{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,13]],"date-time":"2026-02-13T16:19:28Z","timestamp":1770999568424,"version":"3.50.1"},"reference-count":61,"publisher":"Emerald","issue":"2","license":[{"start":{"date-parts":[[2008,6,6]],"date-time":"2008-06-06T00:00:00Z","timestamp":1212710400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2008,6,6]]},"abstract":"Purpose<\/jats:title>This paper aims to present a study of Information Systems project risk management aimed at identifying a risk ontology and checklist that will enable decision making and mitigation strategy planning in information system (IS) development in the public sector. This sector is an ideal research field in risk management practices, due to the visibility that failure of IS\/IT projects has acquired as a consequence of the duty of accountability that characterises it.<\/jats:p><\/jats:sec>Design\/methodology\/approach<\/jats:title>The study is based on a qualitative approach anchored on a critical literature review, leading to the development of an analytical framework, followed by a thorough case\u2010study survey.<\/jats:p><\/jats:sec>Findings<\/jats:title>A project risk ontology was derived from the analysis of ten case\u2010studies in the UK, USA and New Zealand and was divided into five main categories: pre\u2010project, customer, project management, technological issues, and development methodology. The analysis found that a considerable number of risk factors are incurred before the start of the formal project and pre\u2010determine the future of the project and create predictable risks that can be avoided.<\/jats:p><\/jats:sec>Research limitations\/implications<\/jats:title>This paper has focused on the pre\u2010implementation and implementation phases of IT\/IS projects and further research into IS post\u2010implementation is required.<\/jats:p><\/jats:sec>Originality\/value<\/jats:title>The proposed ontology is designed to fit in real life systems development cycles and is aimed at supporting risk assessment and control. The findings suggest that risk thinking should start early in the project and not, as many modern design and development methodologies propose, solely as part of the development process itself.<\/jats:p><\/jats:sec>","DOI":"10.1108\/09685220810879636","type":"journal-article","created":{"date-parts":[[2008,6,21]],"date-time":"2008-06-21T07:00:27Z","timestamp":1214031627000},"page":"166-186","source":"Crossref","is-referenced-by-count":46,"title":["Supporting decision making in risk management through an evidence\u2010based information systems project risk checklist"],"prefix":"10.1108","volume":"16","author":[{"given":"Lihong","family":"Zhou","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Ana","family":"Vasconcelos","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Miguel","family":"Nunes","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"140","reference":[{"key":"key2022032020342002100_b1","doi-asserted-by":"crossref","unstructured":"Alavi, M. and Carlson, P. (1992), \u201cA review of MIS research and disciplinary development\u201d, Journal of Management Information Systems, Vol. 8 No. 4, pp. 45\u201062.","DOI":"10.1080\/07421222.1992.11517938"},{"key":"key2022032020342002100_b3","unstructured":"Bhandari, P., Nunes, M. and Annansingh, F. (2005), \u201cAnalysing the penetration of knowledge management practices in organisations through a survey of case studies\u201d, Proceedings of the 4th European Conference on Research Methodology for Business and Management Studies (ECRM 2005), Universit\u00e9 Paris Dauphine, Paris, France, April 21\u201022, pp. 37\u201045."