Next Article in Journal
Transportation Resilience Modeling and Bridge Reconstruction Planning Based on Time-Evolving Travel Demand during Post-Earthquake Recovery Period
Previous Article in Journal
Seismic Response of Earth-Rock Dams with Innovative Antiseepage Walls on the Effect of Microscopic Fluid-Solid Coupling
Previous Article in Special Issue
Sustainable Metrics in Project Financial Risk Management
 
 
Search for Articles:
Title / Keyword
Author / Affiliation / Email
Journal
Article Type
 
 
Advanced Search
 
Section
Special Issue
Volume
Issue
Number
Page
 
Journals
Sustainability
Volume 15
Issue 17
10.3390/su151712752
Review Report
sustainability-logo
Submit to this Journal Review for this Journal Propose a Special Issue
Article Menu

Article Menu

share Share announcement Help format_quote Cite question_answer Discuss in SciProfiles
Article
Peer-Review Record

Assessing the Maturity Level of Risk Management in IT Projects

Sustainability 2023, 15(17), 12752; https://doi.org/10.3390/su151712752
by Valentin Nikolaenko and Anatoly Sidorov *
Reviewer 2:
Aleksandar Milic
Reviewer 3:
Jon Tømmerås Selvik
Sustainability 2023, 15(17), 12752; https://doi.org/10.3390/su151712752
Submission received: 13 June 2023 / Revised: 21 July 2023 / Accepted: 17 August 2023 / Published: 23 August 2023
(This article belongs to the Special Issue Sustainability in Project Management)

Round 1

Reviewer 1 Report

The article explores the maturity level of risk management in IT projects. Overall are good. Well done. However, the followings require the author to reconsider:

1. The title is not appropriate, especially for the word “determining”. Need to rephrase.

2. Abstract – need to justify the methodology that is able to relate it to the main findings. 

3. The main topic is well explained but the main question is not well addressed by the research. Why is it required to determine because the existing model is proven effective? Or otherwise, the author should highlight the limitations of the existing model for several circumstances. 

4. How does your model been developed? What is the basis?

5. There is a lack of the latest citation being referred to except for the author's previous articles (Self-citation). How do we know the issue are still relevant?

6. Need to add a subtopic for “method” to guide the reader when reading the findings. 

7. Conclusion is too general. Need to consider a novel outcome from the research as a new guide for future work, if any. 

Author Response

The authors of the article are grateful to the esteemed Reviewer for the time given to us and for the careful acquaintance with our work. Your opinion is very important to us and our research. The authors would also like to express their deep gratitude for the interest shown in our manuscript and for the comments made. According to the recommendations of a respected Reviewer, we have made the following changes to the text of the article.

Point 1: The title is not appropriate, especially for the word “determining”. Need to rephrase.

The title has been updated in accordance with the comment. The verb "evaluation" is used. The new heading reads “Assessing the maturity level of risk management in IT-projects”.

Point 2. Abstract – need to justify the methodology that is able to relate it to the main findings. 

The Abstract has been updated in accordance with the comment. In particular, it was added that the analysis of these models allows identifying methods and mechanisms for determining maturity levels, to identify strengths and weaknesses for each model, and to study the findings obtained from their use. Based on the data obtained the author’s risk management maturity model in IT-projects was developed and tested, considering the strengths and weaknesses of the analyzed models.

Point 3. The main topic is well explained but the main question is not well addressed by the research. Why is it required to determine because the existing model is proven effective? Or otherwise, the author should highlight the limitations of the existing model for several circumstances. 

The developed author's model allows determining the best contractors (executors, suppliers) who can guarantee the creation of the desired IT-products, the successful completion of IT-projects and the conscientious fulfillment of all obligations stipulated by commercial and (or) government contracts. This conclusion is fixed in the last paragraph of section 4 "Results of the Risk Management Maturity Model in IT-Projects testing".

Also, the following information was added to section 4 “Results of the Risk Management Maturity Model in IT-Projects testing”.

