Abstract

Purpose – The aim of the research work that underpins this paper is, therefore, to examine the
impact of risk management on project performance and the importance of soft-skills within IT
companies to influence project performance.

Design/methodology/approach – Questionnaires were collected from respondents in different

IT companies in the PAKISTAN, in order to assess risk in IT projects. key success factors emerged
from the literature and the questionnaire survey as being susceptible to improvement with
increasing the project performance.

Findings – The results reveal that risk management can be improved by developing mitigation
measures which positively influence risk response for project performance. Based on these
results, a framework is proposed to improve the practical functioning of risk management.

Research limitations/implications – This study, however, reflects the general view but for
greater confirmation, in-depth investigation is required, and the suggestion is that more
primary data should be gathered by the survey method in other project organizations that have
adopted risk management maturity, in order to validate the preliminary findings in this paper.
This research is being carried out and will be reported in a future paper.

Originality/value – This framework provides a better view of risk management impact on

project performance. One of the unique features of the study is the creation of new knowledge
by focusing on the PAKISTAN and shows the importance of soft-skills on project performance.
At the same time, the use of risk management to handle IT delays risks provides new
knowledge for a wider audience.

Keywords​ Project management, Risk management, Soft Skills , PAKISTAN, Risk

Paper type​ Research paper

Introduction

Risk management is one of the nine knowledge areas propagated by the Project Management
Institute. Risk management in the project management context is a comprehensive and
systematic way of risk identification, risk analysis and risk response with a view to achieving the
project objectives. In the IT industry, risk is often referred to as the presence of potential or
actual threats or opportunities that influence the objectives of a project during
Implementation, commissioning, or at time of used.(Raz, Shenhar, & Dvir, 2002)
Mitigating risk by lessening their impact is a critical component of risk management.
Implemented correctly, a successful risk-mitigation strategy should reduce adverse impacts. In
essence a well-planned and properly administered risk mitigation strategy is a replacement of
uncertain and volatile events with a more predictable or controlled response (Chapman &Ward,
2007). The ability to govern or to set up control mechanisms for costs, schedule and quality in a
IT project reduces rapidly as you move through the project lifecycle (Wallace & Blumkin, 2007).
The control activities at the planning stage are risk profiling, validation, need identification and
validation and preliminary budget and schedule development (Wallace & Blumkin, 2007).
The relationship between risk management and project success or failure has been studied
extensively, particularly in the field of Information Technology (IT) (Ropponen and
Lyytinen​1997​, ​2000​; Yetton et al. ​2000​; Kwak and Stoddard ​2004​; Na et al. ​2004​; Zwikael and
Globerson​2006​; Han et al. ​2007​; Jiang et al. ​2009​; Bakker, Boonstra, andWortmann​2010​, ​2012​).
These studies have come up with controversial findings. Although some surveys have found
that risk management has a low impact on project performance, it is suggested that even
moderate levels of risk management planning be enough to reduce the negative effects of risk
on project success.
Soft skills involve the management of interpersonal relationships and the notion of project
ecology (Grabher​2004​).Furthermore, the organizational context can affect risk and uncertainty
management, e.g. organizational culture, organizational climate and demographics (Crawford
et al. ​2006​; Sharma and Gupta ​2012​; Söderlund and Maylor​2012​), as wellas individual aspects,
e.g. expectations, intuition and judgment, biases, power conflicts, trust and learning
(Gladwell​2006​; Söderlund and Maylor​2012​). According to Thamhain (​2013​), effective project
risk management requires broad involvement and collaboration across all segments of the
project team and its environment. Risk management requires more time and effort invested in
soft skills.
The purpose of this study is to clarify the relationship between risk management and project
success, considering the contingent effect of project complexity. This approach also combines
aspects of soft and hard skills, as suggested by Söderlund and Maylor (​2012​). This
methodological approach involves a literature review to underpin the conceptual framework
and a survey for empirical validation.
This paper offers an overview of the conceptual framework for project risk management, its
impact on project performance and the variable contingencies that may moderate this
relationship.(De Carvalho & Rabechini Junior, 2015)

Literature Review

All projects are unique in respect of their content and scope, but there are certain natural risks
that pertain to them all, and unexpected changes can occur with any project. Risk management
is a critical component of any winning management strategy. Risk management is one of the
nine knowledge areas propagated by the Project Management Institute (PMI). (Tesch,
Kloppenborg, & Frolick, 2007) The PMBOK® Guide recognizes nine knowledge areas typical of
almost all projects. The nine knowledge areas are (Project integration management, Project
scope management, Project time management, Project cost management, Project quality
management, Project human resource management, Project communications management,
Project risk management, Project procurement management)(Ft. Wainwright, 2015)

