Hurdling Risk

Hurdling Risk

Botched or cancelled IT projects cost companies enormous amounts of money.

Applying some basic principles of finance to your IT investments will help you better manage these risky ventures As any investor knows, stocks are riskier investments than bonds. Investors thus require a higher rate of return for investing in stocks. In fact, most investors are risk averse -- for a small increase in risk, they need a large increase in expected return. The additional amount added to a return to compensate investors for risk is referred to as a risk premium. Just as stock investors expect higher returns to compensate for taking on higher levels of risk, executives should factor in the potential for risk as well as for return when deciding whether to fund an IT project. Yet most companies do not apply these basic finance principles to IT investments, especially to internally developed software projects, which are inherently some of the riskiest investments they make.

Hurdle Rates

A hurdle rate is the minimum ROI a company requires for investments. If the projected ROI on a proposed project is greater than the hurdle rate, the project is considered a desirable use of funds. If the projected ROI is less than the hurdle rate, the project will be given lower priority. Hurdle rates are set somewhat arbitrarily, but those who set rates usually try to take risk into account. This is why hurdle rates for IT investments are usually higher than the cost of capital. Not all companies use hurdle rates, of course, and some industries use them more than others. "Manufacturing firms tend to have more of a hurdle-rate mentality. Service firms have less of one," says Ron Shevlin, senior analyst in the leadership strategies service of Forrester Research in Cambridge, Massachusetts. He also notes that hurdle rates are inappropriate for most infrastructure investments because some are not optional; therefore ROI doesn't apply (and a hurdle rate is thus not a decision criterion). Additionally, some analysts argue that because an ROI calculation does not always include the intangible benefits of some projects, strict adherence to a hurdle rate would discriminate against such projects.

But many companies do use hurdle rates as a guideline for some or even all of their IT investments. The fact is that many IT investments are optional and are proposed primarily to reap some economic benefit. In such cases a hurdle rate is a completely valid decision criterion.

The problem is that most companies do not adjust the hurdle rate for risk nearly enough. Estimates of average hurdle rates vary widely. "The typical hurdle rate for IT investments is in the range of 15 per cent to 18 per cent for the North American firms we talked to," says Bruce Stewart, vice president in the management strategies and directions service of GartnerGroup in Stamford, Connecticut. Thomas Oleson, research director at Framingham, Massachusetts-based International Data Corp, provides a higher range: "The [US] hurdle rates I looked at were more in the 30 per cent to 50 per cent range, depending on the nature of the application." Oleson attributes the higher numbers to a possible difference in IDC's clients. DHS & Associates' research, on the other hand, uncovered few hurdle rates above 30 per cent. If the risk premium is fully incorporated into the hurdle rate, we find that these hurdle rates may be far too low. IT investments are risky -- there are uncertain benefits, potential cost overruns and possible cancellations. In fact, the cancellation rate of large projects exceeds the default rate of most junk bonds. (See "IT Cancellation Rates".) Unless US hurdle rates begin to reflect these risks, companies will continue to gamble their money on IT projects that, with better risk management, they might have nixed at the starting gate.

Risk and Return

One way to assess whether IT investments are worth the risk is to borrow a graphing technique from modern portfolio theory (MPT), the science of portfolio management developed in the 1950s. MPT shows, among other things, how one can derive the risk and return of a portfolio given the risk and return of the individual investments and how to optimise the investments of a portfolio for a given risk and return. I asked executives how they'd evaluate an IT investment of about $3 million and plotted how high an expected return they'd require before investing, given different probabilities of a negative return. As you can see from "Risk/Return Profiles", the CFO of this insurance company would accept a 15 per cent chance of a negative return if the expected return -- the probability-weighted average of all possible returns -- was about 50 per cent.

The CIO, on the other hand, would need about a 150 per cent return for a 15 per cent chance of a negative return. The "just barely acceptable" points on the resulting graph delineate the investment boundary, or the risk aversion (or risk tolerance) of each executive. Taking these risk/return profiles at face value and comparing them with some of the known risks of IT has an interesting consequence. Consider the cancellation risk of projects shown in "IT Cancellation Rates". Depending on a company's cost per work month, a $3 million software development project may require about 300 to 500 work months of effort. Based on data from Capers Jones, chairman of Software Productivity Research in Burlington, Massachusetts, who has been tracking several thousand software development projects in a database, this project would have a 25 per cent to 30 per cent risk of cancellation. If we plot the chance of cancellation, which counts as a negative return, against some risk/return profiles (shown on page 53), we see that a risk-adjusted hurdle rate could easily be 100 per cent or higher. In fact, the CIO and CFO profiled in the chart apparently consider this risk too high even for a return of 300 per cent.