It is worth noting that there are universal problems for both commercial and state (municipal) customers. They are a high probability of concluding contracts with unscrupulous, unreliable and insufficiently qualified contractors (performers, suppliers), finding a balance between the quality of work performed (services provided, goods supplied) and an affordable market price, as well as low chances for successful closing of transactions. In particular, according to data from the Automated Information System "Monitoring" (AIS "Monitoring") for 2017-2019, the average level of execution of public contracts before their termination was 66% [48]. Among the main reasons for the termination of contracts, experts of AIS "Monitoring" name a significant failure of contractors (performers, suppliers) to perform its obligations, where their dishonesty and insufficient qualification were especially acute during the performance of work on the IT-products development.

Point 4. How does your model been developed? What is the basis?

Section 3 «Risk Management Maturity Model in IT-Projects» has been updated in accordance with the comment. Information on how the author's risk management maturity model in IT-projects was developed has been added.

Point 5. There is a lack of the latest citation being referred to except for the author's previous articles (Self-citation). How do we know the issue are still relevant?

The relevance of creating a risk management maturity model in IT-projects is due to the need to identify the best contractors (performers, suppliers) who can guarantee the development of the desired IT-products, the successful completion of IT-projects and the conscientious fulfillment of all obligations stipulated by commercial and (or) government contracts. Research conducted by Nikolaenko V. and Sidorov A. in the work "Analysis of 105 IT-Project Risks" showed that during the implementation of IT-projects more than a hundred different risks can materialize. The results of the approbation made it possible to establish that the higher the level of maturity of risk management in IT-projects, the greater the number of risks preventively eliminated by the contractor (executor, supplier).

Also, the relevance of the development is confirmed by the data of the Automated Information System "Monitoring" (AIS "Monitoring") according to which for 2017-2019, the average level of execution of public contracts before their termination was 66%. Among the main reasons for the termination of contracts, experts of AIS "Monitoring" name a significant failure of contractors (performers, suppliers) to perform its obligations, where their dishonesty and insufficient qualification were especially acute during the performance of work on the IT-products development.

In addition, the empirical data from The Standish Group International can be an example of relevance. According to these data the share of successfully completed short-term IT-projects is 67%, and the share of medium-term and long-term IT-projects is 10%. These statistics confirm the need to determine the level of risk management maturity in IT-projects in order to increase their chances of successfully achieving project goals.

Point 6. Need to add a subtopic for “method” to guide the reader when reading the findings. 

The point has been covered. The title of section 3 "Author's maturity model of risk management in IT-projects" has been improved.

Point 7. Conclusion is too general. Need to consider a novel outcome from the research as a new guide for future work, if any. 

The point has been covered. Information about plans for further research has been added to section 6 "Conclusions". In particular, it is planned to increase the number of studied IT-projects and to quantify the results obtained. The quantitative assessment will be carried out in order to identify the magnitude of the positive effect that can be obtained by IT-organizations from increasing the level of maturity in the field of risk management. To achieve the planned goal, the level of maturity in more than 50 IT-projects of various durations and various management methods will be evaluated. Assessment of the level of maturity in IT projects will be carried out as part of a universal roadmap, which is also planned for development and publication in subsequent works.

Since all corrections have been made, we hope that the manuscript will now be accepted without any further changes.

We look forward to hearing from you regarding the submission of our manuscript. We will be happy to answer any additional questions and comments you may have.

Sincerely, the team of authors of the article.

Reviewer 2 Report

The authors presented the results of the work that enables the determination of the current level of maturity of risk management in IT projects, the identification of management problems in these projects and the development of recommendations for moving to a higher level of management. The obtained results showed that the transition to the "Standardized" level of maturity eliminates 105 universal risks and significantly increases the chances of successfully achieving the planned goals of the project. 39 literature titles were used in the work. (only 5 papers are from the last 5 years).

 

The contribution of the work is expressed in the following:

- coverage of the research in order to define the issue of relationship to risk assessment.

- a model for a more complete assessment of the maturity of risk management and definition of recommendations for improving risk management is presented.

- On the basis of the presented coverage of the literature, it can be concluded that an objective critical approach to the existing models was carried out.

- Clear tasks for further research with precise direction

 

The paper has potential and can be accepted after the following MAJOR corrections:

 

1. The use of generally marked shortcuts is acceptable (IT-program). However, it is mandatory to state the full name during the first presentation in the paper. (example is line 21: ETC program; line 126: OGC?)

2. The defined list of mandatory characteristics that the model should have in order to eliminate the most dangerous risks, determine the real economic benefits from the functioning of the risk management process and the continuous development of organizations should be explained in more detail. It is not enough to refer to the risk management maturity model analysis.

