As outsourced and multinational IT projects become more common, managing risks for these projects is increasingly important. The research reported here examined key risks identified by Hong Kong vendor project managers working on both local and international package implementation projects. In addition to the typical risks that threaten project outcome success, respondents noted additional client- side and vendor-side risks, as well as location-specific risks on their multinational projects. They also distinguished threats to the satisfactory process of the project, and threats to their own firms from competitors and from potential damage to their reputation arising from customer dissatisfaction with either the outcomes or the process of the project. This broader risk focus of vendor project managers is contrasted with the client perspective through the lens of agency theory. Traditionally, agency theory has been used to predict risks to the client-principal related to vendors’ profit goals in the outsourcing relationship. However, the findings of this study suggest that vendors’ higher-level concerns for their future business and reputation mitigate the risk to the client of vendor opportunistic behavior.
For over 30 years, reports about problems with IT projects have appeared regularly in the popular and academic literature including several well-publicized major failures (Drummond, 1996; Lyytinen, Mathiassen, & Ropponen, 1998). During this period there has also been a steady flow of advice in both the academic and practitioner literature on IT project management, development methodologies, and risk management techniques. Risk management practice has been identified as one critical factor of the success of IT development projects (Barki, Rivard, & Talbot, 2001; Boehm, 1991; Charette, 1996; Fairley, 1994; Heemstra & Kusters, 1996; Schmidt, Lyytinen, Keil, & Cule, 2001). A significant stream of research has focused on identifying risk factors for IT projects in order to aid managers in making decisions about risk mitigation in their software development projects (see, for example: Alter, 1996; Baccarini, Salm, & Love, 2004; Barki, Rivard, & Talbot, 1993; Barki et al., 2001; Boehm, 1991; Cooke-Davies, 2002; Keil, Cule, Lyytinen, & Schmidt, 1998; Moynihan, 1996; Schmidt et al., 2001). These studies have included surveys of managers from a variety of cultures, including Australia (Baccarini et al., 2004), Canada (Barki et al., 1993), Europe (Cooke-Davies, 2002), Ireland (Moynihan, 1996), and the US, Finland, and Hong Kong (Schmidt et al., 2001), and show substantial commonality of risk perspective across cultures.
While the body of work on risks in IT projects is extensive, the success rate for these projects continues to be poor (Standish Group, 2003). One increasingly popular risk mitigation option for organizations is the outsourcing of development and implementation of IT projects (Lacity & Willcocks, 1998; Levina & Ross, 2003; Willcocks, Lacity, & Kern, 1999), either by contracting specialist software development firms to build custom information systems, or by purchasing off-the-shelf software packages, typically with some customization to fit the client’s needs (Lacity & Willcocks, 1998; McFarlan & Nolan, 1995; Natovich, 2003; Rao, 2004; Russo, 2000). Software package projects are especially interesting in the context of IT risk management practice, in that their use is claimed to ameliorate or avoid many of the risks to client organizations associated with custom developments (Lassila & Brancheau, 1999; Martin & McClure, 1983). Such outsourced projects, which can be within country or offshore (Rao, 2004), offer the benefits of risk transference, cost reduction and improved performance (Clark Jr., Zmud, & McCray, 1995; Lacity & Willcocks, 1998; Loh & Venkatraman, 1995; Natovich, 2003).