過去15年來，資訊專案的失敗率一直居高不下，實務界和學術界一直很想改善這樣的狀況，因此資訊專案的風險管理在這幾年一直是備受矚目的議題。過去研究主要是著重在找出資訊專案中的潛在風險以及針對這些潛在風險所採取的方法。然而，最近研究顯示資訊專案的發展過程應為動態行為，且風險不單是來自於技術層面，也來自組織人為層面。本研究旨在探討系統軟體發展過程中技術面和人為面的風險演化行為。本研究利用訪談收集資料並輔以內容分析法進行資料分析。參與本研究的訪談對象主要來自10家公司的18位受訪者。研究結果顯示專案風險主要是圍繞在結構方面的議題，且不論是在同階段或不同階段間，各類風險彼此間會相互作用。此外，研究發現也指出，不同專案背景具有不同的風險演化行為以及不同的管理方式。當專案成員來自同組織且專案目標一致時，專案的風險管理不僅以結構議題為控管重心，且控管方式從專案開始即著手進行。反之，當專案成員來自不同組織時，因專案目標不同，雖同樣以結構議題為控管重心，但實際控管行為卻是在專案進行中間才開始進行。此研究希望能解釋這些風險類別在軟體發展過程中的動態關係，專案管理者也可藉此進一步了解發展過程中的風險是如何影響專案成敗的結果，並據此適當調整專案資源以制定切實可行的專案風險管理計畫。

Many research have engaged in software risk management initiatives to lead to fewer IS project failures. However, relatively little research attention so far seems to have been devoted to a consideration of the dynamic of risk evolution in the software development process. Therefore, the aim of this article attempts to explore how the software risks evolve in the system development process. The research methods involved interviews and content analysis. Eighteen participants of ten companies participated in the study. Results of this study showed that risk components surrounded structure issues and had interactions with each other whether in the same or different phase of the software development process. The major findings suggested that project context had influence about risk evolution and management process. To conclude, this study may be of importance in explaining the dynamic relationship between those risks in the software development process, as well as in providing project managers with a better understanding of how risks about development process relate to their project outcome.

Contents
1	Introduction	1
2	Literature Reviews	3
2.1.	Risk Management	3
2.2.	Risk in Systems Development Life Cycle	8
2.3.	Risk in the Socio-Technical Change Model	13
3	Research Model	18
3.1.	Planning Phase	18
3.2.	Analysis Phase	20
3.3.	Design Phase	22
3.4.	Implementation Phase	24
4	Methodology	27
4.1.	Research Design	27
4.2.	Sampling and Data	28
4.3.	Interview	31
4.4.	Content Analysis	34
5	Results	38
5.1.	Risks in the planning phase	43
5.2.	Risks in the analysis phase	46
5.3.	Risks in the design phase	49
5.4.	Risks in the implementation phase	52
6	Discussion	55
6.1.	Type 1 – Product manufacture & Organization system	57
6.2.	Type 2 – System supplier	60
6.3.	Type 3 – Tender case	64
7	Conclusions	67

Contents of Figure
Figure 1 Software Risk Management Steps (Boehm & Ross, 1989)	5
Figure 2 The systems development life cycle (Valacich et al., 2001; Dennis et al., 2005)	10
Figure 3 The Socio-Technical Theory in the System Development Process  (Bostrom & Heinen, 1977)	15
Figure 4 The Socio-Technical Model (Leavitt, 1964)	17
Figure 5 Risk frequency in the software development process	40
Figure 6 Risk correlations in the software development process	42
Figure 7 Risks correlations between each phase in the software development process	43
Figure 8 Risk frequency in the software development process for the first project type	58
Figure 9 Risk correlations in the software development process for the first project type	59
Figure 10 Risks correlations between each phase in the software development process for the first project type	60
Figure 11 Risk frequency in the software development process for the second project type	61
Figure 12 Risk correlations in the software development process for the second project type	62
Figure 13 Risks correlations between each phase in the software development process for the second project type	63
Figure 14 Risk frequency in the software development process for the third project type	65
Figure 15 Risk correlations in the software development process for the third project type	65
Figure 16 Risks correlations between each phase in the software development process for the second project type	66

Contents of Table
Table 1 The overview of the participated case companies	30
Table 2 The overviews of the participants	31
Table 3 The definitions, keywords and example themes in the software development risk	36
Table 4 The definitions, keywords and example themes in the software development process	37
Table 5 Descriptive statistics for risk in the software development process	39
Table 6 Correlation Matrix for risks in the planning phase	45
Table 7 Correlation Matrix for risks in the planning phase with different phase of the software development process	46
Table 8 Correlation Matrix for risks in the analysis phase	48
Table 9 Correlation Matrix for risks in the analysis phase with different phase of the software development process	49
Table 10 Correlation Matrix for risks in the design phase	51
Table 11 Correlation Matrix for risks in the design phase with different phase of the software development process	52
Table 12 Correlation Matrix for risks in the implementation phase	54

