by Douglas Hubbard

Hurdling Risks

Jun 13, 20079 mins
Risk Management

Botched or canceled IT projects cost companies enormous amounts of money. Applying some basic principles of finance to your IT investments will help you better manage these risky ventures

AS ANY INVESTOR KNOWS, stocks are riskier investments than bonds. Investors thus require a higher rate of return for investing in stocks. In fact, most investors are risk averse–for a small increase in risk, they need a large increase in expected return.

The additional amount added to a return to compensate investors for risk is referred to as a risk premium. Just as stock investors expect higher returns to compensate for taking on higher levels of risk, executives should factor in the potential for risk as well as for return when deciding whether to fund an IT project. Yet most companies do not apply these basic finance principles to IT investments, especially to internally developed software projects, which are inherently some of the riskiest investments they make.

Hurdle Rates

A hurdle rate is the minimum ROI a company requires for investments. If the projected ROI on a proposed project is greater than the hurdle rate, the project is considered a desirable use of funds. If the projected ROI is less than the hurdle rate, the project will be given lower priority. Hurdle rates are set somewhat arbitrarily, but those who set rates usually try to take risk into account. This is why hurdle rates for IT investments are usually higher than the cost of capital.

Not all companies use hurdle rates, of course, and some industries use them more than others. “Manufacturing firms tend to have more of a hurdle-rate mentality. Service firms have less of one,” says Ron Shevlin, senior analyst in the leadership strategies service of Forrester Research Inc. in Cambridge, Mass. He also notes that hurdle rates are inappropriate for most infrastructure investments because some are not optional; therefore ROI doesn’t apply (and a hurdle rate is thus not a decision criterion). Additionally, some analysts argue that because an ROI calculation does not always include the intangible benefits of some projects, strict adherence to a hurdle rate would discriminate against such projects.

But many companies do use hurdle rates as a guideline for some or even all of their IT investments. The fact is that many IT investments are optional and are proposed primarily to reap some economic benefit. In such cases a hurdle rate is a completely valid decision criterion.

The problem is that most companies do not adjust the hurdle rate for risk nearly enough. Estimates of average hurdle rates vary widely. “The typical hurdle rate for IT investments is in the range of 15 percent to 18 percent for the North American firms we talked to,” says Bruce Stewart, vice president in the management strategies and directions service of GartnerGroup Inc. in Stamford, Conn. Thomas D. Oleson, research director at Framingham, Mass.-based International Data Corp. (which is owned by the same parent company as CIO Communications Inc.), provides a higher range: “The [U.S.] hurdle rates I looked at were more in the 30 percent to 50 percent range, depending on the nature of the application.” Oleson attributes the higher numbers to a possible difference in IDC’s clients. DHS & Associates’ research, on the other hand, uncovered few hurdle rates above 30 percent. If the risk premium is fully incorporated into the hurdle rate, we find that these hurdle rates may be far too low. IT investments are risky–there are uncertain benefits, potential cost overruns and possible cancellations. In fact, the cancellation rate of large projects exceeds the default rate of most junk bonds. Unless U.S. hurdle rates begin to reflect these risks, companies will continue to gamble their money on IT projects that, with better risk management, they might have nixed at the starting gate.

Risk and Return

One way to assess whether IT investments are worth the risk is to borrow a graphing technique from modern portfolio theory (MPT), the science of portfolio management developed in the 1950s. MPT shows, among other things, how one can derive the risk and return of a portfolio given the risk and return of the individual investments and how to optimize the investments of a portfolio for a given risk and return. I asked executives how they’d evaluate an IT investment of about $3 million and plotted how high an expected return they’d require before investing, given different probabilities of a negative return. As you can see from “Risk/Return Profiles”, the CFO of this insurance company would accept a 15 percent chance of a negative return if the expected return–the probability-weighted average of all possible returns–was about 50 percent. The CIO, on the other hand, would need about a 150 percent return for a 15 percent chance of a negative return. The “just barely acceptable” points on the resulting graph delineate the investment boundary, or the risk aversion (or risk tolerance) of each executive.