Although these knowledge areas are all equally important from a project manager’s point of
view, in practice a project manager might determine the key areas which will have the greatest
impact on the outcome of the project.(Wu, Nisar, Kapletia, & Prabhakar, 2017) Each PMI
knowledge area in itself contains some or all of the project management processes. For
example, project risk management includes, Risk management planning, Risk identification,
Qualitative risk analysis, Quantitative risk analysis, Risk response planning, Risk monitoring and
control. Risk management techniques can be broken down into two methods — assessing and
controlling risk. Assessing risk involves formally identifying risk variables during the project
scope (or pre-planning phase) and controlling risk builds planning and resolution into the
project. During the initial phases of project planning, the project team has the opportunity to
analyze the risk variables and design and plan for alternative solutions to help mitigate risk
during project implementation.(De Millo, 2005)

Risk management is probably the most difficult aspect of project management. A project
manager must be able to recognize and identify the root causes of risks and to trace these
causes through the project to their consequences. Furthermore, risk management in the IT
project management context is a comprehensive and systematic way of identifying, analyzing
and responding to risks to achieve the project objectives. The use of risk management from the
early stages of a project, where major decisions such as choice of alignment and selection of IT
methods can be influenced, is essential. The benefits of the risk management process include
identifying and analyzing risks, and improvement of IT project management processes and
effective use of resources.(Carbone & Tippett, 2004)
The risk analysis and management techniques have been described in detail by many authors. A
typical risk management process includes the key steps, Risk identification, Risk assessment,
Risk mitigation, Risk monitoring(Tesch et al., 2007)

Risk identification is the first and the most important step in the risk management process, as it
attempts to identify the source and type of risks. It includes the recognition of potential risk
event conditions in the IT project and the clarification of risk responsibilities. Risk identification
develops the basis for the next steps: analysis and control of risk management. (Iqbal,
Choudhry, Holschemacher, Ali, & Tamošaitienė, 2015) Corrects risk identification ensures risk
management effectiveness. It is stated that the detection and mitigation of project risks are
crucial steps in running successful projects. The PMBOK® Guide defines a project risk as “an
uncertain event or condition that, if it occurs, has a positive or negative effect on at least one
project objective”. (Carbone & Tippett, 2004)There are many possible risks which could lead to
the failure of the IT project, and through the project, it is very important what risk factors are
acting concurrently, too many project risks as undesirable events may cause IT project delays,
unnecessary spending, unsatisfactory project results or even total failure. Many approaches on
risk classification have been recommended in the literature for effective IT project risk
management. Risks categorized into two groups in accordance with the nature of the risks, i.e.
external and internal risks. Combining the blurry logic and a work breakdown structure, the
authors grouped risks into six subsets: local, global, economic, physical, political and
technological change. Risks classification depends mainly upon whether the project is local or
international. The internal risks are relevant to all projects irrespective of whether they are
local or international. International projects tend to be subjected to the external risk such as
unawareness of the social conditions, economic and political scenarios, unknown and new
procedural formalities, regulatory framework and governing authority, etc.(Ft. Wainwright,
2015)

Project risk management and the process of risk management

According to Baloi and Price (2003), a direct relationship exists between effective risk
management and the achievement of project success factors or criteria, particularly since risks
are assessed by their potential effect on project objectives. Notably, risk management does not
mean eliminating uncertainty but rather reducing the negative effect of risks (Maylor, 2010).
Furthermore, Nicholas and Steyn (2008) even propose that “project management is risk
management” to underline the significance of risk management. Risk management is
considered as the process of identifying, sequencing potential risk factors and coming up with
corresponding strategies which can effectively alleviate risk consequences(Hashim Motaleb &
Kishk, 2014) Buertey et al. (2012) categorizes the tools and techniques that researchers
commonly used into two groups. Qualitative risk management techniques consist of risk
probability and impact assessment, probability and impact matrix, and risk data quality
assessment. Quantitative risk management involves tools such as sensitivity analysis, decision
tree analysis, fuzzy set theory, artificial neural networks, and so on. In a recent study, data
collected between 2002 and 2012 on 82 federal technology projects across 519 quarterly time
periods indicated that early stage complexity risk and later stage execution risk have a
significant negative effect on a composite measure of schedule-cost performance, while the
negative effect of the procurement-related contracting and subcontracting risk on
schedule-cost performance is much weaker (Mishra et al., 2016). The same study also argued
that increasing levels of process maturity with the CMMI (a process maturity framework)
assisted projects with mitigating the negative effect of project risks on schedule-cost
performance. Thus, the following hypothesis is presented:

H1. There is no relation between project success and risk factor.

