There are risks associated with any project with a substantial IT component, like the large projects we examined. I think that goes without saying. To minimize and control the element of risk, very rigorous management practices need to be in place. The government's IT management framework appears to be satisfactory. Admittedly, it dates back to 1998, which means that it could be updated and more recent practices adopted. However, generally speaking, the management framework is adequate. The problem we noted was that people disregard the management framework. There is no business plan that clearly sets out what a project is supposed to achieve, who the user will be and what the risks are. Sound planning is needed from the outset to identify these risks if subsequently, we want to minimize them, or least keep them in check.
Another problem was also noted with respect to organizational capacity. One would expect there to be a sound analysis of the required resources, either in terms of qualifications or numbers, to successfully carry out a project. These are perhaps the two most important factors identified in terms of shortcomings in the projects we examined.