ITAudit

BY SAM KHAN EDITED BY STEVE MAR

WHY IT PROJECTS FAIL

T
help improve the
success rate of echnology plays a used, while others fall short objectives (Standard 2110:
vital role in any orga- of achieving the original Governance). IT governance
technology initiatives.
nization’s strategic business intent. Despite this should address the progress
initiatives, yet every high failure rate, some orga- and decision-making of proj-
year countless initiatives fail nizations have found ways ects. At Volkswagen, gover-
to deliver value. Take Cover to deliver more projects on nance failed at the highest
Oregon, a $305 million time, on budget, and with levels, while there was no
health insurance exchange better outcomes. The Proj- single point of authority
website intended to help ect Management Institute’s overseeing its development
people find, and sign up (PMI’s) 2018 Pulse of the at Cover Oregon. These
for, health coverage. When Profession report calls these findings resonate with PMI
it failed in 2014, the state organizations champions research reports that show
resorted to paper forms and because of their 92 percent that an actively engaged
hired hundreds of workers to average success rate. Internal executive sponsor is a lead-
enroll people manually. auditors can learn from both ing factor in project success.
Such failure is not lim- the failures and successes of
ited to business applications. these organizations. Measuring Progress Proj-
Today, a new car has more ects do not fail overnight,
lines of code than Microsoft Governance but employees often do not
Office, and project failure can Governance is about mak- accurately report project
lead to death or, in the case of ing good decisions. Many status information or speak
Volkswagen, fraud. The com- organizations have an IT up when they see problems,
pany’s diesel emissions scan- governance function, which a Spring 2014 MIT Sloan
dal has cost it $30 billion. provides a formal structure Management Review article
Over the past two for aligning IT strategy asserts. According to “The
decades, about 70 percent with business strategy. The Pitfalls of Project Status
of IT projects have failed, International Standards for Reporting,” when employees
according to the Standish the Professional Practice of see negative outcomes for
Group, a Boston-based firm Internal Auditing requires others who have delivered
that researches software internal auditors to make bad news, they may fear that
development project perfor- sure IT governance sustains executives will “shoot the
mance. Some of these proj- and supports the orga- messenger.” Such was the
ects are canceled and never nization’s strategies and case at Volkswagen. Rather

SEND ITAUDIT ARTICLE IDEAS to Steve Mar at steve_mar2003@msn.com

16 INTERNAL AUDITOR APRIL 2018

than telling management that the engineers could not meet from using four vendors and numerous specification changes
the emission standards, they modified the software to manip- led to failure.
ulate the results, according to a whistleblower’s account. The most effective way to reduce complexity is to limit
Successful organizations do not hide problems. They the size of the project, the Standish Group advises. Based on
have a culture that encourages people to bring problems into evaluating more than 50,000 IT projects, the firm’s research-
the open where they are solved quickly. Internal auditors ers found that a small project, consisting of six team mem-
should assess the culture around project reporting to ensure it bers and completed in six months or less, works best. The
is transparent and honest. firm recommends turning large projects into a series of small
ones, which can dramatically increase the chances of success.
Decisions A $10 million IT project will have approximately Research from the Boston Consulting Group aligns with
15,000 decisions, the Standish Group estimates. With each these findings. The firm has developed an online tool called
bad decision, the odds of success diminish. Yet, the most criti- DICE that internal auditors and organizations can use to
cal decision is whether to start the project at all. For Cover assess the readiness of a project based on four elements:
Oregon, this first decision could have changed the outcome of ɅɅ Duration, or the interval between the project’s major
the project. The organization opted to develop a web applica- “learning milestones” if it lasts six months or longer.
tion from scratch when an existing solution was available. ɅɅ Performance integrity of the project team. This element
Internal auditors should review the criteria organizations encompasses both the overall skills and traits of the
use for evaluating, selecting, prioritizing, and funding IT team, and how the team has been configured.
investments. Decision-makers need an accurate picture of the ɅɅ Commitment to change shown by the senior manage-
resources needed for each proposed project, but estimating ment and the people actually undergoing the change.
these resources is difficult. People tend to be overly optimis- ɅɅ Additional local effort above normal working require-
tic. This is known as the planning fallacy, which can lead to ments that is needed during implementation of those
time overruns, cost overruns, and benefit shortfalls. undergoing the change, as opposed to the project team.
Internal auditors should counteract the planning fallacy
with a stress test. Research from Bent Flyvbjerg and Alex- Lessons Learned
ander Budzier, published in the September 2011 Harvard Although lessons learned are an important part of the project
Business Review, found that one in six of the nearly 1,500 management life cycle, it often is the most ignored part of a
IT projects they studied had a 200 percent cost overrun project. Organizations with poor success rates do not have
and almost 70 percent had a schedule overrun. Based on a good process for identifying and applying lessons to new
this data, they devised a stress test. An organization should projects. Many organizations have not established a repository
proceed with a large IT project only if it can absorb a budget for sharing knowledge across the business. As a result, valuable
overrun of 400 percent and is comfortable only achieving knowledge can be lost or forgotten and projects continue to
25 percent to 50 percent of the projected benefits. fail for the same reasons. Internal auditors can review whether
the organization has a culture of learning from mistakes and
Complexity how it shares and applies that knowledge to future projects.
Organizations also should consider ways to reduce the proj-
ect’s complexity. Technology is rarely the cause of project fail- Improving Success Chances
ure. It is the complexity of other factors that lead to failure. Despite the high risk of IT project failure, internal auditors
When planning any change initiative, the organization needs can help their organization beat the odds by reviewing the
to consider the impact the project may have on the existing governance, complexity, and lessons learned from projects.
organizational culture, the training resources needed, the Specifically, they should evaluate the risks related to large
effect of new regulations, changes to the business environ- technology projects and perform health checks during key
ment, the effort to change business processes, and how the project milestones defined in the project plan. Moreover,
organization will manage vendor relationships. they should benchmark the organization’s current project
Often, these factors fall prey to the planning fallacy, success rate against the PMI Pulse of the Profession. A future
which can quickly increase the complexity of a large IT proj- of more successful technology initiatives starts with improved
ect and reduce the chances of meeting the original business controls today.
intent. An example is the 2013 U.K. National Health Service
System, which overran costs by £11 billion ($15.3 billion) SAM KHAN, CISA, CRISC, is senior IT auditor at Oregon State
and was delivered nine years late. The complexity resulting University in Corvallis.

APRIL 2018 INTERNAL AUDITOR 17