A formal risk management process (RMP) is important during the project life cycle according to
Chapman (1997). PMBOK, a professional guide to managing projects and ANSI standard
recognizes the importance of risk and identified as one of the key knowledge areas for
managing projects successfully. A large amount of project RMPs have been put forward. Boehm
(1991) proposed that RMP contains two main steps: risk assessment and risk-control. Risk
assessment involves identification and analysis while risk control includes risk management
planning, risk resolution, risk monitoring planning, tracking, and corrective action. The PMI also
describes four steps for RMP, namely, identification, quantification, response development, and
control (Project Management Institute (PMI), 2008). Chapman (1997) presented a concrete
RMP structure, which includes nine phases: define, focus, identify, structure, own, estimate,
evaluate, plan, and manage. Kahkonen (1997) simplified the process to consist of organization
and scope, risk identification, risk analysis, risk strategy, response planning, continuous control,
and feedback. Carr and Tah (2001) improved it into manipulation of the generic risk data,
identification, assessment, analysis, handling, and monitoring. Generally, PRM contains four
main steps: risk identification, risk assessment, planning risk response, and risk monitoring and
control. Whilst the so-called hard side of risk management is important for managing
foreseeable uncertainties and variability, more recent research has argued that the soft side, or
soft skills are also significant for managing unforeseeable uncertainties (Carvalho and Rabechini
Junior, 2015).
This notion extends to the supply chain, and implies that the understudied social aspects of
inter-firm information sharing and trust have an impact on the management of risk (Huong Tran
et al., 2016).
Risk management and project success

Several studies have focused on identifying the state of project risk management practices. One
of the most recent and comprehensive studies was conducted by Zwikael and Ahn (​2011​) in
three countries (New Zealand, Israel and Japan), involving 701 project managers in seven
industrial sectors. The study highlights the importance of project context, considering the
industry’s and country’s levels of project risk. The authors suggest that even moderate levels of
risk management planning will suffice to reduce the negative effects of risk on project success.
Bakker, Boonstra, and Wortmann (​2012​) support these findings and emphasize the importance
of identifying risks as having more widespread effects on project success, followed by risk
reports.
Risk identification stands out in two recent studies. In the survey conducted by Bakker,
Boonstra, and Wortmann (​2012​), most of the stakeholders (over 75%) claimed this is the most
important factor. Bakker, Boonstra, and Wortmann (​2012​) indicate that the main concerns of
stakeholders include (in descending order) risk reports, risk records, risk allocation, risk control
and risk analysis.
Reeves et al. (​2013​) argue that inefficiencies in the process of identifying risks in the
development of complex systems are the cause of failures. According to these researchers, the
way in which this process is handled often fails to lead to the identification of events and
circumstances that truly challenge project performance, thus generating additional costs and
schedule delays. Bakker, Boonstra, and Wortmann (​2012​) suggest that risk management
activities contribute to project success via four different effects: action, perception, expectation
and relation. Action effects are instrumental to the stakeholders’ ability to cause and stimulate
an effective action. Perception and expectation effects involve the stakeholders’ ability to
establish a consensual view of the final expected outcome and to motivate their behavior
during execution of the project to deal with objective and subjective differences.(Reed &
Knight, 2013) The researchers conclude that in addition to the instrumental effects of risk
management, communication effects play a key role by establishing a shared vision of the
project’s uncertainties and the expectations for its success. Other studies also highlight
communication in assessing project performance, identifying the impact of information sharing
and managing the gaps in perception of the interested parties about the project’s success
(Browning et al. ​2002​; Han et al. ​2007​; Chen et al. ​2009​; Jiang et al. ​2009​). Söderlund and
Maylor (​2012​) support this view by stating that, ‘To implement projects successfully, it is
necessary to combine both hard and soft skills’.
The above suggests the following hypothesis:

