Developing a risk framework for web-based application development

July 2011

Introduction

Recently one of our Project Managers returned from an initiation meeting with a large multinational company. As she had started to summarise the project risks the senior client cut her short abruptly, as this was "clearly for her as Project Manager to sort out". She returned to the office frustrated, given that a number of the potential risks concerned that organisation's poor record for supplying feedback on-time.

I've worked for over ten years in project management within large global web agencies and can say that situations like this are not unique, and that risk management is a contentious issue in web development projects. In our environment most projects are driven by the two main disciplines of 'technology' and 'creative'; sometimes in harmony but sometimes at odds. The challenge for Project Managers is both adhering to good project processes (PRINCE2, PMBOK etc.) without stifling the creativity that marketing clients look for in digital agencies. When I conducted independent research for an MSc in Software Development I was interested whether web project managers in agencies should manage 'just like IT projects', for which documented models exist, or take a differing approach. Broadly my research asked three questions focusing on risk identification:

  1. Are there differences between risks facing technical web projects and 'traditional' IT projects?
  2. If so, are these new and unique, or a matter of degree?
  3. What would a risk framework for technical web projects contain?

Organisational background

As part of an MSc in Software Development I sampled 10 project managers working in UK interactive agencies on technical web projects for IT, FMCG, Government and Banking clients. I developed a loosely structured email questionnaire and used 'critical incidence' techniques (Flanagan, 1954) to get each to recall a completed complex technical project. Using content analysis of their feedback I developed a more specific questionnaire which was completed by a further 30 Project Managers. I analysed all data by comparing it to three established IT risk frameworks from Moynihan (1996), Barki (1993), and Carr (1993) to determine overlap and differences.

Findings

Of the 13 themes identified there were five that were rated particularly highly and I have detailed some of their component risks below. Additionally the main risks identified are summarised as a table here.

1) Internal team / agency

The highest rated risk identified in the framework is 'lack of internal communication between team members'. This risk is internal to the organisations and may reflect the uncommunicative silos that creative, technical and other disciplines can find themselves inhabiting. Communication has been raised by only one of the three IT frameworks, yet is flagged regularly by practitioners such as Kendrick (2003) as being critical within projects. 'Lack of accountability' by different disciplines within project teams is also critical. This resonates with points raised by Steele and Carter (2001) who suggest web projects are unique because of the very different motivations and personalities of the parties involved. Two items cover 'novelty' - both with ways of working and with the project type being new to the organisation. Issues with new ways of working are not addressed in any of the existing IT frameworks; this links in to observations from researchers like Rodriguez (2002) and Reifer (2002) who comment on the high rate of change and short time-scales of web projects. Finally there was' agency over-committing'. As Reifer observes, the rate of change is so high in the web industry, combined with strong competition for contracts that inevitably leads to over-commitments to clients. None of the IT frameworks rate this as an issue, however in the modern competitive market place and bearing in mind the high level of IT project failures it may be an unfortunate omission.

2) The Client

Three risks raised refer to the client's web knowledge and experience. Whilst a certain lack of technical knowledge from the client is identified in all aforementioned IT frameworks, the issue of the client's lack of understanding of the impact of their requirements is covered only by Moynihan. Two items considering the clients' push for new functionality and change were identified repeatedly by web project managers, yet only Carr identifies the same issue for IT projects

3) Requirement and Specification

This covers risk items such as 'many unknowns' and 'insufficient initial budget to deliver what the client wants' and were only covered by one of the IT frameworks. 'Technical scope is too ambitious / optimistic' was however a universal issue, though researchers like Rodriguez still suggest that this is a greater issue for web projects due to the range of technologies used.

4) Technology

There is a large degree of overlap here between the web and IT risk frameworks, including 'Integration of many technologies', and 'Unfamiliar tools / technologies'. The web framework identifies compliance and policy as problematic whereas it is not covered by the IT frameworks; this may be partly down to the global and customer-facing nature of the web, though equally it may indicate a need to review the IT frameworks against the current regulatory environments.

5) Project timing

The final items relate to unrealistic launch dates, and to allocating insufficient time to tasks during planning. These risks are covered by only one of the IT frameworks. Once again attention is drawn to Rodriguez, who states that that time to market and product life cycles are much more pronounced in the case of web applications.

Other findings

Relative inexperience was not seen by web project managers as a risk, yet their average age of 32 was at least ten years younger than Moynihan's IT project managers. Anecdotal evidence suggests that web project managers are often younger and, critically, more inexperienced than in traditional IT delivery. The project managers sampled also didn't feel that training is an issue, yet only half have formal Project Management qualifications e.g. PRINCE2, ISEB etc., and only a third have academic qualifications covering relevant topics.

Summary

So are risks in web-based projects different from 'traditional' IT? My own conclusion is that the agencies sampled are in need of a different perspective due to their creative and marketing roots, as well as the demands of their clients. However many of the truths and learning from IT and project management are still valid and must be acknowledged in any context, such as the common technical heritage. Equally there are a number of risks identified here which have little or no overlap with the quoted IT frameworks, such as requirements uncertainty and volatility, organisational issues and internal staff accountability and communication. I see a case for some of these points to be considered for updated risk frameworks to help us understand and manage risk identification in web-based projects for the benefit of organisations and their clients.

The main risks identified above are summarised as a table here

| Home |