Contents of Appendix
Appendix 1 Interview Form	79
Appendix 2 Correlation Coefficient Matrix for risks in each phase of the software development process	84
Appendix 3 Correlation Coefficient Matrix for risks with different phases of the software development process	85
Appendix 4 Correlation Coefficient Matrix for risks in each phase of the software development process for the first project type	86
Appendix 5 Correlation Coefficient Matrix for risks with different phases of the software development process for the first project type	87
Appendix 6 Correlation Coefficient Matrix for risks in each phase of the software development process for the second project type	88
Appendix 7 Correlation Coefficient Matrix for risks with different phases of the software development process for the second project type	89
Appendix 8 Correlation Coefficient Matrix for risks in each phase of the software development process for the third project type	90
Appendix 9 Correlation Coefficient Matrix for risks with different phases of the software development process for the third project type	91

Alter, S., & Ginzberg, M. (1978). Managing Uncertainty in MIS implementation. Sloan Management Review, 20(1), 23-31. 
Awazu, Y., Desouza, K. C., & Evaristo, J. R. (2004). Stopping runaway IT projects. Business Horizons, 47(1), 73-80. 
Bahli, B., & Rivard, S. (2005). Validating measures of information technology outsourcing risk factors. Omega, 33(2), 175-187. 
Bannerman, P. L. (2008). Risk and risk management in software projects: A reassessment. Journal of Systems and Software, 81(12), 2118-2133. 
Barki, H., Rivard, S., & Talbot, J. (1993). Toward an assessment of software development risk. Journal of Management Information Systems, 10(2), 203-225. 
Barki, H., Rivard, S., & Talbot, J. (2001). An Integrative Contingency Model of Software Project Risk Management. Journal of Management Information Systems, 17(4), 37-69. 
Beck, P., Jiang, J. J., & Klein, G. (2006). Prototyping mediators to project performance: learning and interaction. Journal of Systems and Software, 79(7), 1025-1035. 
Boehm, B. W. (1984). Verifying and Validating Software Requirements and Design Specifications. IEEE Software, 1(1), 75-88. 
Boehm, B. W. (1991). Software Risk Management: Principles and Practices. IEEE Software, 8(1), 32-41. 
Boehm, B. W., & Ross, R. (1989). Theory-W Software Project Management: Principles and Examples. IEEE Transaction on Software Engineering, 15(7), 902-916. 
Bostrom, R. P., & Heinen, J. S. (1977). MIS Problems and Failures: A Socio-Technical Perspective. MIS Quarterly, 1(3), 17-32. 
Bowen, P. L., Cheung, M. D., & Rohde, F. H. (2007). Enhancing IT governance practices: A model and case study of an organization's efforts. International Journal of Accounting Information Systems, 8(3), 191-221. 
Chapman, C., & Ward, S. (2003). Project Risk Management - Processes, Techniques and Insights.  Chichester: John Wiley & Sons. Ltd.
Charette, R. N. (1989). Software Engineering Risk Analysis and Management. NY: McGraw-Hill.
Cooper, M. D. R., & Schindler, P. S. (2008). Business Research Methods. NA: McGraw-Hill.
Davis, G. B. (1982). Strategies for information requirements determination. IBM Systems Journal, 21(1), 4-30. 
DeMarco, T., & Lister, T. (2003). Waltzing With Bears: Managing Risk on Software Projects. NY: Dorset House Publishing Company.
Dennis, A., Wixom, B. H., & Tegarden, D. (2005). System Analysis and Design with UML Version 2.0. U. S. A: Wiley.
Huang, S., Chang, I., Li, S., & Lin, M. (2004). Assessing risk in ERP projects  identify and prioritize the factors. Industrial Management & Data Systems, 104(8), 681-688. 
Huang, S., & Han, W. (2008). Exploring the relationship between software project duration and risk exposure: A cluster analysis. Information & Management, 45(3), 175-182. 
Iacovou, C. L., & Nakatsu, R. (2008). A risk profile of offshore-outsourced development projects. Communications of the ACM, 51(6), 89-94. 
Iversen, J. H., Mathiassen, L., & Nielsen, P. A. (2004). Managing Risk In Software Process Improvement: An Action Research Approach. MIS Quarterly, 28(3), 395-433. 
Keil, M., Cule, P. E., Lyytinen, K., & Schmidt, R. C. (1998). A framework for identifying software project risks. Communications of the ACM, 41(11), 76-83. 
Keil, M., Li, L., Mathiassen, L., & Zheng, G. (2008). The influence of checklists and roles on software practitioner risk perception and decision-making. Journal of Systems and Software, 81(6), 908-919. 
Kendall, K. E., & Kendall, J. E. (1995). Systems Analysis and Design. NY: Prentice Hall.
King, S. F., & Burgess, T. F. (2006). Beyond critical success factors: A dynamic model of enterprise system innovation. International Journal of Information Management, 26(1), 59-69. 
