IT Project Management Discipline isn’t working!

In 1994, the Standish Group dropped a bombshell on the rapidly growing IT industry by publishing the gob-smacking rate of only 16% successful IT projects in the prior 12 months. They suggested that the reason was a lack of project management discipline for IT projects, akin to the kinds of project management discipline that engineers use to build skyscrapers, cruise liners and bridges. Standish’s conclusion: “IT needs its own project management methodology and the skills and tools to deploy it!”

The impact was dramatic. A number of efforts began across the world to develop a suite of standards and methodologies that could help project managers and their stakeholders improve the chance of IT project success. Some (e.g. PRINCE2) were based on embryonic existing methodologies, whilst others were genuine efforts to develop new methodologies from the ground up.

Over the first few years of the Standish Group results, the new project methodologies were still maturing and adoption was slow. Most practitioners did not hear of PMBOK or PRINCE2 until some 4 or 5 years later, so widespread adoption of these methodologies (and therefore their potential impact) lagged their development. However, that initial report was 25 years ago now and we have since developed globally-adopted and widely practiced standards in (i) project management, (ii) program and portfolio management, (iii) business analysis, (iv) change management and (v) benefits realisation. Indeed, an entirely new multi-billion dollar education, training and certification industry has arisen to service this apparently pressing skills gap.

So, if Standish was right and it was methodology and project discipline that was the problem, then we should by now see a significant improvement in IT project success hit rates. So let’s take a look:


Analysis: The first few Standish Reports had changing definitions and sampling frames which explains the initial fluctuations particularly between the “challenged” and “failed” categories. However, eventually the rate of “failed” projects has settled to around 20%, “challenged” to around 45% and “succeeded” to around 25%. What looked like improvements up to 2012 have since turned around and have generally headed in the wrong direction for the last few years. Some have suggested the apparent improvements up to 2012 were actually due to the increased proportion of smaller projects in the survey (particularly post-GFC). Smaller projects have always shown a higher rate of success throughout the entire period. Indeed comparing 1996 vs 2015 shows an increase of just 2% of projects successfully completed (27% to 29%).

A 2% improvement is scant justification for the enormous investment in training, standardisation, certification, discipline and management effort. The project management education industry is now a multi-billion dollar industry globally, but as far as we can tell from the above analysis, it is not contributing to improved IT project success rates. If so, then how is all of this investment and effort contributing to the economy beyond John Maynard Keynes’s hole diggers?

We humans do a lot of things because they sound right. If it has a good story (see Beware of the “just-so” Use Case Stories), that’s good enough for entire industries and academic disciplines to continue working away for years and even decades before it’s noticed that it is all based on nothing tangible. I’m afraid that the evidence is in:

Project Management discipline has not improved the success rate of Corporate IT projects!!

A common reaction is to just do things harder. The story that project discipline improves projects must be true. So the lack of empirical results is simply evidence of a lack of effort/discipline/application: If we just hired a more qualified/experienced/talented project manager…if we just documented user requirements more thoroughly!…if we just applied more management effort toward realising the benefits in the business case! “The floggings will continue until morale improves”. No! The problem is that Standish, even though it sounded right at the time, has proven to be wrong and there are other (much more important and prevalent) causes for such widespread IT project failure rates. So we must look more widely for clues as to why we still have such high project failure rates. I believe some clues can be found here (over-generalisation of success in different domains) and here (the planning fallacy).

Do you agree that project management methodologies have been oversold as a panacea for IT project failure rates?


Privacy for Corporations

Are Corporations People?

“Corporations are people, my friend” said Mitt Romney in 2011 during his ultimately unsuccessful presidential campaign against Barack Obama. But we all know that he is not correct. Corporations (or any disembodied entity like companies, trusts, partnerships etc.) cannot be embarrassed about an unexplained lump on an inconvenient body part, or feel the need to hide a secret love of Rick Astley tunes from their friend group, or, perhaps more importantly, have a need to suppress public knowledge of racial or cultural origins, a current or prior disability or of a personal religious belief for fear of vilification. Nor can they have their liberty curtailed by spending time behind bars for breaking the law.

What is Privacy Protection For?

Indeed, privacy is primarily about these issues. Privacy helps protect minority individuals from persecution by ensuring that they are the only ones who can reveal their private information, to whom they desire and if and when they so choose. The other purported benefits, such as protection from identity theft or reduction in being hassled by telemarketing companies, are in fact primarily treated via other legislation. Note that the right to ensure that data held about you is accurate (and therefore that decisions based on it are well informed) is related to privacy, but does not actually relate to the right to have that data restricted from distribution.

Fair Use vs Privacy

Fair use (not privacy) is the concept that it is a form of con job if you ask for someone’s information for one purpose and then use it for another purpose, which may be harmful to that person. The idea is that if the person had known the secondary purpose was a potential use, and that the secondary use may result in a negative outcome for them, then they must be allowed to have chosen to restrict the provision of the information in the first place. But what if the secondary use is for regulatory compliance checking or criminal investigation? If such information collection is compulsory, then the individual could not have chosen to withhold it from the second use. So secondary use, in such cases, is simply a more efficient method than compulsorily re-asking for the same information.

Privacy as a means to hide criminal activity

Privacy rights do not confer on an individual (or their agent) the right to restrict access to information based on the argument that it may reveal the individual’s illegal activity and therefore result in a negative outcome for them. This is called obstruction of justice. So, if a regulator or police investigator is attempting to detect, prevent or discourage illegal activity, individuals do not have the right to prevent data about them being used for this purpose. This is doubly so for corporations, partnerships, companies, trusts etc. Firstly, privacy does not apply to these disembodied entities, as explained above, and secondly, these organisations are simply legal entities which possess publicly recognised and accepted associations between multiple individuals. These associations (e.g. a corporation) and the entity’s rights and privileges are bestowed by community licence. Therefore their privacy is anathema to the community’s ability to oversee whether the community licence should continue to be granted.

Privacy should not be granted to corporations (only to the individuals inside them)!


This is particularly important for regulators, whether they be regulators of markets, industries, elections or parts of government. If they are conducting regulatory compliance assessment activity, they are looking for non-compliance with regulation. Mostly this concerns the actors within a market or industry that are corporations or are, at most, individuals as it pertains to their activity in a market. None of this should be considered private information. So regulators, government agencies and 3rd party data holders should be able to share data about corporate activity without having to consider the corporation’s “privacy”. Even a sole trader’s data will only be of interest in so far as it relates to the sole trader’s activity in the market. Such activity needs to be transparent to regulators and so it, too, should not be subject to privacy.

Similarly, corporations cannot claim commercial-in-confidence, as regulators are not competing with them. Such data, of course, should not be shared by regulators with competitors nor shared publicly, but it can be safely used for regulatory compliance analytics work.

If the data required to assess regulatory compliance is inextricably intertwined with an individual’s preferences for Rick Astley tunes, then we may have a problem.

So does your organisation separate the information about individuals from that of disembodied entities (e.g. corporations) and treat these cohorts differently with regard to privacy legislation, or is it all treated in the same way?

This article is the second in a Regulatory Analytics series. The first, titled Auto-Compliance, is about the concept of Presumed Omniscience and the power this confers to make markets and other community interactions fairer and more productive.