi a echnigue to harness exper opinion for rial decision-making lass in education. Bdveatinal Psychology, orehesteron~ Thames. 17, 373-387 (1997) [30] Okot, C, Pawlowski, S: The Delphi method as a research too: an example, design considerations and applications. Information & ‘Management 42, 15-29 (2008) [51] Malla 18, James, 1C. Impetance-Performanee Analysis. The Journal of Maskesng. 4, 77~79 (1977) [32] Deng, W.: Using a revised importance-perfeemance apalysis approach: The ease of Taiwanese hot springs touism, Tousismm Management. 28, 1274-1288 (2007), [33] Yeo, AY C. Examining a Singapore bank's compstitive superiority using importanc-performance analysis, Journal of American ‘Academy of Business. 3, 155-181 (2003) [54] Abul, J. Vaca, J, Manzano, V Importance values fr lmportanee-Peformance Analyst: A farmula fr spreading out values 2153 333as Cristina Lépez ond Jose Salmeron/Procedia Technology 5 (2012) $57 —464 deve from preference rankings, Journal of Business Reseach, 60, 115-121 @007) [35] Magal, SR, Levenburg, NM. Using Inportance-Pesformance Analysis to Evaluate #-Busines Scateies among Small Business {hs 38th Annual Hawall Intemational Conference on System Seiences. pp. 1763~176a 2005) [5] Ford, 118, Joseph, MIB Importance-pecformance analysis asa erategic too for service maketes: the cate of service quality percpiions of business students n New Zealand andthe USA. Journal of Services Marketing 13, 171186 (1999) [SN Kell M, Cale, P, Lyytimen, K, Schmid, R= (framework for denying software project ak. Communication ofthe ACM, 41 “Th=83 (1998) (38) Siang, 1, Kein, Software development risks to projec effectiveness. Joumal of Systems and Software. 52, 3-10 (2000) (39) Wallice, L, Keil M. Ral, A: Understanding software project risk: «elute analysis Information & Management. 4, 115 (2003) [do] Huang, $1, Han, WM: Exploring the selationship between software project duration and risk exposure: cluster analysis. Information &e Management 45, 175-182 2008) [44] Nakatso, RT, lacovou, CLA comparative study of important sek factors involved in offhore and domestic outourcing of software development project: A twe-pane Delphi sty. Information and Management. 46, 97-58 2008) (4) Heematea, FJ. Kustets, RJ Dealing with isk’ a pratical approach Toural of Information Technology. I, 335-345 (1996) [13] Ropponen, J. Lyytinen, K: Component of Sotware Development Risk: How to Adress Them? A Projet Manager Survey. IEEE Transactions on Software Enginerng, 26, 88-112 2000) (4) Cale P. Schmidt. Lyytinen, K. Keil M. Strategies for Heading Of is Project Failure Information Systems Manag 9 2000) 5 me Nomenclature IS/IT Information Systems/Information Technologies IPA importance-performance analysis