Taking these risk/return profiles at face value and comparing them with some of the known risks of IT has an interesting consequence. Depending on a company’s cost per work month, a $3 million software development project may require about 300 to 500 work months of effort. Based on data from Capers Jones, chairman of Software Productivity Research Inc. in Burlington, Mass., who has been tracking several thousand software development projects in a database, this project would have a 25 percent to 30 percent risk of cancellation. If we plot the chance of cancellation, which counts as a negative return, against some risk/return profiles, we see that a risk-adjusted hurdle rate could easily be 100 percent or higher. In fact, the CIO and CFO profiled in the chart apparently consider this risk too high even for a return of 300 percent. And remember that cancellation is not the only possibility for a negative return as uncertain costs can exceed uncertain benefits. This means that the real hurdle rate of the company–adjusted for risk–could easily surpass 100 percent or more for a $3 million investment.

Can this be right? Are the real hurdle rates for some projects in excess of 100 percent? The only way to deny this is to either argue that IT risks are actually not that high or that the subjective risk/return preferences for the investors are off-base and should be much more lenient. The problem with the first objection is that much empirical evidence supports the fact that IT investments have significant chances of cancellation, cost-overruns and unrealized benefits. Your company may be one of the exceptions because some organizations will do better than average. On the other hand, some firms will do worse. The problem with the second objection is that if we compare the risk aversion of executives purchasing IT to the risk profiles of other types of investors we find that they are not at all out of line. In fact, many IT purchasers are relatively risk tolerant when compared to other investors.

IT Portfolios and Risk

MPT suggests that the risk of portfolios with a few large investments is much more than the risk of portfolios with several small investments. One can always diversify risk by spreading it out among several types of investments. Unfortunately, IT portfolios are not typically diverse. Often the one or two biggest IT investments in a company make up more than half of the portfolio with the rest of the portfolio made up of projects of decreasing size. You may accept a 20 percent chance of a negative return to achieve a 25 percent expected return for an investment of $500,000, yet your required return for a $50 million investment would be much higher than 25 percent for the same chance of a negative return. Ironically, even as you become more risk averse for larger investments, risk increases as IT investments become larger. This compounding effect means that even hurdle rates of several hundred percent are possible for the largest projects in a portfolio. It is also possible to have a project that is so large and risky that no expected return–no matter how large–would compensate the investor for the risk.

Consequences for Decision Makers

When evaluating software development projects, using a fixed hurdle rate that does not change with risk is dangerous. Because various sized projects have different risks, hurdle rates need to be adjusted on a project-by-project basis. Companies that begin to use hurdle rates will find that many of the projects they approved in the past are no longer acceptable. For instance, a project with a 55 percent ROI may now look a lot less attractive when risk is considered. But that doesn’t mean that decision makers must invest in fewer IT projects. Instead, they should manage the risk directly. (See “Risk-Busting Strategies” in this article).

IT investments are among the riskiest investments a business can make. Any hurdle rate that does not fully account for risk puts the investor in the dangerous position of accepting too much risk in the firm’s IT portfolio. And unless companies start managing risk better, they will be forced to require astronomical hurdle rates or get far too little return on their IT investments.

Risk-Busting Strategies

Some tried-and-true methods of managing the risk of IT projects

    1. Focus on smaller projects that have a higher chance of being delivered successfully.

    2. Defer major projects until your company has gained the necessary skills to carry out those projects.

    3. Defer major projects if the organization is unstable or future mergers, spinoffs or changes in leadership make the successful completion of the project uncertain.

    4. Consider breaking up large projects into smaller projects that incrementally develop improved versions of software projects instead of putting your eggs in one basket with one big version 1.0.

    5. Present the risk-adjusted evaluation of proposed software to users and developers so that runaway gold plating–adding lots of bells and whistles with limited benefits–of software will be discouraged.

    6. Think about buying packaged software rather than developing software internally, even if the packaged software may not fit perfectly.

    7. Hedge against project losses by asking software vendors and consulting firms to assume more risk with fixed bids, lateness penalties or other types of insurance.

    8. Reduce the uncertainty of IT projects further by aggressively measuring unknown quantities, such as expected productivity benefits.


Douglas Hubbard is director of applied information economics with DHS & Associates Inc. in Rosemont, Ill. He can be reached at or 800 297-5601.