},{"key":"key2022032020342002100_b2","doi-asserted-by":"crossref","unstructured":"Boehm, B., Bose, P., Horowitz, E. and Lee, M. (1995), \u201cSoftware requirements negotiation and renegotiation aids: a theory\u2010W based spiral approach\u201d, International Conference on Software Engineering. Proceedings of the 17th International Conference on Software Engineering, 1995, Seattle, WA, USA, pp. 243\u201053.","DOI":"10.1145\/225014.225037"},{"key":"key2022032020342002100_b8","doi-asserted-by":"crossref","unstructured":"Bostrom, R. and Heinen, J. (1977), \u201cMIS problems and failures: a socio\u2010technical perspective. Part 2: the application of socio\u2010technical theory\u201d, MIS Quarterly, Vol. 1 No. 4, pp. 11\u201028.","DOI":"10.2307\/249019"},{"key":"key2022032020342002100_b4","unstructured":"Bronte\u2010Stewart, M. (2005), \u201cDeveloping a risk estimation model from IT project failure research\u201d, Computing and Information Systems Journal, Vol. 9 No. 3, available at: http:\/\/cis.paisley.ac.uk\/research\/journal\/V9\/V9N3\/failure.doc (accessed March 14, 2007)."},{"key":"key2022032020342002100_b5","doi-asserted-by":"crossref","unstructured":"Brown, A. (1995), \u201cManaging understandings: politics, symbolism, niche marketing and the quest for legitimacy in IT implementation\u201d, Organisation Studies, Vol. 16 No. 6, pp. 951\u201069.","DOI":"10.1177\/017084069501600602"},{"key":"key2022032020342002100_b6","doi-asserted-by":"crossref","unstructured":"Brown, A. (1998), \u201cNarrative, politics and legitimacy in an IT implementation\u201d, Journal of Management Studies, Vol. 35 No. 1, pp. 35\u201058.","DOI":"10.1111\/1467-6486.00083"},{"key":"key2022032020342002100_b7","unstructured":"Brown, M. (2000), \u201cMitigating the risk of information technology initiatives: best practices and points of failure for the public sector\u201d, in Garson, G. (Ed.), Handbook of Public Information Systems, Marcel Dekker, New York, NY, pp. 153\u201064."},{"key":"key2022032020342002100_b9","doi-asserted-by":"crossref","unstructured":"Bryman, A. (2002), Research Methods and Organisation Studies, Routledge, London.","DOI":"10.4324\/9780203359648"},{"key":"key2022032020342002100_b10","unstructured":"Cadle, J. and Yeate, D. (2001), Project Management for Information Systems, Financial Times\/Prentice\u2010Hall, Harlow."},{"key":"key2022032020342002100_b11","unstructured":"Chapman, C. and Ward, S. (1997), Project Risk Management: Processes, Techniques and Insights, Wiley, New York, NY."},{"key":"key2022032020342002100_b12","unstructured":"Charette, R. (1989), Software Engineering Risk Analysis and Management, McGraw\u2010Hill, New York, NY."},{"key":"key2022032020342002100_b13","doi-asserted-by":"crossref","unstructured":"Clegg, C., Axtell, C., Damadoran, L., Farbey, B., Hull, R., Lloyd\u2010Jones, R., Nicholls, J., Seell, R. and Tomlinson, C. (1997), \u201cInformation technology: a study of performance and the role of human and organizational factors\u201d, Ergonomics Journal, Vol. 40 No. 9, pp. 851\u201071.","DOI":"10.1080\/001401397187694"},{"key":"key2022032020342002100_b14","doi-asserted-by":"crossref","unstructured":"Doolin, B. (2004), \u201cPower and resistance in the implementation of a medical management information system\u201d, Information Systems Journal, Vol. 14, pp. 343\u201062.","DOI":"10.1111\/j.1365-2575.2004.00176.x"},{"key":"key2022032020342002100_b15","doi-asserted-by":"crossref","unstructured":"Drori, O. (1997), \u201cFrom theory to practice or how not to fail in developing information systems\u201d, Software Engineering Notes, Vol. 22 No. 1, pp. 85\u20107.","DOI":"10.1145\/251759.251875"},{"key":"key2022032020342002100_b16","unstructured":"Drucker, P. (1975), Management: Tasks, Responsibilities, Practices, W. Heinemann, Ltd, London."},{"key":"key2022032020342002100_b17","doi-asserted-by":"crossref","unstructured":"Dvir, D., Lipovetsky, S., Shenhar, A. and Tishler, A. (1998), \u201cIn search of project classification: a non\u2010universal approach to project success factors\u201d, Research Policy, Vol. 27 No. 9, pp. 915\u201035.","DOI":"10.1016\/S0048-7333(98)00085-7"},{"key":"key2022032020342002100_b18","unstructured":"Easterby\u2010Smith, M. (2002), Management Research: An Introduction, Sage, London."