Assessing the Maturity Level of Risk Management in IT Projects

by Valentin Nikolaenko and Anatoly Sidorov *
Department of Data Processing Automation, Tomsk State University of Control Systems and Radioelectronics, 634050 Tomsk, Russia
* Author to whom correspondence should be addressed.
Sustainability 2023, 15(17), 12752; https://doi.org/10.3390/su151712752
Submission received: 13 June 2023 / Revised: 21 July 2023 / Accepted: 17 August 2023 / Published: 23 August 2023
(This article belongs to the Special Issue Sustainability in Project Management)

Abstract

The purpose of the article is to determine the maturity level of risk management in IT projects. To achieve this goal, the most popular risk management maturity models were analyzed. This analysis makes it possible to identify the methods and mechanisms used to determine maturity levels, the strengths and weaknesses of each model, and the findings obtained from their use. On this basis, the authors' risk management maturity model for IT projects was developed and tested, taking into account the strengths and weaknesses of the analyzed models. The analysis results and empirical data show that the created model makes it possible to determine the current maturity level of risk management in IT projects, identify management problems in these projects, and develop recommendations for raising the level of management. The results show that the transition to the Standardized maturity level eliminates 105 universal risks and significantly increases the chances of achieving the designed goals. In addition, it was found that evaluating the effectiveness and efficiency of risk elimination, and identifying and standardizing the best risk management practices, are the main processes that ensure the transition to higher maturity levels. The obtained results suggest that the authors' risk management maturity model for IT projects can become a tool for identifying the best contractor (performer, supplier), one that guarantees the development of the desired IT product.

1. Introduction

IT project management is one of the most promising and actively developing areas of modern management, as evidenced by the regular updating of international codes of best management practice and standards such as the PMBOK® Guide, ICB IPMA, PRINCE2® and ISO 10006 [1,2,3]. However, despite this active development and accumulated knowledge, applying the tools developed so far does not always guarantee that the planned goals of IT projects are achieved. One example is the study by V. Nikolaenko, which shows that IT projects are exposed to 105 universal risks, i.e., risks that can materialize in any IT project regardless of its scale, complexity, management methods or number of participants [4]. Another is the statistics of the Standish Group International, according to which more than 70% of IT projects implemented in the US and European countries have been recognized as problematic or incomplete [5]. According to J. Crawford, frequent risk materialization and the small proportion of successfully completed projects are closely related to the low maturity of project management and of its risk management [6]. In particular, Crawford concluded that, in order to apply the PMBOK® Guide effectively, project participants must first determine the maturity level of their professional competencies. He called this method of improving participants' skills "increasing the level of maturity", and the method of determining it a "project management maturity model".
The incrementality of IT products is the ability to add new data and commands to program code in order to extend functionality and correct program errors (bugs). A striking example of incrementality is the computer game Cyberpunk 2077, released at the end of 2020 [7]. Although the final version of the game was released some time ago, the developer, CD Projekt RED, systematically releases updates that improve technical characteristics, fix bugs and add new content. For example, in September 2022 the developer released patch 1.6, which added content from the series Cyberpunk: Edgerunners, which premiered on Netflix in the autumn of 2022. Incrementality radically distinguishes an IT product from the results obtained in classic projects (construction, educational, sports, etc.). In particular, separate parts of an IT product can be developed in parallel, whereas in classic projects the desired result is obtained only if a certain sequence of actions is followed.
Another feature of IT products is their high technology, which imposes certain restrictions on IT projects. For example, only workers with special professional competencies may be involved in program code development. In particular, a programmer must have a minimum level of professional qualification; a test specialist, a database administrator and a system analyst must have secondary specialized education; a specialist in graphical user interface design must have professional training of up to one year; and a project manager in the field of IT must have a higher education.
It follows that the complexity of implementing IT projects, together with the incrementality and high technology of IT products, necessitates a high level of maturity. If the maturity of IT project management is low, there is a high probability that there will be no guarantee of creating the desired IT products, successfully achieving the goals of IT projects and conscientiously fulfilling all obligations stipulated by commercial and (or) government contracts. A high level of risk management maturity in IT projects can also significantly increase the sustainability of IT organizations that develop IT products for commercial and government needs, by eliminating or mitigating critical compliance, project and environmental risks.
In this regard, the purpose of the article is to assess the maturity of risk management in IT projects. To achieve this goal, the authors analyzed the most popular risk management maturity models, developed their own risk management maturity model for IT projects and tested it.

2. Analysis of Maturity Models in Risk Management

The Software Engineering Institute (SEI) is considered a pioneer in the field of determining maturity levels: in the 1980s, it came to the conclusion that the most reliable contractor (executor, supplier) is a counterparty with a high level of production and managerial maturity [8]. Since then, scientists and project management specialists have developed about 30 different maturity models [9], the most popular of which are OPM3 [10], IPMA DELTA® [11], PMMMsm [6], P3M3® [2], SPICE [12], PM2 [13], PMMM [14,15,16,17] and ProMMM [18,19]. The development of project management maturity models stimulated the creation of maturity models for risk management, which, with increasing maturity, can eliminate the most dangerous risks [20,21]. Many researchers have noted that an increasing level of risk management maturity also determines the real economic benefit from using risk management processes, creates road maps for the development of organizations and supports competitive analysis [22,23,24,25,26].
In most cases, risk management maturity models are presented as a matrix, where the maturity levels are the proven availability of best risk management practices, the attributes are risk management processes and methods, and the fields of the matrix are the criteria that determine the maturity of an attribute [27,28,29,30,31,32,33]. However, despite their similarities, each risk management maturity model has its own strengths and weaknesses. Let us consider them in more detail.

2.1. The Risk Management Maturity Model (RM Maturity Model)

The RM Maturity Model was developed by the Portuguese scientists D. Proenca, J. Estevens, R. Vieira and J. Borbinha in 2017 [34]. Starting from the international risk management standard ISO 31000, they argued that not all risk management processes can be launched in an organization simultaneously [35]. Among the major obstacles, they highlight the lack of the necessary business processes and of structural and infrastructural elements in organizations. Proenca, Estevens, Vieira and Borbinha therefore proposed decomposing the classic risk management processes into 39 sub-processes, distributed across 5 levels (Table 1).
RM Maturity Model includes 5 maturity levels:
  • Level 1. Initial. Proenca, Estevens, Vieira and Borbinha argued that risk management is ad hoc at the initial level; thus, organizations cannot predict the development of the risk or assess its materialization.
  • Level 2. Managed. According to the RM Maturity Model concept, organizations of this maturity level begin to develop and apply a risk management plan. This level is characterized by the establishment of structural and infrastructural elements of risk management. In particular, specialists responsible for risk management (2.1) are assigned, necessary resources are allocated (2.2) and reports are prepared (1.1).
  • Level 3. Defined. This is the most time-consuming level because it requires the management of organizations to initiate the simultaneous launch of 26 subprocesses.
  • Level 4. Quantitatively Managed. The quantitative information accumulated in the organization's knowledge bases can be used to model future states. This level is primarily aimed at improving the quality of the implementation of existing business processes. For example, quantitative indicators determine the cost effectiveness of applying risk management (4.1).
  • Level 5. Optimized. This level is considered the pinnacle of risk management maturity in organizations, as self-improvement sub-processes are launched at this level.
An analysis of the strengths and weaknesses of the RM Maturity Model shows that, despite its availability and ease of use, there are no empirical data in the literature confirming the effectiveness and efficiency of this model. In addition, the model does not assess the maturity of the professional competencies of the specialists responsible for risk management, ignores the degree of development of a risk-oriented corporate culture, and does not identify the best risk management practices. In essence, the RM Maturity Model is a road map that can be used to plan the consistent implementation of risk management processes in organizations.

2.2. The Management of Risk Maturity Model

The Management of Risk Maturity Model was developed by the Office of Government Commerce in 2010 on the basis of the code of the best British management practices in the field of risk management M_o_R® [36]. The model includes 5 levels of maturity:
  • Level 1. Initial. At this level of maturity, risks are identified once a year. Risk appetite and risk tolerance are not calculated. Sources of potential threats are not registered in risk registers.
  • Level 2. Repeatable. Organizations have risk management plans that provide systematic risk prevention measures and determine risk appetite and risk tolerance. For every identified risk, a risk owner is assigned.
  • Level 3. Defined. Risk management processes are continuously improved. The top management of organizations regularly discusses the risk status at meetings.
  • Level 4. Managed. Important management decisions are made considering risks. Organizations use quantitative risk assessment methods and mathematical models.
  • Level 5. Optimized. A risk-oriented corporate culture has been built in organizations, where each employee contributes to risk management. Job descriptions are updated and developed, taking into account risk-based management. Proactive management, aimed at anticipating risks, is practiced.
An analysis of the strengths and weaknesses of the Management of Risk Maturity Model shows that the model does not specify the documents that should be in place at the different maturity levels. The Office of Government Commerce (OGC) operates with general principles and recommendations but does not provide empirical evidence supporting the effectiveness and efficiency of this model.

2.3. The Risk Maturity Model (RMM)

The Risk Maturity Model (RMM) is based on the Enterprise Risk Management (ERM) code of best management practices [37]. The model was developed by the Risk and Insurance Management Society (RIMS), which has more than 11,000 risk manager members working in more than 60 countries around the world.
RMM evaluates 7 attributes to determine the maturity level. The maturity level is determined by the weakest link: if 6 attributes have reached level 3 and one attribute has reached only level 2, the overall maturity level of the organization is level 2.
RMM attributes are as follows:
  • Adoption of ERM by the organization's management. This attribute indicates the degree of administrative support from the organization's management. The support is manifested in management decisions on integrating risk management processes into corporate information systems and on establishing local documentation, standards, instructions, checklists, etc.
  • ERM processes. The evaluation of ERM processes is aimed at determining how effectively and efficiently the main risk management processes are used. An important maturity indicator for this attribute is the transition from qualitative to quantitative risk assessment methods, which give more accurate estimates of the likelihood of risk events and of their possible impact should they materialize.
  • Risk appetite. Determining the risk appetite enables the organization's management to evaluate the acceptable limit for the materialization of risks and to increase awareness when investing resources in new projects.
  • Determining the source of the problem. Accumulating information on problems reduces uncertainty and creates the basis for proactive risk management.
  • Risk disclosure. This attribute covers the collection, processing, analysis and storage of information about the management decisions made.
  • Performance management. The systematic assessment of key performance indicators, for example with Kaplan's balanced scorecard, demonstrates how the use of risk management affects the achievement of goals.
  • Business sustainability. This attribute shows how the organization behaves in critical conditions, for example when suppliers fail, market prices change sharply, cash flows are highly volatile, or commercial property loses liquidity.
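The weakest-link rule above is simple to state but easy to get wrong in a spreadsheet: an attribute that was never scored must not silently count as the minimum, and the useful output of an assessment is not only the overall level but the attributes that hold it there and how far each is from the next target. The following is an added illustration written for this article, not RIMS's own tooling; the attribute names are paraphrased from the list above and the scores are constructed for the example.

```python
"""Weakest-link maturity scoring, as the RMM rule in the text describes it.

Added illustration; not code from RIMS or from the article's authors.
"""
from typing import Iterable, Mapping

# Attribute names paraphrased from the RMM list in the text (assumption:
# the exact wording in the RIMS questionnaire differs).
RMM_ATTRIBUTES = (
    "ERM adoption by management",
    "ERM processes",
    "Risk appetite",
    "Determining the source of the problem",
    "Risk disclosure",
    "Performance management",
    "Business sustainability",
)
MIN_LEVEL, MAX_LEVEL = 1, 5


def weak_link_level(scores: Mapping[str, int],
                    attributes: Iterable[str] = RMM_ATTRIBUTES,
                    min_level: int = MIN_LEVEL,
                    max_level: int = MAX_LEVEL) -> tuple[int, list[str]]:
    """Return (overall level, attributes sitting at that level).

    The overall level is the minimum over all attributes.  An unscored or
    out-of-range attribute is an assessment error, so it raises instead of
    being treated as level 0 and quietly dragging the result down.
    """
    attributes = tuple(attributes)
    missing = [a for a in attributes if a not in scores]
    if missing:
        raise ValueError(f"unscored attributes: {missing}")
    for a in attributes:
        if not min_level <= scores[a] <= max_level:
            raise ValueError(f"{a}: level {scores[a]} outside "
                             f"{min_level}..{max_level}")
    level = min(scores[a] for a in attributes)
    gating = [a for a in attributes if scores[a] == level]
    return level, gating


def gap_to(target: int, scores: Mapping[str, int],
           attributes: Iterable[str] = RMM_ATTRIBUTES) -> dict[str, int]:
    """Attributes that must be raised to reach `target`, and by how many levels.

    Under the weakest-link rule every attribute below the target must move,
    so this is the full work list for the next level, not just the minimum.
    """
    return {a: target - scores[a] for a in attributes if scores[a] < target}


# Constructed example matching the text: six attributes at level 3 and one
# (risk appetite) at level 2, so the organization is at level 2 overall.
SAMPLE_SCORES = {a: 3 for a in RMM_ATTRIBUTES}
SAMPLE_SCORES["Risk appetite"] = 2

if __name__ == "__main__":
    level, gating = weak_link_level(SAMPLE_SCORES)
    print(f"overall maturity level {level}, held there by {gating}")
    print("work list to reach level 4:", gap_to(4, SAMPLE_SCORES))
```

The same two functions apply unchanged to a model with a different attribute set or level range (for instance four levels and ten attributes) by passing `attributes`, `min_level` and `max_level`; the rule itself is the only thing the RMM text fixes.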
The business value of RMM is confirmed by the research of M. Farrell and R. Gallagher [38]. They evaluated 225 organizations and established a relationship between the level of risk management maturity and the market value of the organization (Table 2). The empirical evidence shows that organizations with high risk management maturity are less likely to experience dangerous risk events, or do not experience them at all.
S. Tjahiono presented the results of a maturity assessment for 100 non-financial Indonesian organizations (Table 3) [39].
Analyzing the strengths and weaknesses of RMM, we can conclude:
  • First, agriculture and construction organizations have the worst indicators in terms of risk management. Tjahiono explained this circumstance by the fact that the spheres of agriculture and construction are highly dependent on external threats, which are often beyond control (flood, drought, fires, earthquakes, hurricanes, etc.).
  • Second, the most developed area in the field of risk management is the extraction, processing, transportation and storage of minerals. Tjahiono believed that the high level of maturity in this area is associated with the created mechanisms that eliminate the threat of the materialization of dangerous man-made disasters, such as oil spills and toxic emissions into the atmosphere.
  • Third, there is no empirical evidence in the literature for the use of RMM in IT projects and IT organizations. According to ISO/IEC 26514, an IT product is both a set of IT results obtained at the end of the IT project life cycle phases and a complex legal object: the result of intellectual activity and a materialized result, expressed as a set of data and commands that ensure the functioning of a computer and other digital devices [40]. It follows from this definition that a risk management maturity model should take into account the compliance and technological features of IT project management, such as program code incrementality and high technology. RMM does not take these features into account.

2.4. The Risk Management Maturity Model (RM3)

In their works, P. Zou, Y. Chen and T. Chan noted that risk management in construction projects is one of the most important management tools [41]. In this connection, scientists have created the Risk Management Maturity Model (RM3), which can identify strengths and weaknesses in the management of construction projects and create a consistent roadmap for the development of construction organizations. The RM3 maturity model includes 5 attributes presented in Table 4.
It should be noted that Zou, Chen and Chan understood the attribute risk analysis as the processes of quantitative and qualitative determination of the probability of risk occurrence and their possible impact in cases of materialization. In the RM3, attributes are categorized into 5 maturity levels (Table 5).
RM3 has been tested in Australian construction organizations. The results show that 32% of construction organizations are maturity level 2, and 52% are maturity level 3. Scientists have also found that risk analysis is the most immature attribute in construction organizations [42].

2.5. Strengths and Weaknesses of the Most Popular Risk Management Maturity Models

An analysis of risk management maturity models made it possible to define a list of mandatory characteristics that a model should have in order to eliminate the most dangerous risks, determine the real economic benefits from the operation of risk management processes and continuously develop organizations. These characteristics include:
  • Body of knowledge. A body of knowledge is aggregated best risk management practice, formalized in the manuals of professional communities and in standards. Prominent examples are the PMBOK® Guide, ICB IPMA, PRINCE2®, ISO, etc. The body of knowledge describes the tools, mechanisms, methods, processes and knowledge that allow the identification of management gaps that need to be addressed.
  • Empirical data. Identifying the level of maturity in terms of risk management requires significant effort. Moreover, an incorrect definition of development priorities can deplete managerial, material and human resources without presenting the expected effect. In this regard, a mandatory characteristic of the maturity model is its practical applicability confirmed by empirical data. Otherwise, the use of a risk management maturity model is inappropriate.
  • Risk elimination. A maturity model should primarily solve the problem of risk elimination. In particular, with an increase in the maturity level, the number of materialized risks and the amount of damage caused in case of their occurrence should decrease. If these requirements are not met with increasing maturity, investing in the development of risk management is inappropriate.
  • Structural and infrastructure elements. These elements include risk management budgets allocated by the organization, specialists responsible for risk management, workplaces, job descriptions, corporate standards, checklists, specialized equipment and software. Without these elements, effective and efficient risk management is impossible. Therefore, if the maturity model does not consider the presence and maturity of structural and infrastructural elements, the use of this model is inappropriate.
  • Risk-oriented corporate culture. A set of behavior patterns, codes of the best individual and group risk management practices that have proved their effectiveness and efficiency in past projects and form a risk-oriented corporate culture in the organization. Thanks to a developed corporate culture, employees can effectively and efficiently resolve problems that arise in normal and abnormal situations. If the maturity model does not assess the degree of development of a risk-oriented corporate culture, the use of this model is inappropriate.
  • Professional maturity of specialists responsible for risk management. The effective and efficient use of risk management tools, mechanisms, methods and processes requires specialists to have special knowledge. For example, the use of quantitative methods to assess the probability of risk occurrence and the possible impact in cases of risk materialization is not possible without knowledge of mathematical modeling, statistics and probability theory. Therefore, if the maturity model does not take into account the professional training of specialists responsible for risk management, the use of this model is inappropriate.
Based on the identified mandatory characteristics, it is possible to evaluate the risk management maturity models analyzed. The evaluation results are presented in Table 6, Appendix A and Appendix B.
Evaluation of maturity models in risk management showed that RMM is the most developed model. RMM can eliminate hazardous risks, determine the real economic benefits of operating risk management processes, and ensure the continuous development of organizations.
However, the absence of such characteristics as a risk-oriented corporate culture and the professional maturity of the specialists responsible for risk management does not allow us to claim with confidence that applying this maturity model will guarantee the successful achievement of the planned goals. RMM also does not take into account the compliance and technological features of IT project management, such as program code incrementality and high technology, which significantly reduces the scope for its practical application.
In this regard, based on the analysis of the strengths and weaknesses of the most popular maturity models, the authors developed their own model, which determines the maturity level of risk management in IT projects and satisfies the mandatory characteristics that a risk management maturity model needs.

3. The Author’s Risk Management Maturity Model in IT Projects

Based on the analysis of the most popular risk management maturity models in IT projects, methods and mechanisms for determining maturity levels using these models, as well as an assessment of their strengths and weaknesses, the authors of this article developed a maturity model that is based on an assessment of the key attributes of risk management in IT projects.
The author’s risk management maturity model in IT projects includes four levels of maturity. Its detailed description is presented in Table 7.
The developed author’s model includes ten attributes, their description is presented in Table 8. It is worth noting that the model includes the distribution of responsibility for a particular attribute implementation. For example, a risk management mechanism cannot be created by a specialist responsible for risk management, since the allocation of budgets, the search and employment of specialists, the organization of workplaces, the control over the implementation of job descriptions and standards, and the purchase of specialized equipment and software fall within the competence of the organization’s management.
Thus, given the maturity levels and attributes of the author’s risk management maturity model in IT projects, criteria that determine the maturity level can be identified. These criteria are presented in Table 9. Notably, Level 3 provides for the emergence of a new structure in the organization—a project office, which is targeted at identifying, analyzing, evaluating, standardizing, disseminating and updating the best risk management practices.
It should be noted that the attributes presented in Table 8 and Table 9 were selected through the analysis of the PMBOK® Guide, ICB IPMA, PRINCE2®, ISO, etc. products. The maturity of these attributes is determined by the achievement of certain indicators, as detailed in Table 7 and Table 9.
It is important to note that the developed maturity model of IT project risk management meets all characteristics identified during the analysis of the most popular models (Section 2.5). Let us consider these characteristics in more detail:
  • Body of knowledge. The developed maturity model of IT project risk management does not depend on the scale, complexity, number of participants or management method (Waterfall, Agile) of an IT project. The model is therefore universal and can be used in any IT project, regardless of the applied body of knowledge (PMBOK® Guide, ICB IPMA, PRINCE2®, ISO, etc.). This is confirmed by the criteria for the maturity level of risk management in IT projects presented in Table 8 and Table 9. In particular, to achieve "Level 2. Random", the attributes "Risk Management Plan", "Risk identification", "Risk analysis", "Risk assessment", "Impact on risks", "Risks monitoring" and "Risk control" must be carried out in accordance with the PMBOK® Guide, ICB IPMA, PRINCE2®, ISO, etc.
  • Empirical data. The practical applicability of the developed model is confirmed. The author’s risk management maturity model was used in 3 IT projects; the results are presented in Section 4. It is worth noting that the authors plan to conduct research on 50 IT projects in order to determine the positive effect from increasing the level of maturity in the area of risk management for IT organizations.
  • Elimination of risks. The empirical data obtained, presented in Section 4, establish that when the maturity level increases, the likelihood of project and compliance risks decreases and the possible negative impact decreases if these risks materialize. However, the specific number of risks that were eliminated by increasing the maturity level could not be established at this stage of the research. In order to establish this value, it is necessary to carry out a number of improving measures in the studied IT organizations that increase the level of risk management maturity. This problem is planned to be solved in the next stages of research.
  • Structural and infrastructure elements. The planned goals of IT projects will not be successfully achieved unless structural and infrastructural elements are created, such as jobs, specialists, job descriptions, corporate standards, specialized equipment, etc. The developed model takes into account these features of the implementation of IT projects, which is confirmed by the attribute “Risk management mechanism”, described in detail in Table 8 and Table 9. For example, at “Level 2. Random” the position of a specialist responsible for risk management is introduced, a job description and other acts are created that describe the purpose, functions, rights, obligations, responsibility, qualification requirements, etc.
  • Risk-oriented corporate culture. Behavior patterns and best individual and group risk management practices are the core of a risk-based corporate culture. The developed model also considers these features of the implementation of IT projects, as shown by the “Risk-oriented corporate culture” attribute presented in Table 8 and Table 9. For example, at “Level 3. Standardized”, a specialist is guided by standards that are developed based on the best practices developed by predecessors.
  • Professional maturity of specialists responsible for risk management. In Section 2.5, it was noted that the effective and efficient use of risk management tools, mechanisms, methods and processes requires specialists to have specialized knowledge. The developed model of IT projects risk management takes into account these features of the implementation of IT projects, which is confirmed by the assignment of responsibility (Table 8). For example, the development of a “Risk Management Plan” is the responsibility of a specialist who performs the functions of a risk manager in an IT organization and an IT project.
To check the practical applicability of the author’s risk management maturity model in IT projects, it was tested in three IT projects. The results are presented in the next section.

4. Results of the Risk Management Maturity Model in IT Projects Testing

The developed model was tested in three IT projects: MojeKeramik, VV and Beethoven. The projects were selected on the basis of their scale, the concept used to create the IT product, the payment system, and the number of participants. In particular, IT projects of different durations were selected: a short-term, a medium-term and a long-term project. According to the classification of IT projects by the Standish Group International, projects lasting less than two months are short-term, projects lasting two to six months are medium-term, and projects lasting more than six months are long-term [5].
The incrementality of the program code led to the development of various concepts for creating IT products, such as Waterfall and Agile. These concepts are radically different, as they are based on different principles. According to Royce, the process of program code creation while using Waterfall is similar to a continuous water flow, where each stage continues the previous one and does not begin until the previous one ends [44]. Agile, using the incremental property of program code, on the contrary, changes the priority of development stages according to current user, functional and business requirements [45]. Given these circumstances, the authors of the article selected IT projects that used various concepts for creating IT products to test the developed risk management maturity model. It should be noted that the use of a particular concept determines the application of the payment system. In particular, the use of Waterfall implies the determination of a fixed price (Fixed Price), which is fixed in terms of the contract [46]. During Agile code development, the price is determined based on the actual resources spent (Time and Material).
The number of participants in an IT project has a significant impact on the successful achievement of planned goals. According to Standish Group International, the chances of successful completion of IT projects are higher if the number of participants does not exceed six people. In this case, the success rate is 67% [5]. In this regard, the authors of the article had selected IT projects for testing, where the number of participants does not exceed six people, and an IT project where the number of participants exceeds this number. More detailed information about the characteristics of the studied IT projects is presented in Table 10.
As a result of applying the author’s risk management maturity model to the IT projects, maturity maps were built. Their analysis established that the integral level of risk management maturity lies between maturity levels 0 and 1 (Figure 1). The low level of maturity can be explained by spontaneous risk management, which confirms the absence or immaturity of some risk management processes. Moreover, it was found that the studied IT projects do not develop a risk management plan, a key document that could later help to identify the best risk management practices.
The low level of risk management maturity at VV and Beethoven prevented the successful achievement of the planned project goals, and at MojeKeramik it led to a significant deviation from the planned duration. In the studied IT projects, project and compliance risks frequently materialized, which stopped the work, changed the composition of the teams, and forced revisions of the plans and requirements.
The approbation of the maturity model has shown that a low level of maturity does not allow project participants to gain positive experience that can be used in subsequent projects. Owing to the lack of structural and infrastructural elements, project participants do not identify the best risk management practices and do not evaluate and fix them in internal local acts. It is logical to assume that, because the experience gained is lost, project participants will face the same problems that materialized in the MojeKeramik, VV and Beethoven IT projects again and again.
It should be noted that the scale, the concept for developing the IT product, the payment system and the number of participants did not have a significant impact on the successful achievement of the planned goals because of the low maturity of risk management. Hence, we can conclude that the key success factor is a high level of risk management maturity, which ensures the elimination of 105 universal risks, the sustainable development of the structural and infrastructural elements of the organization, commitment to a risk-oriented corporate culture, and the professional maturity of IT project participants. Moreover, the constructed maturity maps and the results of the completed IT projects have clearly demonstrated the inability of organizations with a low level of risk management maturity to ensure the successful development of IT products.
Thus, we can conclude that the developed risk management maturity model in IT projects has shown its practical value and can be used to determine the best contractors (performers, suppliers), who can guarantee the development of the desired IT products, the successful completion of IT projects and the conscientious performance of all obligations stipulated by commercial and (or) government contracts. It is worth noting that there are universal problems for both commercial and state (municipal) customers [47]. These are: a high probability of concluding contracts with unscrupulous, unreliable and insufficiently qualified contractors (performers, suppliers); finding a balance between the quality of work performed (services provided, goods supplied) and an affordable market price; and low chances of successfully closing transactions. In particular, according to data from the Automated Information System “Monitoring” (AIS “Monitoring”) for 2017–2019, the average level of execution of public contracts before their termination was 66% [48]. Among the main reasons for the termination of contracts, the experts of AIS “Monitoring” name a significant failure of contractors (performers, suppliers) to perform their obligations, with dishonesty and insufficient qualification being especially acute in work on the development of IT products.

5. Discussion

Considering the list of mandatory characteristics and the results obtained during the analysis of the strengths and weaknesses of maturity models, the authors of the article developed a risk management maturity model in IT projects, which has the following positive characteristics:
  • First, the use of the developed model provides for the creation of road maps for improving risk management processes. The reviewed research results showed that not all of the analyzed risk management maturity models allow the development of road maps that would guarantee favorable economic effects. For example, an analysis of the D. Proenca, J. Estevens, R. Vieira and J. Borbinha model demonstrated that the RM Maturity Model is essentially a road map, but the simultaneous implementation of 26 sub-processes at Level 3 requires organizations to commit significant managerial, financial and human resources without guaranteeing a favorable economic effect [34].
  • Second, an increase in the maturity level brings about the elimination of risks, namely, the likelihood of risks materializing and their possible impact in case of occurrence decrease. As the analysis of the works of D. Proenca, J. Estevens, R. Vieira, J. Borbinha, P. Zou, Y. Chen and T. Chan showed, these researchers did not review the risks whose elimination accompanies an increase in the level of maturity [34,41]. The maturity model developed by the authors of this article is based on 105 universal risks that are eliminated with the transition to higher levels of maturity [4].
  • Third, unlike the analyzed models, the developed maturity model considers the compliance and technological features of IT project management.
A comparative analysis of the empirical data obtained by the authors of this article, coupled with the results of the predecessors, clearly demonstrates the practical significance of the created author’s model. Its value lies in the ability to determine the best counterparty that can guarantee the creation of an IT product and the successful achievement of project goals. However, it should be noted that the empirical data obtained are not sufficient to assess the economic effects that organizations receive from the transition to higher levels of maturity. These circumstances necessitate further research aimed at obtaining quantitative data to establish cause-and-effect relationships and patterns.

6. Conclusions

Based on the study, it can be concluded that IT project management is one of the most promising and actively developing areas of modern management, which is confirmed by regular updates of international codes of best management practices and standards, such as the PMBOK® Guide, ICB IPMA, PRINCE2®, ISO 10006, etc. However, despite its active development and accumulated knowledge, the use of this toolkit does not guarantee the successful achievement of the planned goals. In this regard, the authors of the article analyzed the most popular risk management maturity models and developed and tested the author’s risk management maturity model in IT projects, considering the identified strengths and weaknesses of the analyzed models.
Based on the results of the analysis and empirical data, it was found that the application of the author’s model allows for determining the current maturity level of risk management in IT projects, identifying management problems in these projects, and developing recommendations for the transition to more mature management. The results obtained showed that the transition to the Standardized level of maturity eliminates 105 universal risks and significantly increases the chances of achieving the planned project goals successfully. It was also found that the main processes that ensure the transition to higher levels of maturity are the evaluation of the effectiveness and efficiency of risk elimination and the identification and standardization of the best risk management practices. The obtained results allowed us to conclude that the created author’s risk management maturity model in IT projects can become a tool for identifying the best contractor (performer, supplier) that guarantees the creation of the desired IT product.
In subsequent work, the authors plan to increase the number of studied IT projects and to quantify the results obtained. A quantitative assessment will be carried out in order to identify the magnitude of the positive effect that IT organizations can obtain from increasing the level of maturity in the field of risk management. To achieve this goal, the level of maturity in more than 50 IT projects of various durations and various management methods will be evaluated. The assessment of the level of maturity in IT projects will be carried out as part of a universal roadmap, which is also planned for development and publication in subsequent works.

Author Contributions

Conceptualization, V.N. and A.S.; methodology, V.N.; validation, V.N.; formal analysis, V.N. and A.S.; investigation, V.N.; resources, V.N. and A.S.; data curation, V.N.; writing—original draft preparation, V.N. and A.S.; writing—review and editing, V.N. and A.S.; visualization, V.N.; supervision, A.S.; project administration, A.S.; funding acquisition, A.S. All authors have read and agreed to the published version of the manuscript.

Funding

This research was funded by the Ministry of Science and Higher Education, project FEWM-2023-0013.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

Not applicable.

Conflicts of Interest

The authors declare no conflict of interest.

Appendix A

Table A1. The most Popular Risk Management Maturity Models.
Risk Management Maturity Model | Program Developer | Date of the First Version | The Presence of a Standard | Number of Levels
RM Maturity Model | Proenca, Estevens, Vieira and Borbinha | 2017 | ISO 31000 | 1–5
Management of Risk Maturity Model | Office of Government Commerce | 2010 | PRINCE2®, M_o_R® | 1–5
Risk Maturity Model (RMM) | The Risk and Insurance Management Society (RIMS) | 2006 | ERM | 1–5
Risk Management Maturity Model (RM3) | Zou, Chen and Chan | 2010 | No | 1–4
Risk Maturity Model (RMM) | Hillson | 1997 | No | 1–4
Project Management Maturity Model (PMMM) | Crawford | 2002 | PMBOK® | 1–5
Risk Management Maturity Model | Project Management Institute (PMI) | 2002 | PMBOK® | 1–5
IACCM Business Risk Management Maturity Model | IACCM Business Risk Management Working Group | 2003 | No | 1–4
Risk Management Capability Maturity Model for Complex Product Systems Projects | Ren and Yeo | 2004 | No | 1–5
PMI’s Risk Management Maturity Model Adapted to the Construction Industry | Loosemore | 2006 | PMBOK® | 1–5

Appendix B

Table A2. Strengths and weaknesses of the most popular risk management maturity models.
RM Maturity Model
  Strengths:
  1. Based on the international standard ISO 31000.
  2. Analysis of the risk management sub-processes enshrined in ISO 31000 quickly determines the current level of maturity.
  Weaknesses:
  1. Level 3 is overloaded with sub-processes, which places a significant financial, personnel and managerial burden on the organization.
  2. The literature does not provide empirical data confirming the positive effect of moving to a higher level of maturity.
Management of Risk Maturity Model
  Strengths:
  1. Based on the standards M_o_R® and PRINCE2®.
  2. Analysis of the risk management processes enshrined in M_o_R® and PRINCE2® quickly determines the current level of maturity.
  Weaknesses:
  1. The model does not specify the documents that should be used at a particular level of maturity.
  2. OGC operates with general principles and recommendations but does not provide empirical data confirming the effectiveness and efficiency of using the model in practice.
RMM
  Strengths:
  1. Based on the ERM standard.
  2. Analysis of the risk management processes enshrined in ERM quickly determines the current level of maturity.
  3. The business value of RMM is supported by empirical evidence.
  4. A relationship between the level of maturity in the field of risk management and the market value of the organization has been established. In particular, empirical evidence has shown that highly mature organizations are less likely to experience dangerous risks, or do not experience them at all.
  Weaknesses:
  1. The literature does not provide empirical data on the use of RMM in IT projects and in IT organizations.
  2. RMM does not take into account the compliance and technological features of IT project management, such as program code incrementality and high technology.
RM3
  Strengths:
  1. The literature provides empirical data on the use of RM3.
  Weaknesses:
  1. Not based on standards.
  2. RM3 specializes in determining maturity in construction organizations.

References

  1. Project Management Body of Knowledge, 6th ed.; Project Management Institute (PMI): Newtown Square, PA, USA, 2017; 763p.
  2. Managing Successful Project with PRINCE2; The Office of Government Commerce (OGC): London, UK, 2017; 527p.
  3. Project Excellence Baseline for Achieving Excellence in Projects and Programmes (PEB). Version 1.0; International Project Management Association (IPMA): Amsterdam, The Netherlands, 2016; 113p.
  4. Nikolaenko, V.; Sidorov, A. Analysis of 105 IT Project Risks. J. Risk Financ. Manag. 2023, 16, 33.
  5. The CHAOS Manifesto; The Standish Group: Boston, MA, USA, 2014; 16p.
  6. Crawford, J.K. Project Management Maturity Model; Auerbach Publications: New York, NY, USA, 2007; 235p.
  7. Cyberpunk 2077. The Complete Official Guide; CD Projekt RED: Warsaw, Poland, 2020; 151p.
  8. O’Neill, D. The Way Forward: A Strategy for Harmonizing Agile and CMMI. Cross Talk. J. Def. Softw. Eng. 2018, 29, 4–9.
  9. Grant, K.P.; Pennypacker, J.S. Project management maturity: An assessment of project management capabilities among and between selected industries. IEEE Trans. Eng. Manag. 2006, 53, 59–68.
  10. Organizational Project Management Maturity Model (OPM3); Knowledge Foundation, Project Management Institute: Newtown Square, PA, USA, 2013.
  11. Bushuyev, S.; Wagner, R. IPMA Delta® and IPMA Organisational Competence Baseline (OCB): New approaches in the field of project management maturity. Int. J. Manag. Proj. Bus. 2014, 7, 302–310.
  12. Jeong, K.S.; Siriwardena, M.L.; Amaratunga, R.D.G.; Haigh, R.P.; Kagioglou, M. Structured process improvement for construction enterprises (SPICE) level 3: Establishing a management infrastructure to facilitate process improvement at an organisational level. In Proceedings of the 1st Salford Centre for Research and Innovation (SCRI) Symposium, Salford, UK, 1–2 April 2004; pp. 1–48.
  13. Kwak, Y.H.; Ibbs, C.W. Project Management Process Maturity (PM)2 Model. J. Manag. Eng. 2002, 18, 150–155.
  14. Kerzner, H. Strategic Planning for Project Management Using a Project Management Maturity Model; John Wiley & Sons: Hoboken, NJ, USA, 2001; 272p.
  15. Bay, A.F.; Skitmore, M. Project Management Maturity: Some Results from Indonesia. J. Build. Constr. Manag. 2006, 10, 2–15.
  16. Polkovnikov, A.V.; Ilina, O.N. The Reality of Project Management Practice in Russia: Study Results. Procedia Soc. Behav. Sci. 2014, 119, 805–810.
  17. Demir, C.; Kocabas, I. Project Management Maturity Model (PMMM) in educational organizations. Procedia Soc. Behav. Sci. 2010, 9, 1641–1645.
  18. Hillson, D. Assessing project management capability. J. Facil. Manag. 2003, 2, 298–311.
  19. Hillson, D. Towards Risk Maturity Model. Int. J. Proj. Bus. Risk Manag. 1997, 1, 35–37.
  20. Backlund, F.; Choronner, D.; Sundqvist, E. Project Management Maturity Models—A Critical Review. A case study within Swedish engineering and construction organizations. In Proceedings of the 27th IPMA World Congress, Dubrovnik, Croatia, 30 September–3 October 2013; Volume 119, pp. 837–846.
  21. Anderson, E.S.; Jessen, S.A. Project maturity in organizations. Int. J. Proj. Manag. Account. 2003, 21, 457–461.
  22. Chapman, R. Simple Tools and Techniques for Enterprise Risk Management, 2nd ed.; Wiley: Hoboken, NJ, USA, 2011; 680p.
  23. Tembo, E.; Rwelamila, P. Project Management Maturity in Public Sector Organisations: The Case of Botswana; Fraunhofer-Informationszentrum Raum und Bau IRB: Stuttgart, Germany, 2018; pp. 1–11.
  24. Ofori, D.; Deffor, E.W. Assessing Project Management Maturity in Africa: A Ghanaian Perspective. Int. J. Bus. Adm. 2013, 4, 41–61.
  25. Alkhyyoon, H.; Abbaszadeh, M.R.; Zadeh, F.N. Organizational Risk Management and Performance from the Perspective of Fraud: A Comparative Study in Iraq, Iran, and Saudi Arabia. J. Risk Financ. Manag. 2023, 16, 205.
  26. Zinchenko, Y.; Asimit, A.V. Modeling Risk for CVaR-Based Decisions in Risk Aggregation. J. Risk Financ. Manag. 2023, 16, 266.
  27. Cienfuego, I. Developing a Risk Maturity Model for Dutch Municipalities. Ph.D. Thesis, University of Twente, Enschede, The Netherlands, 2013; 227p.
  28. Jugdev, K.; Thomas, J. Project Management Maturity Models: The Silver Bullets of Competitive Advantage? Proj. Manag. J. 2002, 33, 4–14.
  29. Montero, G. Analysis of Common Maturity Models Applied to Project Management. In Proceedings of the 7th International Conference on Industrial Engineering and Industrial Management XVII Congreso de Ingeniería de Organización, Valladolid, Spain, 11–12 July 2013; pp. 788–794.
  30. Khoshgoftar, M.; Osman, O. Comparison of Maturity Models. In Proceedings of the 2nd International Conference on Built Environment in Developing Countries, Penang, Malaysia, 3–4 December 2008; pp. 953–964.
  31. Calzadilla AC, G.; Villarreal, M.S.; Jerónimo JM, R.; López, R.F. Risk Management in the Internationalization of Small and Medium-Sized Spanish Companies. J. Risk Financ. Manag. 2022, 15, 361.
  32. Kalina, I.; Khurdei, V.; Shevchuk, V.; Vlasiuk, T.; Leonidov, I. Introduction of a Corporate Security Risk Management System: The Experience of Poland. J. Risk Financ. Manag. 2022, 15, 335.
  33. Foli, S.; Durst, S.; Davies, L.; Temel, S. Supply Chain Risk Management in Young and Mature SMEs. J. Risk Financ. Manag. 2022, 15, 328.
  34. Proenca, D.; Estevens, J.; Vieira, R.; Borbinha, J. Risk Management a Maturity Model based on ISO 31000. In Proceedings of the 2019 IEEE 19th Conference on Business Informatics, Thessaloniki, Greece, 24–27 July 2019; pp. 99–108.
  35. ISO 31000:2009; Risk Management—Principles and Guidelines. ISO: Geneva, Switzerland, 2013; 34p.
  36. Management of Risk: Guidance for Practitioners; The Office of Government Commerce—AXELOS: London, UK, 2010; 145p.
  37. Enterprise Risk Management. Integrating with Strategy and Performance; Committee of Sponsoring Organizations of the Treadway Commission (COSO): San Francisco, CA, USA, 2004; 16p.
  38. Farrell, M.; Gallagher, R. The Implications on Enterprise Risk Management Maturity. J. Risk Insur. 2015, 82, 625–657.
  39. Tjahiono, S. Enterprise Risk Management Implementation Maturity in Financial Companies. Etikonomi 2017, 16, 173–186.
  40. ISO/IEC 26514:2008; Systems and Software Engineering—Requirements for Designers and Developers of User Documentation. ISO: Geneva, Switzerland, 2008; 143p.
  41. Zou, P.; Chen, Y.; Chan, T. Understanding and Improving Your Risk Management Capability: Assessment Model for Construction Organization. J. Constr. Eng. Manag. 2010, 136, 854–864.
  42. Tsurkan, M.V.; Nikolaenko, V.S. Universal maturity model of Project Management: Project integration management. Manag. Today 2019, 2, 150–157.
  43. De Bakker, K.; Boonstra, A.; Wortmann, H. The Communicative Effect of Risk Identification on Project Success. Proj. Organ. Manag. 2014, 6, 138–156.
  44. Royce, W.W. Managing the Development of Large Software Systems; TRW: Livonia, MI, USA, 1970; 11p.
  45. Raymond, E. The Art of Unix Programming; Addison-Wesley: Boston, MA, USA, 2003; 549p.
  46. Nikolaenko, V.; Sidorov, A. Assessment of Project Management Maturity Models Strengths and Weaknesses. J. Risk Financ. Manag. 2023, 16, 121.
  47. Kanoujiya, J.; Abraham, R.; Rastogi, S.; Bhimavarapu, V.M. Transparency and Disclosure and Financial Distress of Non-Financial Firms in India under Competition: Investors’ Perspective. J. Risk Financ. Manag. 2023, 16, 217.
  48. Tikhomirov, P.; Boychuk, Y.; Chumakova, E. A High Proportion of Contract Cancellations within the Framework of the Law on the Contract System; Analytical Center: Moscow, Russia, 2021; 40p.
Figure 1. Maturity maps in the field of risk management, where (a)—MojeKeramik project, (b)—VV project, (c)—Beethoven project.
Table 1. The Risk Management Maturity Model (RM Maturity Model).
Maturity Level of Risk Management | Risk Management Sub-Processes
Level 5. Optimizing
  5.1—Finding potential areas for improvement
  5.2—Improvement of existing risk management processes and tools
  5.3—Evaluation of the improvement effect
  5.4—Determination of risk sources and possible consequences
  5.5—Proactive work on risk sources and possible consequences
Level 4. Quantitatively Managed
  4.1—Every risk management process has quantitative indicators
  4.2—Special techniques for quantitative measurement are used
  4.3—The risk analysis process is quantified
  4.4—The risk assessment process is quantified
  4.5—Frequent and comprehensive reporting of risk management performance
Level 3. Defined
  3.1—The organization provides systematic training in risk management
  3.2—Risk management is integrated into all organizational processes
  3.3—The organization defines a rationale for managing risk
  3.4—Responsibilities for risk management are identified for every position in the organization
  3.5—All identified risks have an owner
  3.6—All trades are analyzed for risks
  3.7—Risk management complies with regulatory and legal requirements
  3.8—Stakeholders are involved in risk management processes
  3.9—Information about risks is disseminated promptly and communicated to all interested parties
  3.10—There is a communication and consultation plan
  3.11—The organization establishes its external and internal context
  3.12—The organization defines risk criteria
  3.13—The organization’s goals and objectives for risk management are the same across the entire organization and are aligned with all other organizational objectives, consistent with the goals and objectives of the organization
  3.14—Risks are found, recorded and described
  3.15—Determination of the risk level
  3.16—Identified risks are compared with previously materialized risks
  3.17—Measures are developed for identified risks
  3.18—There is a procedure to identify potential positive risks
  3.19—Risks associated with unused opportunities are identified
  3.20—Study of the interdependence between identified risks and their sources
  3.21—Determination of risk sensitivity to management decisions
  3.22—Cost/benefit analysis for each risk treatment option
  3.23—Monitoring of secondary risks
  3.24—Risk management activities are reordered
  3.25—All risk management activities are monitored and reviewed
  3.26—There is a schedule for risk management activity monitoring and review
Level 2. Managed
  2.1—People are assigned to risk management
  2.2—Resources are available for risk management
Level 1. Initial
  1.1—There is a risk management report
Table 2. Research results of M. Farrell and R. Gallagher.
Maturity Level | Number of Organizations, Pcs. | %
Level 1. Ad hoc | 19 | 8.44
Level 2. Initial | 64 | 28.44
Level 3. Repeatable | 93 | 41.33
Level 4. Managed | 48 | 21.33
Level 5. Leadership | 1 | 0.44
Total | 255 | 100.00
Table 3. Research results of M. Farrell and R. Gallagher.
Economic Sector | Amount | Level 1. Ad Hoc | Level 2. Initial | Level 3. Repeatable | Level 4. Managed | Level 5. Leadership
Trade and services | 26 | 23 | 0 | 2 | 1 | 0
Shipping | 12 | 7 | 0 | 1 | 3 | 1
Extraction, transportation, processing and storage of minerals | 10 | 0 | 2 | 2 | 5 | 1
Agriculture | 5 | 2 | 3 | 0 | 0 | 0
Rental and sale of real estate | 13 | 8 | 2 | 3 | 0 | 0
Construction | 9 | 9 | 0 | 0 | 0 | 0
Chemical industry | 15 | 12 | 0 | 1 | 2 | 0
Industry | 10 | 6 | 2 | 0 | 2 | 0
Amount, pcs. | 100 | 67 | 9 | 9 | 13 | 2
Table 4. RM3 attributes.
Attribute | Attribute Description
1. General risk management in the organization
  1.1. The management of the organization is actively involved in the development of risk management
  1.2. Information about risks is promptly communicated to all interested stakeholders
  1.3. Tools and methods of risk management are integrated into organization management and project management systems
  1.4. Management allocates all necessary resources for risk management
2. Corporate risk-based culture
  2.1. All employees of the organization confidently apply risk management in their workplaces
  2.2. The organization’s management and project teams allocate responsibility for risk management and appoint risk owners
  2.3. Risk management is being actively used at all levels of the organization
3. Risk identification
  3.1. Risk identification is carried out for each new project
  3.2. Information about identified risks is processed, grouped and communicated to each stakeholder
  3.3. Previously identified risks are systematically reviewed
  3.4. Materialized risks are compared with the risks that were previously recorded in the risk register
4. Risk Analysis
  4.1. All employees of the organization are proficient in quantitative and qualitative methods of risk analysis
  4.2. The probability of occurrence of risks and their possible impact in cases of materialization are determined as accurately as possible
  4.3. Received risk analysis data are considered when making management decisions
  4.5. The results of the risk analysis are considered when allocating resources
5. Standardization of risk management processes
  5.1. Risks are identified and analyzed constantly
  5.2. Risk information is disseminated to all stakeholders at all phases of the project life cycle
  5.3. The risk management process is systematically reviewed
Table 5. Risk Management Maturity Model (RM3).
Level | Level Description
Level 4. Optimized
  4.1. A proactive approach to risk management is applied. Information about risks is aimed at increasing competitive advantages.
  4.2. Risk management is integrated into all business processes of the organization.
  4.3. Systematic training of employees of the organization in risk management.
Level 3. Managed
  3.1. The management of the organization supports risk management implementation.
  3.2. Those responsible for risks are designated; risk owners are assigned.
Level 2. Repeatable
  2.1. Risks are managed differently in different projects.
  2.2. Information about the risks that have occurred in past projects is analyzed and used in new projects.
  2.3. The successes obtained in risk management can be repeated in new projects.
  2.4. There are no generally accepted risk management standards.
Level 1. Initiate
  1.1. The organization does not apply risk management.
  1.2. There has been no attempt to identify project risks and/or develop mitigation plans for materialized risks.
  1.3. Proactive measures are not applied.
Table 6. Assessment of maturity models in the field of risk management.
Characteristic | RM Maturity Model | Management of Risk Maturity Model | RMM | RM3
Body of knowledge | Yes | Yes | Yes | No
Empirical evidence | No | No | Yes | Yes
Elimination of risks | No | Yes | Yes | Yes
Structural and infrastructure elements | Yes | No | Yes | No
Risk-based corporate culture | No | No | No | No
Professional maturity of specialists responsible for risk management | No | No | No | No
Total: | 2 (Yes) | 2 (Yes) | 4 (Yes) | 2 (Yes)
Table 7. Maturity levels of the author’s risk management maturity model in IT projects.
Maturity Level | Maturity Level Name | Description of Maturity Level
Level 0 | Absent | This level is characterized by the absence of project and risk management.
Level 1 | Initial | Specialists are trying to manage risks and eliminate 55 project risks, but risk management is unsystematic. It should be noted that project risks are risks whose materialization affects one goal of the project (content, duration, cost, quality) or a combination of them. These risks become relevant due to the actions and (or) inaction of IT project managers and members of project teams, as well as due to the equipment, technologies and software used. In addition, this level is characterized by the fact that the actual results of IT projects often do not correspond to the developed plans, as well as by the fact that risks are managed differently in different IT projects.
Level 2 | Random | Specialists responsible for risk management eliminate 5 commercial and 45 compliance risks. The commercial risks of IT projects are any potential threats that may prevent interested parties from profiting from the operation of developed IT products. For example, the actions of competitors, piracy and (or) the presence of substitute goods on the IT market can negatively affect the commercial potential of developed IT products. Compliance risks of IT projects are understood as possible non-compliance with regulations, rules, standards and codes of conduct, where non-compliance manifests itself in the form of legal sanctions from regulatory and supervisory authorities, industry associations, as well as people whose rights and interests have been violated. However, despite the elimination of 105 risks, this process is unstable, non-repeatable and random. The best risk management practices are not formalized and are not fixed in standards, which creates the risk of losing these practices with the departure of the specialists responsible for risk management.
Level 3 | Standardized | The best risk management practices developed by the predecessors are enshrined in the internal standards of the organization. The specialists responsible for risk management are guided by these regulatory documents. Risk management is constantly being improved by identifying new best practices.
Table 8. Attributes of the author’s risk management maturity model in IT projects.
Attribute | Responsible Party | Attribute Description
Risk management mechanism | Management of the organization | The risk management mechanism is a system-forming component of risk management that builds the basis for the guaranteed achievement of goals; the organization’s management creates its structural and infrastructural elements [43].
Risk Management Plan | Specialist | Document containing the risk management algorithm.
Risk identification | Specialist | The process of identifying probable events that could have both negative and positive impacts on strategic, tactical, operational and project objectives.
Risk Analysis | Specialist | The process of risk research (risk factors, risk sources, possible consequences in cases of risk materialization) with their subsequent classification.
Risk assessment | Specialist | The process of ranking risks, which quantitatively measures the likelihood of risks occurring and the impact on strategic, tactical, operational and project goals in cases of risk materialization, and also determines the time for updating risks.
Impact on risks | Specialist | The process of developing measures to prevent risks, as well as measures to overcome risks with dignity.
Risks monitoring | Specialist | The process of identifying previously unidentified risks.
Risk control | Specialist | The process of systematic monitoring of identified risks.
Assessing the effectiveness and efficiency of risk management | Specialist and Organisation management | The process of developing criteria for assessing, reviewing and evaluating (best) risk management practices used in projects.
Risk-oriented corporate culture | Specialist and Organisation management | A set of tactics and best individual and group risk management practices that have proved their effectiveness and efficiency in past projects. The best practices are enshrined in internal standards and stored in the best practices body of knowledge.
Table 9. Criteria for determining the maturity level of risk management in IT projects.

| Attribute | Level 1. Initial | Level 2. Random | Level 3. Standardized |
|---|---|---|---|
| Risk management mechanism | The functional role of the specialist responsible for risk management is underlined. | The risk management budget is approved. There is a position for a specialist responsible for risk management. A job description and other acts are created that describe the purpose, functions, rights, duties, responsibilities, qualification requirements, etc. | A project office is set up. |
| Risk management plan | Rough risk management plan. | The risk management plan is developed according to the requirements of the PMBOK® Guide, ICB IPMA, PRINCE2®, ISO, etc. | The risk management plan is developed according to standards established on the basis of the best practices developed by predecessors. The project office audits the development of the risk management plan in an IT project. |
| Risk identification | Identification section of the risk register. | Risk identification is carried out in accordance with the PMBOK® Guide, ICB IPMA, PRINCE2®, ISO, etc. | The risk identification process proceeds according to standards developed on the basis of the best practices developed by predecessors. The project office audits the risk identification process in an IT project. |
| Risk analysis | Absent. | Risk analysis is carried out in accordance with the PMBOK® Guide, ICB IPMA, PRINCE2®, ISO, etc. | The risk analysis process proceeds according to standards developed on the basis of the best practices developed by predecessors. The project office audits the risk analysis process in an IT project. |
| Risk assessment | Absent. | Risk assessment is carried out in accordance with the PMBOK® Guide, ICB IPMA, PRINCE2®, ISO, etc. | The risk assessment process proceeds according to standards developed on the basis of the best practices developed by predecessors. The project office audits the risk analysis process in an IT project. |
| Impact on risks | Rough risk-taking plan (Plan B). | Impact on risks is carried out in accordance with the PMBOK® Guide, ICB IPMA, PRINCE2®, ISO, etc. | The process of impact on risks proceeds according to standards developed on the basis of the best practices developed by predecessors. The project office audits the risk management process in an IT project. |
| Risk monitoring | Absent. | Risk monitoring is carried out in accordance with the PMBOK® Guide, ICB IPMA, PRINCE2®, ISO, etc. | The risk monitoring process proceeds according to standards developed on the basis of the best practices developed by predecessors. The project office audits the risk monitoring process in an IT project. |
| Risk control | Absent. | Risk control is carried out in accordance with the PMBOK® Guide, ICB IPMA, PRINCE2®, ISO, etc. | The risk control process proceeds according to standards developed on the basis of the best practices developed by predecessors. The project office audits the risk control process in an IT project. |
| Assessing the effectiveness and efficiency of risk management | Absent. | Register of lessons learned. | The best risk management practices are included in the best practices body of knowledge. The project office identifies, analyzes, evaluates, disseminates and updates the best practices. |
| Culture of risk management | Absent. | The specialist is guided by the identified best risk management practices. | The specialist is guided by standards developed on the basis of the best practices developed by predecessors. |
Table 10. Characteristics of IT projects MojeKeramik, VV and Beethoven.

| Characteristic | MojeKeramik | Beethoven | VV |
|---|---|---|---|
| Project scale | Short-term project | Medium-term project | Long-term project |
| Concept for IT product development | Waterfall | Waterfall | Agile |
| Payment system | Fixed Price | Fixed Price | Time and Material |
| Number of participants | 4 | 4 | 12 |
| Actual schedule deviation from the planned one | 4 months | Project is not completed | Project is not completed |