Kishore, R., & McLean, E. R. (2007). Reconceptualizing Innovation Compatibility as Organizational Alignment in Secondary IT Adoption Contexts: An Investigation of Software Reuse Infusion. IEEE Transactions on Engineering Management, 54(4), 756 - 775. 
Krippendorff, K. H. (1980). Content Analysis: An Introduction to Its Methodology. London: Sage.
Laudon, K. C., & Laudon, J. P. (2000). Management information systems: organization and technology in the networked enterprise (6 ed.). New Jersey: Prentice Hall.
Leavitt, H. J. (1964). Applied Organization Change in Industry: Structural, Technical, and Human Approaches. New Perspective in Organizational Research (pp. 55-71). Chicago: Wiley.
Lee, G., & Xia, W. (2005). The ability of information systems development project teams to respond to business and technology changes: a study of flexibility measures. European Journal of Information Systems, 14(1), 75-92. 
Luna-Reyes, L. F., Zhang, J., Ramon Gil-Garcia, J., & Cresswell, A. M. (2005). Information systems development as emergent socio-technical change: a practice approach. European Journal of Information Systems, 14(1), 93-105. 
Lyytinen, K., Mathiassen, L., & Ropponen, J. (1996). A framework for software risk management. Journal of Information Technology, 8(1), 53-68. 
Lyytinen, K., Mathiassen, L., & Ropponen, J. (1998). Attention Shaping and Software Risk-A Categorical Analysis of Four Classical Risk Management Approaches. Information Systems Research, 9(3), 233-255. 
McFarlan, F. W. (1981). Portfolio approach to information systems. Harvard Business, 59(5), 142-150. 
Moynihan, T. (1996). An Inventory of Personal Constructs for Information Systems Project Risk Researchers Journal of Information Technology, 11(4), 359-371. 
Neuendorf, K. A. (2002). The Content Analysis Guidebook. CA: Sage.
Persson, J. S., Mathiassen, L., Madser, T. S., & Steinson, F. (2009). Managing Risks in Distributed Software Projects: An Integrative Framework. IEEE Transactions on Engineering Management, 56(3), 508-532. 
Procaccino, J. D., Verner, J. M., Darter, M. E., & Amadio, W. J. (2005). Toward predicting software development success from the perspective of practitioners: an exploratory Bayesian model. Journal of Information Technology, 20(3), 187-200. 
Ropponen, J., & Lyytinen, K. (2000). Components of Software Development Risk: How to Address Them? A Project Manager Survey. IEEE Transactions on Software Engineering, 26(2), 98-112. 
Serva, M. A., Sherer, S. A., & Sipior, J. C. (2003). "When Do You ASP?" The Software Life Cycle Control Model. Information Systems Frontiers, 5(2), 219-232. 
Shelly, G. G., Cashman, T. J., Adamski, J., & Adamski, J. J. (1995). Systems Analysis and Design. U. S. A: Boyd & Fraser.
Somers, T. M., & Nelson, K. G. (2004). A taxonomy of players and activities across the ERP project life cycle. Information & Management, 41(3), 257-278. 
Subramanian, G. H., Jiang, J. J., & Klein, G. (2007). Software quality and IS project performance improvements from software development process maturity and IS implementation strategies. Journal of Systems and Software, 80(4), 616-627. 
Taylor, H. (2007). Outsourced IT Projects from the Vendor Perspective: Different Goals, Different Risks. Journal of Global Information Management, 15(2), 1-27.
The Standish Group International. (1995) The Chaos Report. Retrieved November 20, 2009, from http://www.projectsmart.co.uk/docs/chaos-report.pdf
The Standish Group International. (2001) The Chaos Report. Retrieved December 25, 2009, from http://www.standishgroup.com/chaos/introduction.pdf
The Standish Group International. (2009) The Chaos Report. Retrieved January 30, 2010, from http://www1.standishgroup.com/newsroom/chaos_2009.php
Tiwana, A., & Keil, M. (2006). Functionality Risk in Information Systems Development: An Empirical Investigation. IEEE Transaction on Engineering Management, 53(3), 412-425.
Valacich, J. S., George, J. F., & Hoffer, J. A. (2001). Systems Analysis and Design. U. S. A: Prentice-Hall.
Wallace, L., & Keil, M. (2004). Software project risks and their effect on outcomes. Communications of the ACM, 47(4), 68-73. 
Wallace, L., Keil, M., & Rai, A. (2004). Understanding software project risk: a cluster analysis. Information & Management, 42(1), 115-125. 
Weber, R. P. (1985). Basic Content Analysis. London: Sage.
Xu, P., & Ramesh, B. (2007). Software Process Tailoring: An Empirical Investigation. Journal of Management Information Systems, 24(2), 293-328. 
Young, R., & Jordan, E. (2008). Top management support: Mantra or necessity? International Journal of Project Management, 26(7), 713-725. 
Zhou, L., Vasconcelos, A., & Nunes, M. (2008). Supporting decision making in risk management through an evidence-based information systems project risk checklist. Information Management & Computer Security, 16(2), 166-186.