Risk management in IT projects


Every undertaking is associated with opportunities that lead to success and threats that carry the risk of failure. The dynamic development of technology creates development opportunities and potential threats in software development at an equal pace. For this reason, risk management in IT projects is one of the main factors that can determine the success of a digital product.

In an ideal world, any threat could be foreseen in advance, simply to avoid it or prepare to successfully overcome an obstacle. However, this is only a Utopian wish, because we live in a reality where some things cannot be predicted.

Software development definitely belongs to this category of projects, where there is always a certain amount of uncertainty in the undertaking. Each project at Stepwise has a very individual character, and the large number of variables makes it necessary to properly manage risk. Such risk management will allow us to recognize potential threats, assess their effects and plan appropriate preventive actions. Thanks to this, we can significantly reduce the risk of their occurrence, prepare to overcome them and effectively protect our client’s investment.


What is risk in IT projects

Risk is basically any event that may happen in the future and adversely affect the developed undertaking. The risk may never materialize, of course, but the accompanying uncertainty and the possible scale of the problem speak for the need to prepare procedures that will allow us to deal with obstacles and implement the project in accordance with the adopted assumptions.

Risk in IT projects can be defined as a hypothetical event that may occur in the future and cause failure to meet the deadlines, costs or specifications of a digital product. It is also important to determine the scale of a specific risk and relate it to the assumptions and goals of the project. This allows the Stepwise team to better assess to what extent its occurrence is acceptable or what resources will be required to deal with the problem.

An example of a risk in IT projects may be the future scenario of a situation where the main developer leaves the team during the MVP implementation. Another threat could be technology failure or hacking attacks. It is worth noting that due to the variety of potential event scenarios, when managing risk in IT projects, it is necessary to determine the probability of each of them occurring.

Every project is different. Those that are rigidly planned in advance carry less risk. At Stepwise, each project is carefully and individually analyzed using many potential development concepts. With each project carried out, we managed the risk effectively, assuming a large part of the responsibility for the success of the project. Thanks to these experiences, we are not afraid to cooperate on products with a high degree of risk, where not everything is certain. Such projects are the most interesting, and software development gives our specialists a lot of satisfaction.


How is Stepwise dealing with selected risk examples?

  1. Analysis and planning

The individual nature of each software development project requires a thorough analysis of business needs and requirements that a digital product should meet. There is a risk that the development team will misjudge the resources and time needed to develop the software.

Stepwise solution: From the very beginning, we recommend an iterative approach to software development to our clients. We break the global road map (difficult to estimate) into smaller pieces that are easier to keep in check for a wider scope. A project broken into iterations can be estimated much more easily and precisely. When working in sprints, our team (and the client) can closely monitor the progress of work in individual iterations.

  2. Unexpected increase in needs

During the development of the project, it is a natural phenomenon that new problems and expectations towards the product gradually emerge. Even seemingly harmless risks, ignored at the beginning of work, can turn into a barrier over time that will block the smooth development of the product.

Stepwise solution: Our team works on short iterations that can be flexibly managed, but each action is dictated by the broad context of the entire project. For this reason, at the very beginning of cooperation, we try to predict pessimistic scenarios of events, identify as many potential problems as possible and develop effective procedures that will allow you to eliminate the risk on an ongoing basis.

  3. Rotation of employees

A whole team of IT specialists works on the development of digital products. When developers leave the team, they take with them knowledge, competencies and some information about the project that may be crucial for the development of a digital product. As a result, the risk of exceeding the deadlines increases significantly. In extreme cases, such a situation may disrupt the entire project. 

Stepwise solution: Whenever possible, all members of the Stepwise team are involved in all design work, planning, estimation and ongoing documentation of the work. Additionally, as a conscious software house, we deliberately maintain the so-called “Bench”, where our programmers work on internal R&D and, when needed, can support the design work. Knowledge in our organization is decentralized. Even unforeseen changes in the staff do not significantly affect the smooth implementation of projects.