3. Technically process table 6. (different fonts appear)

4. Review works in the last 5 years (a smaller number of works are presented). It is likely that there is some other work that deals with the mentioned problem.

5. Checking the offered model on one representative does not allow a clear overview of the advantages and disadvantages of the model. Application in the manner presented allows for confirmation that the model "works". The quality of the work would be greatly improved if the analysis was performed on a larger number of representatives of different categories.

6. It is necessary to incorporate a criterion that deals with the issue of assessing the economic effect that organizations get from moving to higher levels of maturity and then perform an analysis.

7. Well-presented tasks for further research.

Author Response

The authors of the article are grateful to the esteemed Reviewer for the time given to us and for the careful acquaintance with our work. Your opinion is very important to us and our research. The authors would also like to express their deep gratitude for the interest shown in our manuscript and for the comments made. According to the recommendations of a respected Reviewer, we have made the following changes to the text of the article.

Point 1. The use of generally marked shortcuts is acceptable (IT-program). However, it is mandatory to state the full name during the first presentation in the paper. (example is line 21: ETC program; line 126: OGC?)

The point has been covered. The "ETC program" has been replaced by the generally accepted "IT-product". The content of the abbreviation OGC - The Office of Government Commerce is disclosed.

Point 2. The defined list of mandatory characteristics that the model should have in order to eliminate the most dangerous risks, determine the real economic benefits from the functioning of the risk management process and the continuous development of organizations should be explained in more detail. It is not enough to refer to the risk management maturity model analysis.

The point has been covered.

Table 7 "Maturity levels of the author's risk management maturity model in IT-projects" presents the key qualifications that allow identifying the current level of risk management maturity in IT projects and determine the next steps to move to a higher level of maturity. It is important to note that when Level 2 is reached, 105 universal risks are eliminated, the list of which is provided in the work of Nikolaenko V., Sidorov A. Analysis of 105 IT-Project Risks.

Also, section 6 "Conclusions" is supplemented by the information about plans for further research. In particular, it is planned to increase the number of studied IT-projects and to quantify the results obtained. The quantitative assessment will be carried out in order to identify the magnitude of the positive effect that can be obtained by IT-organizations from increasing the level of maturity in the field of risk management. To achieve the planned goal, the level of maturity in more than 50 IT-projects of various durations and various management methods will be evaluated. Assessment of the level of maturity in IT-projects will be carried out as part of a universal roadmap, which is also planned for development and publication in subsequent works.

Point 3. Technically process table 6. (different fonts appear)

The point has been covered.

Point 4. Review works in the last 5 years (a smaller number of works are presented). It is likely that there is some other work that deals with the mentioned problem.

The point has been covered. The following publications have been added:

  1. Kanoujiya J., Abraham R., Rastogi S., Bhimavarapu V.M. Transparency and Disclosure and Financial Distress of Non-Financial Firms in India under Competition: Investors’ Perspective. Journal of Risk and Financial Management, 2023, 16(4), pp. 1-20.
  2. Alkhyyoon H., Abbaszadeh M.R., Zadeh F.N. Organizational Risk Management and Performance from the Perspective of Fraud: A Comparative Study in Iraq, Iran, and Saudi Arabia. Journal of Risk and Financial Management, 2023, 16(3), pp. 1-27.
  3. Zinchenko Y., Asimit A.V. Modeling Risk for CVaR-Based Decisions in Risk Aggregation. Journal of Risk and Financial Management, 2023, 16(5), pp. 1-22.
  4. Cyberpunk 2077. The Complete Official Guide. CD Projekt RED. 2020, 151 p.
  5. Tikhomirov P., Boychuk Y., Chumakova E. A high proportion of contract cancellations within the framework of the law on the contract system. Analytical Center, 2021, 40 p.
  6. Nikolaenko V., Sidorov A. Assessment of Project Management Maturity Models Strengths and Weaknesses. Journal of Risk and Financial Management, 2023. Vol. 16(2). pp. 1-19.
  7. Calzadilla A. C. G., Villarreal M. S., Jerónimo J. M. R., López R. F. Risk Management in the Internationalization of Small and Medium-Sized Spanish Companies. Journal of Risk and Financial Management, 2022, 15(8), pp. 1-21.
  8. Kalina I., Khurdei V., Shevchuk V., Vlasiuk T., Leonidov I. Introduction of a Corporate Security Risk Management System: The Experience of Poland. Journal of Risk and Financial Management, 2022, 15(8), pp. 1-27.
  9. Foli S., Durst S., Davies L., Temel S. Supply Chain Risk Management in Young and Mature SMEs. Journal of Risk and Financial Management, 2022, 15(8), pp. 1-15.

