If you’ve spent time in IT delivery—whether implementing enterprise systems, integrating platforms, deploying cloud infrastructure, migrating data, or building custom solutions—you’ve probably wondered whether formal risk management truly earns its keep. IT work moves quickly. Requirements shift. Stakeholders rethink priorities mid-flight. Against this backdrop, structured risk processes can feel heavy, slow, or mismatched to the realities of modern IT delivery.
It is easy to justify skipping them. Your project may seem small. Your team may feel experienced. The technology might appear flexible enough to handle surprises. But recent research shows that these assumptions can be dangerously misleading.
A major new study comparing IT projects with 22 other types of large-scale projects demonstrates that IT work is not just risky—it is, by a significant margin, the most unpredictable and extreme-risk project category operating today.
Across a dataset of 11,011 projects, including 5,360 IT projects, the authors set out to test a straightforward question: Are IT projects fundamentally riskier than other forms of complex, high-value project work? The evidence indicates that they are.
1. IT projects exhibit uniquely extreme cost risk
Statistical modelling revealed that IT projects are the only category whose cost-overrun behaviour falls into the most extreme risk class. In practice, this means IT projects behave in a way that makes their outcomes impossible to reliably forecast using conventional methods. This is not a matter of being “a bit riskier” than construction or mining; the distribution of IT cost outcomes is mathematically different.
2. IT projects succeed often—but fail catastrophically
A striking nuance in the data is that many IT projects do finish on or near budget. However, when they fail, they fail spectacularly. A non-trivial proportion of IT projects end up with cost overruns large enough to overwhelm portfolios, derail organisations, or collapse programmes outright. These outsized failures—rather than the typical mid-range outcomes—define the true risk landscape of IT.
3. Six drivers explain why IT risk behaves this way
Four long-recognised factors are confirmed in the study:
Immaturity: IT lacks the deeply standardised engineering disciplines found in older fields.
Intangibility: Progress is hard to see, problems often surface late, and integration issues propagate unpredictably.
Goal ambiguity: Requirements are fluid, often incomplete, and frequently reinterpreted.
Stakeholder resistance: IT projects reshape processes and power structures, creating organisational friction.
The study adds two further explanations grounded directly in the data:
Bespokeness: Unlike modular industries, IT solutions are typically custom-built or heavily tailored, increasing volatility.
Think-fast decision making: IT projects are often planned and executed under speed and pressure, amplifying cognitive bias and optimistic assumptions.
Together, these drivers interact to produce the fat-tailed, nonlinear pattern of outcomes observed in the research.
IT projects do not behave like other projects. They cannot be reliably forecast using averages, historical norms, or intuition. Their risk profile is shaped not by the typical project but by the unusually large failures that loom in the tail of the distribution. For CIOs, project directors, and delivery leads, this means:
You cannot assume your project is “normal.”
You cannot depend solely on experience or gut feel.
You must build processes that anticipate extreme, low-frequency, high-impact events.
This is exactly where structured risk management becomes essential—not as a bureaucratic add-on, but as a core defensive mechanism against mathematically inherent volatility.
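To make the tail-risk argument concrete, the following Python simulation is an added illustration; it is not from the article, the cited study, or ProjectBalm, and the distributions it draws from are constructed for the example (a normal model standing in for a thin-tailed project type, a Pareto model with shape 1.5 standing in for a fat-tailed IT-like profile; the parameters are assumptions, not figures from the research). It shows why a budget planned on the average overrun holds up for the thin-tailed case and is routinely blown through in the fat-tailed one, and why a handful of extreme projects carry most of the total overrun.

```python
import random
import statistics

# Constructed example parameters (assumptions, not values from the study).
SEED = 2025
N = 20_000


def thin_tailed_overruns(n=N, seed=SEED):
    """Overrun factors (actual cost / estimate) from a normal model:
    centred on 1.3 (30% over), sd 0.2, floored at 0.5. Thin tail."""
    rng = random.Random(seed)
    return [max(0.5, rng.gauss(1.3, 0.2)) for _ in range(n)]


def fat_tailed_overruns(n=N, seed=SEED, alpha=1.5):
    """Overrun factors from a Pareto model with shape alpha=1.5: the mean is
    finite but the variance is infinite, so a few projects can dwarf the rest."""
    rng = random.Random(seed)
    return [rng.paretovariate(alpha) for _ in range(n)]


def tail_profile(overruns, top_fraction=0.05):
    """Where does the risk sit? Returns mean, median, P90 and the share of the
    total overrun (cost beyond estimate) carried by the worst `top_fraction`."""
    xs = sorted(overruns)
    n = len(xs)
    excess = [max(0.0, x - 1.0) for x in xs]  # spend beyond the estimate
    total_excess = sum(excess)
    k = max(1, int(n * top_fraction))
    top_share = sum(excess[-k:]) / total_excess if total_excess else 0.0
    return {
        "mean": statistics.fmean(xs),
        "median": statistics.median(xs),
        "p90": xs[int(0.9 * n)],
        "top_share": top_share,
    }


def portfolio_bust_rate(overruns, portfolios=2000, size=20, headroom=0.5,
                        seed=SEED + 1):
    """Plan a portfolio budget from the historical mean overrun plus `headroom`
    (default 50%), then resample fresh portfolios of `size` projects from the
    same history and count how often the actual total exceeds the plan."""
    rng = random.Random(seed)
    planned = size * statistics.fmean(overruns) * (1.0 + headroom)
    busts = 0
    for _ in range(portfolios):
        actual = sum(rng.choices(overruns, k=size))
        if actual > planned:
            busts += 1
    return busts / portfolios


if __name__ == "__main__":
    for label, sample in (("thin-tailed", thin_tailed_overruns()),
                          ("fat-tailed", fat_tailed_overruns())):
        prof = tail_profile(sample)
        print(f"{label:12s} mean={prof['mean']:.2f} median={prof['median']:.2f} "
              f"p90={prof['p90']:.2f} top5%_share={prof['top_share']:.2f} "
              f"portfolio_bust_rate={portfolio_bust_rate(sample):.3f}")
```

In the thin-tailed case the mean and median almost coincide, the worst 5% of projects account for a small slice of the total overrun, and a 50% contingency on top of the historical average is never breached. In the fat-tailed case the mean sits far above the median, the worst 5% carry roughly half of all overrun cost, and the same contingency is blown through in a meaningful fraction of portfolios, which is the practical meaning of "cannot be reliably forecast using averages".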
Because IT risk is dominated by tail events, informal approaches are insufficient. A dedicated risk-management tool offers the visibility, consistency, and discipline required to manage the distinctive volatility of IT initiatives.
Such a tool helps teams:
spot compounding risks early,
monitor dependencies and integration points,
track requirement drift and scope creep,
identify stakeholder issues before they escalate, and
ensure structured escalation and ownership across the organisation.
In short, IT projects fail differently—and often more dramatically—than other project types. A professional, well-integrated risk management practice is one of the few ways to meaningfully protect against this.
And this is why we created Risk Register by ProjectBalm.
Our goal was to automate best practice risk management techniques, and do so via an elegant, usable interface that works with you, and not against you. Risk Register will help you to identify, analyse, treat and monitor risks more easily and effectively than ever before.
If you are experienced at risk management, you will find in Risk Register a tool that works the way you want it to work. If you are new to risk management, our documentation and videos will take you through the whole risk management process, giving lots of useful examples.
Risk Register is fully compatible with risk management standards such as ISO 31000, and can also be used for governance, risk, and compliance (GRC) programs such as Sarbanes-Oxley and PCI. And, of course, Risk Register allows you to easily distinguish between opportunities and threats.
Over the last few years, we've grown to become the most popular risk management solution in the Jira marketplace and we are now an Atlassian Platinum Partner. Why not try out Risk Register by ProjectBalm for yourself?
Reference. Flyvbjerg, Bent, Alexander Budzier, Jon Aaen, Mark Keil, and M. Zottoli. “The Uniqueness of IT Cost Risk: A Cross-Group Comparison of 23 Project Types.” Project Management Journal, July 7, 2025.
Craig Schwarze _ProjectBalm_
Founder at ProjectBalm
Sydney