  4. Conflict of requirements

During the course of the project, especially in the early stages of coding and integration, it may turn out that the product requirements do not match the business needs. One of the reasons for this may be communication disagreements between the software development service provider and the client.

Stepwise solution: The Stepwise team works in the Scrum methodology. The customer or the Product Owner selected by them has constant contact with the team to clarify any ambiguities on an ongoing basis. If the problem is more complex, we organize workshops with our specialists. Together, we get to the bottom of the problem and work out the best possible solution.

  5. Productivity level

In projects that are planned to be implemented over a long period of time, developers may be sluggish at the beginning. As a result, valuable time is lost, which may later be needed to refine solutions in a digital product. 

Stepwise solution: At the beginning of cooperation, we collect as much information as possible about what product our client expects. Thanks to this, we can plan a clear work schedule, divided into iterations (sprints). Our specialists focus on the current sprint so that all the functionalities that have been planned are delivered. What’s more, Product Owner, together with the team, constantly monitors the Global Roadmap established at the very beginning of software development. Usually after three sprints it is clear whether the action plan is fully implemented. 

  6. Compromise in project

Programmers’ rush in creating software may result in unnecessary acceleration of the UX or user interface design process. This phenomenon carries the risk of wasting the development potential of the created software. Inaccurate design may only seem to speed up work, but it will create unnecessary clutter and negatively affect the quality and consistency of key elements of the product. As a result, programmers will spend their time on redundant solutions.

Stepwise solution: In our projects, we educate our clients and recommend that as much time as possible be devoted to the precise design of both architecture and UX. Already at this stage, you can eliminate most of the risks related to so-called over-engineering.

  7. “Gold-plating” the product

Developers tend to showcase their skills by adding solutions that add nothing to the product. An example would be the use of the latest technology, which is still in Beta. Such a solution may be innovative, but it may make it difficult or even impossible to use the application by many users (e.g. those who use older devices). If you care about building the global potential of your digital product, you needlessly risk wasting developer hours.

Stepwise solution: We focus on simplicity and a pragmatic approach, understanding that behind every technological challenge there is a business sponsoring the project. Business value is sacred to us.

  8. Project risk

Day-to-day operational activities can be hampered by inappropriate implementation of project processes, unspecified priorities and a lack of a clear division of responsibilities.

Stepwise solution: We maintain a flat structure both in the company and in the project. Stepwise specialists are used to taking responsibility for actions taken and ensure full transparency of work for the client. If something does not go as planned, everyone takes responsibility for it. Less experienced team members have their mentors (to whom they answer), and also program, for example in pairs. 

  9. Technical risk

It happens that software houses limit the functionality of the software in order to fit within the adopted budget or implementation time. There will always be a risk of choosing between the maximum functionality of a digital product and other project performance indicators.

Stepwise solution: To reduce the risks associated with the technical solutions of digital products, Stepwise suggests solutions such as MVP. We apply the Pareto principle, according to which 20% of key system functions are responsible for 80% of end-user satisfaction. Already at the initial stages of cooperation, we try to clearly define what we can do for you. If the client’s budget is limited, we make a list of all the solutions that the product should contain. Then we divide them into three categories of solutions which:

  • we will certainly deliver,
  • there is a good chance that we will deliver,
  • there is a slight chance we will deliver.

  10. Inevitable risk

The project environment is full of inevitable risks which are sometimes very difficult to predict. This includes political changes in the country, changes to the law, as well as obsolescence in software and technology. Software houses undertake more and more complex projects, and software development is developing so dynamically that the related risks are constantly intensifying. For this reason, a strategic approach by software development companies to planning and implementing digital projects becomes so important: it allows for comprehensive and effective risk management in IT projects.

Stepwise solution: At Stepwise, we try to approach risk management holistically, combining many different methods. We examine the client’s needs, go beyond the typical software house scheme and thoroughly analyze its business. Then all our specialists involved in the project discuss together, identify potential problems, assess their impact on the project, estimate the probability and possible consequences of their occurrence. Later in this article, you will learn a lot more about what it looks like and how risk management is involved in the Stepwise software development process.