Point 5. Checking the offered model on one representative does not allow a clear overview of the advantages and disadvantages of the model. Application in the manner presented allows for confirmation that the model "works". The quality of the work would be greatly improved if the analysis was performed on a larger number of representatives of different categories.

The point has been covered. Section 6 "Conclusions" is supplemented by the information about plans for further research. In particular, it is planned to increase the number of studied IT-projects and to quantify the results obtained. The quantitative assessment will be carried out in order to identify the magnitude of the positive effect that can be obtained by IT-organizations from increasing the level of maturity in the field of risk management.

Point 6. It is necessary to incorporate a criterion that deals with the issue of assessing the economic effect that organizations get from moving to higher levels of maturity and then perform an analysis.

The point has been covered. Section 6 "Conclusions" is supplemented by the information about plans for further research. In particular, in further studies it is planned to assess the level of maturity in more than 50 IT-projects of various duration and various management methods (Agile, Waterfall, etc.).

Point 7. Well-presented tasks for further research.

The point has been covered. Section 6 "Conclusions" has been supplemented by the information that further assessment of the maturity level of risk management in IT-projects will be carried out using the universal roadmap, which is also planned for development and publication in subsequent works.

Since all corrections have been made, we hope that the manuscript will now be accepted without any further changes.

We look forward to hearing from you regarding the submission of our manuscript. We will be happy to answer any additional questions and comments you may have.

Sincerely, the team of authors of the article.

Reviewer 3 Report

The article points to the importance of a mature risk management framework and covers a broad specter of aspects important for quality. However, the fundamental understanding related to maturity is lacking in the article. The authors should to a larger extent motivate the need to capture maturity level in a risk management context and also how to understand “maturity”.

Besides, there is need to clarify what characterizes IT projects in order to understand how these are distinct to other types of projects. And then use this in description of the method used to develop an approach or model for analyzing the maturity level. Per now, the development appears a bit random.

Finally, the discussion part can be strengthened, and should cover a more general reflection on the usefulness of the method and model selected for IT projects. It is a bit too quick on pros and cons.

Author Response

The authors of the article are grateful to the esteemed Reviewer for the time given to us and for the careful acquaintance with our work. Your opinion is very important to us and our research. The authors would also like to express their deep gratitude for the interest shown in our manuscript and for the comments made. According to the recommendations of a respected Reviewer, we have made the following changes to the text of the article.

Point 1. The article points to the importance of a mature risk management framework and covers a broad specter of aspects important for quality. However, the fundamental understanding related to maturity is lacking in the article. The authors should to a larger extent motivate the need to capture maturity level in a risk management context and also how to understand “maturity”.

Besides, there is need to clarify what characterizes IT projects in order to understand how these are distinct to other types of projects. And then use this in description of the method used to develop an approach or model for analyzing the maturity level. Per now, the development appears a bit random.

Finally, the discussion part can be strengthened, and should cover a more general reflection on the usefulness of the method and model selected for IT projects. It is a bit too quick on pros and cons.

The point has been covered. Section «Introduction» is supplemented by the information indicating the features of IT-project management and properties of IT-projects. In particular, the following has been added.

The incrementality of IT-products is the ability to add new data and commands to the program code in order to expand functionality and correct program errors (bugs). A striking example of incrementality is the computer game “Cyberpunk 2077”, which was released at the end of 2020. Despite the fact that the final version of the game was released comparatively long ago, the developer organization "CD Projekt RED" systematically releases updates, improving technical characteristics, fixing bugs and adding new content. For example, in September 2022, the developer released patch 1.6, which added content from the “Cyberpunk: Edgerunners” series, which premiered in the autumn of 2022 on Netflix. Incrementality radically distinguishes an IT product from the work results obtained in classic projects (construction, educational, sports, etc.). In particular, separate parts of IT-products can be developed in parallel, while in classic projects the desired result is obtained only in case of compliance with a certain sequence of actions.

