By: Kareem Shaker

Risk management is the heart and soul of project management, and failing to practice it in the right manner can have fatal consequences for IT projects – whether it is a CRM roll-out, a business intelligence initiative or even a nation-wide integration project. Proper risk planning can save the entire investment and increase the likelihood of project success. However, planning alone is not enough if monitoring of risks is not performed thoroughly. Here are the top 7 pitfalls of IT project risk management and the actions to avoid them:

1- Disregarding Enterprise Risk Management

Enterprise Risk Management (ERM) specifies the processes, frameworks, and methodologies an organization uses to identify and manage all risk types such as operational, strategic, financial, compliance, etc. One needs to consider the enterprise-wide risks and study the threats the organization is likely to encounter during the project lifetime. While building the risk management plan it is imperative to consult the Chief Risk Officer. ERM can have a mammoth impact on the risk management plan, which needs to be congruent with the ERM probability and impact scales, risk appetite, risk quantification methods, and risk management software.

2- Using Incomplete Risk Breakdown Structure

A Risk Breakdown Structure (RBS) is the catalyst for identifying a large number of risks. It should be used to identify risks and stimulate the creativity of stakeholders participating in the risk identification workshops. An RBS can be developed by listing the root causes of potential risks. The RBS highly depends on the project domain and the technology used. As an IT project manager, one can start with an existing template and customize it based on lessons learnt in past projects.

3- Ignoring Subjectivity

Subjectivity can make risk management lose its essence. Risk-averse stakeholders often identify a large number of risks; in contrast, risk takers may be oblivious to critical risks. Identification is the first step of risk management and accounts for 60% of the entire risk management cycle. Once the risks are identified, the subsequent activities can be planned and executed smoothly. The top problem of risk management is subjectivity, wherein different people perceive risks in different ways. For instance, a financial risk may not grab the IT manager’s attention, and a technical risk is very unlikely to be deemed a risk by a finance manager. The IT manager has to minimize subjectivity and maximize the quality of risk information. One can reduce subjectivity by using the Delphi Technique, as it keeps the views of the different subject matter experts (SMEs) anonymous.

4- Assigning All The Risks to the IT Project Manager

Risk ownership has to be communicated to the risk owners. Meticulous follow-up on unresolved risks is equally important. The project manager should never own all risks. Potential risk owners may be reluctant, during the risk identification stage, to accept responsibility for the risks they identify. Creating a risk management RACI (Responsible, Accountable, Consult, and Inform) Matrix will ensure that roles and responsibilities are clearly identified and communicated.

5- Neglecting Risk Management Benefit Cost Analysis

Not all risks have to be managed. Some risks just need to be accepted. The response strategies for negative risks (yes, there are positive risks, known as opportunities) are Avoid, Transfer, Mitigate, and Accept. However, oftentimes the acceptance strategy is never considered. A risk might be accepted if the cost of mitigation outweighs the potential impact.

6- Misusing Contingency Reserve

The contingency reserve can only be determined after completion of multiple revisions of the project management plan. It should only be used when a planned risk, whether known or unknown, materializes. It is not efficient to use the contingency quota of one risk at the expense of another risk unless the latter has been resolved.

7- Doing it Once

Risk management is an iterative process and should be practiced at all stages of the project. Many IT project managers conduct risk identification at the beginning of the project and shelve the risks until they turn into issues. Leadership teams should promote a risk management culture amongst team members, encourage them to actively report new risks, and always have risk management as a top item on their agenda.

IT project managers need to safeguard their projects against critical risks that might jeopardize the success of the project. Identification of the right risks plays a pivotal role in ensuring efficient and effective risk management. Always keep in mind the common pitfalls and remember that the biggest risk in IT project management is failing to identify the right risks.

KAREEM SHAKER, PMP, PMI-RMP is a Project & Enterprise Risk Senior Manager at Dubai World.