},{"key":"key2022032020342002100_b19","unstructured":"Fielding, R. (2002), \u201cIT projects doomed to failure\u201d, VNUNET.COM News, November, available at: www.vnunet.com\/vnunet\/news\/2120858\/projects\u2010doomed\u2010failure (accessed March 14, 2007)."},{"key":"key2022032020342002100_b20","unstructured":"Finkelstein, A. (1995), \u201cReport of the inquiry into the London Ambulance Service\u201d, available at: www.cs.ucl.ac.uk\/staff\/A.Finkelstein\/las\/lascase0.9.pdf (accessed March 14, 2007)."},{"key":"key2022032020342002100_b21","unstructured":"GAO (2000), \u201cInformation technology management: SBA needs to establish policies and procedures for key IT processes\u201d, available at: www.gao.gov\/archive\/2000\/ai00170.pdf (accessed March 14, 2007)."},{"key":"key2022032020342002100_b22","unstructured":"GAO (2003), \u201cBusiness modernization: improvements needed in management of NASA's integrated financial management program\u201d, available at: www.gao.gov\/new.items\/d03507.pdf (accessed March 14, 2007)."},{"key":"key2022032020342002100_b23","unstructured":"GAO (2005), \u201cDOD business systems modernization: navy ERP adherence to best business practices critical to avoid past failures\u201d, available at: www.gao.gov\/new.items\/d05858.pdf (accessed March 14, 2007)."},{"key":"key2022032020342002100_b24","unstructured":"GAO (2006), \u201cDOD business transformation: defense travel system continues to face implementation challenges\u201d, available at: www.gao.gov\/new.items\/d0618.pdf (accessed March 14, 2007)."},{"key":"key2022032020342002100_b26","unstructured":"Gill, J. and Johnson, P. (1991), Research Methods for Managers, Paul Chapman, London."},{"key":"key2022032020342002100_b25","unstructured":"Glesne, C. and Peshkin, A. (1992), Becoming Qualitative Researchers, Longman, New York, NY."},{"key":"key2022032020342002100_b27","doi-asserted-by":"crossref","unstructured":"Harrin, E. (2007), \u201cBetween a rock and a hard place\u201d, IT Now, Vol. 49 No. 1, pp. 6\u20108.","DOI":"10.1093\/combul\/bwl089"},{"key":"key2022032020342002100_b28","doi-asserted-by":"crossref","unstructured":"Holland, C. and Light, B. (1999), \u201cA critical success factors model for ERP implementation\u201d, IEEE Software, Vol. 16 No. 3, pp. 30\u20106.","DOI":"10.1109\/52.765784"},{"key":"key2022032020342002100_b29","unstructured":"Hood, C. and Rothstein, H. (2000), \u201cBusiness risk management in government: pitfalls and possibilities\u201d, Centre for Analysis of Risk and Regulation at the London School of Economics and Political Science (CARR) Discussion Paper No. 0, available at: www.lse.ac.uk\/collections\/CARR\/pdf\/Business_Risk_Management_in_Govt.pdf (accessed March 14, 2007)."},{"key":"key2022032020342002100_b30","unstructured":"Hughes, B. and Cotterell, M. (2002), Software Project Management, McGraw\u2010Hill, London."},{"key":"key2022032020342002100_b31","unstructured":"Jackson, P. (1994), Desk Research, Market Research Series, Kogan Page, London."},{"key":"key2022032020342002100_b33","unstructured":"Jalote, P. (2002), Software Project Management in Practice, Addison\u2010Wesley Professional, Boston, MA."},{"key":"key2022032020342002100_b32","unstructured":"Jaques, R. (2004), \u201cUK wasting billions on IT projects\u201d, VNUNET.COM News, April, available at: www.computing.co.uk\/vnunet\/news\/2124833\/uk\u2010wasting\u2010billions\u2010projects (accessed March 14, 2007)."},{"key":"key2022032020342002100_b34","unstructured":"Kasser, J. (1998), \u201cWhat do you mean you can't tell me if my project is in trouble?\u201d, Proceeding of the First European Conference on Software Metrics (FESMA 98), Antwerp, Belgium."