Project Management

Risk Management in IT Projects: From Register to Real Action

Youssef Shahboun
Youssef Shahboun
August 7, 2012 · 2 min read · 377 words
Youssef Shahboun
Risk Management in IT Projects: From Register to Real Action

Every IT project team I have worked with maintains a risk register. Very few of them do anything useful with it. The risk register as typically practiced is a document that lists risks, assigns owners, and records mitigation plans that are written in the first week of the project and reviewed perfunctorily at monthly status meetings. This is not risk management — it is risk documentation. Real risk management is a continuous activity that changes project behavior in response to emerging threats before they become problems.

Identifying Risks That Actually Materialize

The risks that kill IT projects are not the risks on the register. They are the risks that were obvious in retrospect but were not on the register because no one asked the right questions or because they were uncomfortable to name. The most reliable way to surface real risks is structured risk workshops with people who have delivered similar projects, people who understand the organizational context, and people who are not invested in the project appearing low-risk. These people will name risks that the project team is motivated to minimize.

The risk categories that most consistently contain the risks that materialize in IT projects: stakeholder resistance, particularly from middle management whose authority is reduced by the new system; data quality problems discovered after implementation begins; key resource availability conflicts with operational demands; vendor delivery commitments that prove optimistic; and regulatory or compliance requirements discovered after scope is agreed.

From Assessment to Action

A risk response plan that stays in the register is not a response — it is an intention. Effective risk management converts the highest-priority risks into specific actions, assigned to specific people, with specific completion dates. For a risk that is being mitigated, the action is whatever is required to reduce the probability or impact of the risk. For a risk that is being accepted, the action is developing the contingency plan that will be executed if the risk materializes. For a risk that is being transferred, the action is the contractual or insurance arrangement that shifts the exposure. When these actions are tracked in the project schedule alongside technical deliverables, risk management becomes integrated into project execution rather than parallel to it.

Share this article:
Youssef Shahboun

Written by

Youssef Shahboun

IT Director & Enterprise Technology Strategist with 25+ years across ERP, digital transformation, infrastructure, and cybersecurity in 9+ industries across Egypt.

Let's Talk