And remember that cancellation is not the only possibility for a negative return as uncertain costs can exceed uncertain benefits. This means that the real hurdle rate of the company -- adjusted for risk -- could easily surpass 100 per cent or more for a $3 million investment. Can this be right? Are the real hurdle rates for some projects in excess of 100 per cent? The only way to deny this is to either argue that IT risks are actually not that high or that the subjective risk/return preferences for the investors are off-base and should be much more lenient. The problem with the first objection is that much empirical evidence supports the fact that IT investments have significant chances of cancellation, cost-overruns and unrealised benefits. Your company may be one of the exceptions because some organisations will do better than average. On the other hand, some firms will do worse. The problem with the second objection is that if we compare the risk aversion of executives purchasing IT to the risk profiles of other types of investors we find that they are not at all out of line. In fact, many IT purchasers are relatively risk tolerant when compared to other investors.

IT Portfolios and Risk

MPT suggests that the risk of portfolios with a few large investments is much more than the risk of portfolios with several small investments. One can always diversify risk by spreading it out among several types of investments.

Unfortunately, IT portfolios are not typically diverse. Often the one or two biggest IT investments in a company make up more than half of the portfolio with the rest of the portfolio made up of projects of decreasing size. You may accept a 20 per cent chance of a negative return to achieve a 25 per cent expected return for an investment of $500,000, yet your required return for a $50 million investment would be much higher than 25 per cent for the same chance of a negative return. Ironically, even as you become more risk averse for larger investments, risk increases as IT investments become larger. (See "IT Cancellation Rates".) This compounding effect means that even hurdle rates of several hundred per cent are possible for the largest projects in a portfolio. It is also possible to have a project that is so large and risky that no expected return -- no matter how large -- would compensate the investor for the risk.

Consequences for Decision Makers

When evaluating software development projects, using a fixed hurdle rate that does not change with risk is dangerous. Because various sized projects have different risks, hurdle rates need to be adjusted on a project-by-project basis. Companies that begin to use hurdle rates will find that many of the projects they approved in the past are no longer acceptable. For instance, a project with a 55 per cent ROI may now look a lot less attractive when risk is considered. But that doesn't mean that decision makers must invest in fewer IT projects. Instead, they should manage the risk directly. (See "Risk-Busting Strategies".) IT investments are among the riskiest investments a business can make. Any hurdle rate that does not fully account for risk puts the investor in the dangerous position of accepting too much risk in the firm's IT portfolio.

And unless companies start managing risk better, they will be forced to require astronomical hurdle rates or get far too little return on their IT investments.

Douglas Hubbard is director of applied information economics with DHS & Associates in Rosemont, IllinoisRisk-Busting StrategiesSome tried-and-true methods of managing the risk of IT projects 1. Focus on smaller projects that have a higher chance of being delivered successfully.

2. Defer major projects until your company has gained the necessary skills to carry out those projects.

3. Defer major projects if the organisation is unstable or future mergers, spin-offs or changes in leadership make the successful completion of the project uncertain.

4. Consider breaking up large projects into smaller projects that incrementally develop improved versions of software projects instead of putting your eggs in one basket with one big version 1.0. 5. Present the risk-adjusted evaluation of proposed software to users and developers so that runaway gold plating -- adding lots of bells and whistles with limited benefits -- of software will be discouraged.

6. Think about buying packaged software rather than developing software internally, even if the packaged software may not fit perfectly.

7. Hedge against project losses by asking software vendors and consulting firms to assume more risk with fixed bids, lateness penalties or other types of insurance.

8. Reduce the uncertainty of IT projects further by aggressively measuring unknown quantities, such as expected productivity benefits -- D Hubbard

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about EmpiricalForrester ResearchIDC Australia

Show Comments