Selected methods of risk management in IT projects

Risk is an integral element of any project. Risks cannot always be avoided, but there are effective methods of reducing their occurrence and eliminating negative effects.

One of the most common risks in digital projects is the modification of business assumptions resulting from changes in the current needs of customers or from their incorrect formulation. This risk in IT projects can be reduced by preparing appropriate documentation from the very beginning, with action plans to be taken when assumptions and needs change. Project risk minimization involves similar verification of many other potential threats.

Over the years, many solutions have been developed to help manage risk in projects. One of them is COCOMO and Intermediate COCOMO, a model created by Barry Boehm for estimating the number of staff-hours needed to create software. Depending on the planned number of lines of code, projects are divided into easy (max. 50 thousand lines of code), moderate (max. 300 thousand lines of code) and difficult (usually more than 300 thousand lines of code). Project size is closely related to project risk management because the larger or more complex the project, the greater the number and scale of problems that may arise.


Software development consists mainly of:

  • time needed for coding,
  • time needed to build an appropriate architecture and reduce project risk, and
  • time for the so-called rewrite, that is, correcting system errors, or rewriting the code if necessary.


All three factors must be considered in order to properly estimate the resources needed to create a digital product.

For the product to develop efficiently, it is necessary to establish the optimal level of risk management tailored to a given project. Why? Disregarding this aspect may result in negative consequences already during the implementation of the project (e.g. exceeding the budget or time needed to repair the code). But too much focus on all possible problems that may arise in the future will make the project go on forever.

The “Sweet spot” model is used to determine the optimal level of risk management, adjusted to a given project. “Sweet spot” allows us to estimate how much time and work of specialists should be devoted to building the appropriate software architecture and risk management in order to minimize expenditure on project implementation. We get an answer to the question of how much time is needed to rework (correct the code and fix bugs in the system), depending on the time we spend on architecture at various project scales.

The optimal ratio of these variables is shown in the graphs by special points, the so-called “Sweet spots”. “Sweet spots” show us how many percent of the time should be spent on planning architecture and risk management, so as not to incur huge amounts of time and money on software repair. The larger the project, the longer it should take to plan these aspects.

If, for example, we assume that the software development itself will take us 100 days, then according to the above models, we should add about 37% of this period for building the appropriate architecture and time for rework (code improvement and bug fixing). As a result, the entire project may take a total of approx. 150 days. Accurate assessment of such needs at the very beginning of the project allows you to optimally use the customer’s resources and use the best solutions in the project. Thanks to this, we avoid a situation in which instead of an additional 50 days at the beginning of the project, you have to allocate another 100 days to create the software from scratch after its completion, because the number of problems does not allow for an effective repair.

Using such models and research significantly minimizes the risk in IT projects, but it is definitely not enough.


Risk management in Stepwise software development process

The number of threats in IT projects and their scale is influenced by many factors. These may include the technological conditions of the applied solutions. Project risk may also be increased by the software house itself, e.g. due to low team morale or low experience of software developers. Threats are also created for reasons typically dependent on the client, e.g. by involving people in the project whose vision and decisions communicated to the software supplier differ from the assumptions of the employer (communication mistakes within the organization). 

The strategic and holistic approach to planning and solving potential problems at Stepwise allows us to maintain a high quality of risk management at every stage of software development. Together, we are able to identify risks that the client missed or that one person could not capture. What is the risk management process at Stepwise?


Risk management at Stepwise consists of the following steps:

  1. Risk management planning

Each project is different, so we approach them individually. At the beginning, we plan risk management and design the architecture. Comprehensive estimation of the resources necessary for the implementation of the project, in accordance with the “Sweet spot” model, should include the optimal ratio of time spent on architecture and threats to the time spent on code development and rework. To increase the effectiveness of risk management, Stepwise combines different methodologies and approaches. Such flexible hybrid methods are easily adapted to the individual conditions of each project. 