},{"key":"key2022032020342002100_b35","doi-asserted-by":"crossref","unstructured":"Keil, M., Cule, P., Lyytinen, K. and Schmidt, R. (1998), \u201cA framework for identifying software project risks\u201d, Communication of the ACM, Vol. 41 No. 11, pp. 76\u201083.","DOI":"10.1145\/287831.287843"},{"key":"key2022032020342002100_b36","unstructured":"Kirk, J. and Vasconcelos, A. (2003), \u201cManagement consultancies and technology consultancies in a converging market: a knowledge management perspective\u201d, Electronic Journal of Knowledge Management, Vol. 1 No. 1, pp. 33\u201046."},{"key":"key2022032020342002100_b37","unstructured":"Kliem, R. and Ludin, I. (2000), Reducing Project Risk, Gower Publishing Limited, Aldershot."},{"key":"key2022032020342002100_b38","doi-asserted-by":"crossref","unstructured":"Lawrence, M. (2003), \u201cAre you up to it?\u201d, The Computer Bulletin for Information Systems Professionals, Vol. 45 No. 2, pp. 22\u20103.","DOI":"10.1093\/combul\/45.2.22"},{"key":"key2022032020342002100_b39","doi-asserted-by":"crossref","unstructured":"Li, M., Huang, M., Shu, F. and Li, J. (2006), \u201cA risk\u2010driven method for extreme programming release planning\u201d, International Conference on Software Engineering. Proceeding of the 28th International Conference on Software Engineering, Shanghai, China, May 20\u201028.","DOI":"10.1145\/1134285.1134344"},{"key":"key2022032020342002100_b40","doi-asserted-by":"crossref","unstructured":"Lyytinen, K. (1988), \u201cExpectation failure concept and system analysts' view of information system failures: results of an exploratory study\u201d, Information & Management, Vol. 14 No. 1, pp. 45\u201056.","DOI":"10.1016\/0378-7206(88)90066-3"},{"key":"key2022032020342002100_b41","unstructured":"Mantel, S., Meredith, J., Shafer, S. and Sutton, M. (2001), Project Management in Practice, Wiley, New York, NY."},{"key":"key2022032020342002100_b42","doi-asserted-by":"crossref","unstructured":"Nah, F., Lau, J. and Kuang, J. (2001), \u201cCritical factors for successful implementation of enterprise systems\u201d, Business Process Management Journal, Vol. 7 No. 3, pp. 285\u201096.","DOI":"10.1108\/14637150110392782"},{"key":"key2022032020342002100_b43","unstructured":"NAO (2007), \u201cIdentity and passport service: introduction of e\u2010passports\u201d, available at: www.nao.org.uk\/publications\/nao_reports\/06\u201007\/0607152.pdf (accessed March 14, 2007)."},{"key":"key2022032020342002100_b44","unstructured":"Nunes, M. and Annansingh, F. (2002), \u201cThe risk factor\u201d, The Journal of the Institute for the Management of Information Systems, Vol. 12 No. 6, pp. 10\u201012."},{"key":"key2022032020342002100_b45","doi-asserted-by":"crossref","unstructured":"Orlikowski, W. and Baroudi, J. (1991), \u201cStudying information technology in organizations: research approaches and assumptions\u201d, Information Systems Research, Vol. 2 No. 1, pp. 1\u201028.","DOI":"10.1287\/isre.2.1.1"},{"key":"key2022032020342002100_b46","unstructured":"Pressman, R. (1997), Software Engineering: A Practitioner's Approach, 4th ed., McGraw\u2010Hill, New York, NY."},{"key":"key2022032020342002100_b47","doi-asserted-by":"crossref","unstructured":"Pritchard, C. (2004), The Project Management Communications, Toolkit Artech House, London.","DOI":"10.1002\/9780470172346.ch3"},{"key":"key2022032020342002100_b48","doi-asserted-by":"crossref","unstructured":"Remenyi, D., Williams, B., Money, A. and Swartz, E. (1998), Doing Research in Business and Management: An Introduction to Process and Method, Sage, London.","DOI":"10.4135\/9781446280416"},{"key":"key2022032020342002100_b49","unstructured":"Saunders, M., Lewis, P. and Thornhill, A. (2000), Research Methods for Business Students, Pearson Education Limited, Harlow."