H2: The soft side has a significant and positive impact on the hard side.
A set of studies in the area of IT established a link between risk management and project
performance (Yetton et al. ​2000​; Kwak and Stoddard ​2004​; Na et al. ​2004​; Han et al. ​2007​; Jiang
et al. ​2009​). However, their findings are controversial because some of these studies found that
risk management has a low impact on project success (Ropponen and Lyytinen​1997​, ​2000​;
Zwikael and Globerson​2006​).
Notably, most of the studies cited in this literature review (as a proxy for the construct of
performance/project success) adopt the triad of compliance to deadlines, budget and delivery
requirements, which is usually called the iron triangle. A few risk and success studies expand on
this proxy, e.g. Jiang and Klein (​2000​), who include the impact of risks on team performance.
Bakker, Boonstra, and Wortmann (​2010​) identified this characteristic in their review of the
literature about the impact of risk management on the success of IT projects. In their survey,
they concluded that 62% of the studies usually adopted the traditional definition of success, i.e.
compliance to deadlines, cost constraints and requirements.
However, the dimensions for project success have been the target of fruitful discussion in the
project management literature, in particular, with the relevant contributions of Israeli
researchers Shenhar and Dvir. Based on a literature review and empirical studies, Shenhar and
Dvir (​2007​) grouped five dimensions of success: efficiency, impact on clients, impact on staff,
direct business and success, and preparation for the future. However, they point out that these
five dimensions are not applicable to all types of projects and that they vary over time (short
and long term). Thomas and Mullaly (​2008​) discussed a shift to a more strategic value
perspective to evaluate project management, from financial metrics such as ROI to strategic
maps (Balanced Scorecard – BSC) and organizational project maturity models assessment.
Another important issue in the literature of project success is the distinction between the
success of project management and that of its product/service, as emphasized by several
authors (Pinto and Slevin​1988​; Wit ​1988​; Cooke-Davies ​2002​; Shenhar and Dvir​2007​; Barclay
and Osei-Bryson ​2010​).In addition to the dimensions proposed by Shenhar and Dvir (​2007​), a
sixth dimension which appears in several publications is included, particularly in the
construction industry, involving sustainability-related topics (Kometa,Olomolaiye, and Harris
1995​; Kumaraswamy and Thorpe ​1996​; Chan and Chan ​2004​; CII ​2006​).The above discussion
leads us to propose the following hypotheses:

H3a: The hard side of risk management has a significant and positive impact on project success.
H3b: The soft side of risk management has a significant and positive impact on project success.

References
Carbone, T. A., & Tippett, D. D. (2004). Project risk management using the project risk fmea.
EMJ - Engineering Management Journal​, ​16(​ 4), 28–35.
https://doi.org/10.1080/10429247.2004.11415263
De Carvalho, M. M., & Rabechini Junior, R. (2015). Impact of risk management on project
performance: The importance of soft skills. ​International Journal of Production Research,​
53(​ 2), 321–340. https://doi.org/10.1080/00207543.2014.919423
De Millo, A. (2005). Risk management strategy: A practical guide for risk awareness and its
cause and effect on project deployment. ​Journal of Digital Asset Management,​ ​1​(2),
88–95. https://doi.org/http://0-dx.doi.org.fama.us.es/10.1057/palgrave.dam.3640015
Ft. Wainwright, A. U. N. (2015). Risk management in construction projects. ​Technological and
Economic Development of Economy,​ ​21(​ 1), 65–78.
https://doi.org/10.3846/20294913.2014.994582
Hashim Motaleb, O., & Kishk, M. (2014). Assessing risk response maturity. ​International Journal
of Managing Projects in Business,​ ​7​(2), 247–262.
https://doi.org/10.1108/IJMPB-03-2013-0013
Iqbal, S., Choudhry, R. M., Holschemacher, K., Ali, A., & Tamošaitienė, J. (2015). Risk
management in construction projects. ​Technological and Economic Development of
Economy,​ ​21​(1), 65–78. https://doi.org/10.3846/20294913.2014.994582
Raz, T., Shenhar, A. J., & Dvir, D. (2002). Risk management, project success, and technological
uncertainty. ​R&D Management​, ​32(​ 2), 101–109.
https://doi.org/10.1111/1467-9310.00243
Reed, A. H., & Knight, L. V. (2013). Project Duration and Risk Factors on Virtual Projects. ​The
Journal of Computer Information Systems,​ ​54​(1), 75.
https://doi.org/10.1080/08874417.2013.11645673
Tesch, D., Kloppenborg, T. J., & Frolick, M. N. (2007). IT Project risk factors: The project
management professionals perspective. ​Journal of Computer Information Systems,​ ​47(​ 4),
61–70. https://doi.org/10.1080/08874417.2007.11645981
Wu, Z., Nisar, T., Kapletia, D., & Prabhakar, G. (2017). Risk factors for project success in the
Chinese construction industry. ​Journal of Manufacturing Technology Management,​ ​28​(7),
850–866. https://doi.org/10.1108/JMTM-02-2017-0027