  2. Risk identification

The entire team of IT specialists jointly identifies potential threats that may adversely affect product development. We use brainstorming, so that we are able to find most of the risks in the software development process. However, we work on facts, which is why we thoroughly analyze the business, plans and assumptions of the project as well as all available documentation beforehand, searching for potential threats.

  3. Qualitative risk analysis

Once the project risks are identified, we evaluate the likelihood of their occurrence and the possible effects of such events. This allows us to determine how real the individual threats are. As a result, we can determine which of them can harm the client the most in the software development process.

  4. Quantitative risk analysis

At this stage, we clarify the existing arrangements. At Stepwise, we try to estimate the specific scale of the problems and verify the amount of outlays or reserves necessary to overcome potential obstacles. These activities help us assess the chance of implementing the project in the assumptions made at the beginning (in the adopted budget and deadlines).

  5. Planning risk response

Planning a risk response is a key step in effective risk management in IT projects. Stepwise, together with the client, makes decisions on the selection of specific strategies aimed at solving previously found problems and increasing the chance of implementing all assumptions of the project in accordance with the initial plan.


The most common risk response strategies are:

  • Acceptance of risk – a conscious decision of project managers to accept the possibility of a problem and bear its consequences. Active acceptance is accepting the risk but preparing an appropriate action plan or a retreat plan when the risk comes true. Passive risk acceptance is accepting awareness of the potential risk and taking no remedial action.
  • Risk mitigation – involves taking specific actions to reduce the likelihood or effects of a given threat. For example, in the event of an increased risk of hacker attacks, the system can be moved to the cloud: the use of Google Cloud Platform and special system security solutions can significantly reduce the risk of an attack or its consequences.
  • Risk Avoidance – there are several approaches to avoiding a problem. A manifestation of avoidance may be postponing activities in time and taking them only when the problems become complicated, or the abandonment of certain assumptions or applied solutions. Another manifestation of risk avoidance is the replacement of some solutions or technologies with completely different ones. An example of the use of avoidance is also the creation of an MVP (Minimum Viable Product), focusing on the key functions of the system, which postpones the remaining functionalities. Thanks to this avoidance, we can focus on the most important aspects of the software, instead of spending time and money on things that are much less important at this stage.
  • Transfer of risk – this is when responsibilities and duties are transferred to someone else. This is the strategy that Stepwise customers use. By starting cooperation with us, the client transfers to us a large part of the responsibility and risk related to the software development process.


  6. Monitoring and controlling the risk

At this stage, Stepwise implements the risk management plan, monitors the occurrence of individual problems, assesses the effects of preventive actions, improves the plan and constantly looks for new potential risks in the project. Consistent monitoring and control allow you to constantly improve the risk management processes in the IT project.



Risk management in IT projects seems like a series of independent activities. In fact, however, it should be treated as a repetitive process that can loop even several times during the implementation of digital projects.

The purpose of risk management in software development is to obtain the information necessary to specify the goals of the project (costs, implementation time and a list of product technical requirements). By managing potential problems, Stepwise is much better able to manage the project and develop it much more efficiently, regardless of external conditions.

Every IT project carries the risk of failure. Proper management of this risk, thorough knowledge and understanding of specific problems that may occur, greatly increases the chances of the success of the undertaking.

Adequate specification of potential risks, determining their probability and scale allows us at Stepwise (and our clients) to thoroughly understand the threats, make better decisions and set priorities that will accelerate the effective implementation of projects.

Risk management in IT projects should be an integral part of every project. Even the best plan cannot predict all possible events and their consequences. That is why the right approach to managing those threats that we are able to identify is so important. Risk management at Stepwise allows you to prepare mentally and technically for many unexpected events. Our approach gives space for action and allows customers to make the right decisions to minimize possible losses and maximize the chances of product success.