},{"key":"key2022032020342002100_b50","doi-asserted-by":"crossref","unstructured":"Shull, F., Rus, I. and Basili, V. (2000), \u201cHow perspective\u2010based reading can improve requirements inspections\u201d, Computer, Vol. 33 No. 7, pp. 73\u20109.","DOI":"10.1109\/2.869376"},{"key":"key2022032020342002100_b51","unstructured":"Small, F. (2000), \u201cMinisterial inquiry into INCIS\u201d, available at: www.justice.govt.nz\/pubs\/reports\/2000\/incis_rpt\/INCIS%20inquiry.pdf (accessed March 14, 2007)."},{"key":"key2022032020342002100_b52","unstructured":"Stufflebeam, D. (2000), \u201cGuidelines for developing evaluation checklists: the checklists development checklist (CDC)\u201d, available at: www.wmich.edu\/evalctr\/checklists\/guidelines_cdc.pdf (accessed March 12, 2007)."},{"key":"key2022032020342002100_b53","doi-asserted-by":"crossref","unstructured":"Sumner, M. (2000), \u201cRisk factors in enterprise wide information management systems projects\u201d, Special Interest Group on Computer Personnel Research Annual Conference Proceedings of the 2000 ACM SIGCPR Conference on Computer Personnel Research, 2000, Evanston, IL, pp. 180\u20107.","DOI":"10.1145\/333334.333392"},{"key":"key2022032020342002100_b54","unstructured":"Taylor, J. (2003), Managing Information Technology Projects: Applying Project Management Strategies to Software, Hardware and Integration Initiatives, American Management Association, New York, NY."},{"key":"key2022032020342002100_b55","unstructured":"Tsui, F. (2004), Managing Software Projects, Jones and Bartlett Publishers, Sudbury."},{"key":"key2022032020342002100_b56","doi-asserted-by":"crossref","unstructured":"Vasconcelos, A. (2007), \u201cThe role of professional discourses in the organisational adaptation of information systems\u201d, International Journal of Information Management, Vol. 27 No. 4, pp. 279\u201093.","DOI":"10.1016\/j.ijinfomgt.2007.02.005"},{"key":"key2022032020342002100_b57","unstructured":"Vidalis, S. (2003), \u201cA critical discussion of risk & threat analysis methods & methodologies\u201d, School of Computing Technical Report CS\u201004\u201003, School of Computing, University of Glamorgan, Wales, available at: www.comp.glam.ac.uk\/staff\/svidalis\/Technical%20Reports\/Threat%20&%20Risk%20TR.doc."},{"key":"key2022032020342002100_b58","unstructured":"Voyages (1996), \u201cUnfinished voyages, a follow up to the CHAOS report\u201d, The Standish Group, available at: www.standishgroup.com\/sample_research\/unfinished_voyages_1.php (accessed March 12, 2007)."},{"key":"key2022032020342002100_b59","unstructured":"Walliman, N. (2001), Your Research Project: A Step by Step Guide for the First Time Researcher, Sage, London."},{"key":"key2022032020342002100_b60","doi-asserted-by":"crossref","unstructured":"Whittaker, B. (1999), \u201cWhat went wrong? Unsuccessful information technology projects\u201d, Information Management & Computer Security, Vol. 7 No. 1, pp. 23\u20109.","DOI":"10.1108\/09685229910255160"},{"key":"key2022032020342002100_b61","unstructured":"Yin, R. (1984), Case Study Research: Design and Methods, Sage, Beverly Hills, CA."}],"container-title":["Information Management & Computer Security"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/www.emeraldinsight.com\/doi\/full-xml\/10.1108\/09685220810879636","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/09685220810879636\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/09685220810879636\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T00:09:05Z","timestamp":1753402145000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/16\/2\/166-186\/184564"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2008,6,6]]},"references-count":61,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2008,6,6]]}},"alternative-id":["10.1108\/09685220810879636"],"URL":"https:\/\/doi.org\/10.1108\/09685220810879636","relation":{},"ISSN":["0968-5227"],"issn-type":[{"value":"0968-5227","type":"print"}],"subject":[],"published":{"date-parts":[[2008,6,6]]}}}