Another feature of IT-products is high technology. High technology of IT-products imposes certain restrictions on IT-projects. For example, workers with the special professional competencies may be involved in the program code development. In particular, a programmer must have a minimum level of professional qualifications, a test specialist, a database administrator and a system analyst must have a secondary specialized education, a specialist in graphical user interface design must have professional training for up to one year, and a project manager in the field of IT – a higher education.

Based on the foregoing, it can be concluded that the complexity of implementing IT-projects, the incremental and high technology of IT-products necessitate a high level of maturity. Otherwise, if the maturity of IT-project management is low, then there is a high probability that there will be no guarantees of creating the desired IT products, successfully achieving the goals of IT-projects and conscientiously fulfilling all obligations stipulated by commercial and (or) government contracts.

Section 5 "Discussion" is proposed to be left unchanged, since this section compares the data obtained by the authors of this article with the results of predecessors, such as D. Proenca, J. Estevens, R. Vieira and J. Borbinha.

Since all corrections have been made, we hope that the manuscript will now be accepted without any further changes.

We look forward to hearing from you regarding the submission of our manuscript. We will be happy to answer any additional questions and comments you may have.

Sincerely, the team of authors of the article.

Round 2

Reviewer 2 Report

I am grateful for the opportunity to look at the results of the work that enables the determination of the current maturity level of risk management in IT projects, the identification of management problems in these projects and the development of recommendations for moving to a higher level of management. A model for a more complete assessment of the maturity of risk management and definition of recommendations for the improvement of risk management is presented. On the basis of the presented coverage of the literature, it can be concluded that an objective critical approach to the existing models was carried out. There are clear tasks for further research with a precise direction The work has potential and can be accepted.

Author Response

The authors of the publication express their gratitude for the positive assessment of the peer-reviewed work. It is planned to continue the research of risk management maturity models in IT projects. In particular, in the following works it is planned to increase the number of studied IT projects and to quantify the results obtained. The purpose of the quantification will be to identify the magnitude of the positive impact on IT organizations from increasing the level of maturity in the area of risk management. To achieve the planned goal, the level of maturity in more than 50 IT projects of various duration and using various management methods will be assessing. The assessment of the maturity level in IT projects will be carried out as part of a universal roadmap, which is also planned for development and publication in subsequent works.

Reviewer 3 Report

The article has a focus on how to assess the maturity level for risk management in IT projects, and to achieve this, the authors propose a new “synthesis model” based a review of the most popular ones developed over the past couple of decades. This suggesting the existing models to be inappropriate for such assessments when facing IT projects, and the authors give some argumentation for why.  However, how to go from there to the new model is not obvious. Per now the link between the old models and this new one proposed is not sufficiently clear. The authors could be more specific on what is new in the proposed model compared with the existing ones. This is important for the reader to be able to understand the basis for the model, and it will minimize the need to cover all parts of the model in the same detail in the discussion. The authors should also elaborate on how the need to capture IT project characteristics are better addressed in the designing of the new model.  The characteristics presented seem to be equally relevant for the attributes belonging to the old models.

As a starting point, the authors should add a fundamental clarification regarding what is meant by “maturity”. Without a clarification, it is difficult to argue which attributes are important and should be included in the assessment and the new model. For example, “maturity” could relate to the effectiveness or quality of the process in terms of achieving goals and values, or it may simply relate to process compliancy to fundamental principles. The model will be dependent on this, and based on the scores given in Section 4, it seems like a definition towards the latter is implicitly given by the authors. If so, the authors should clarify the principles. It does not seem as it is the eight main risk management principles defined in ISO 31000:2018 that are the ones adopted.

In the model proposed, the highest level is characterized by aspects that should be complied to, scored from 0 to 3 in the maturity maps. Based on the analysis of three IT projects of different scale, the model is tested. As such, there should be a method part explaining how the model is to be tested before presenting any results. The selection of projects could also be placed into this new section.  By doing this it might be easier to separate results, discussion, and conclusions, which currently seems to be mixed together in sections 4, 5 and 6.

Finally, just a minor correction in the first paragraph of Section 2, where “and others” should be deleted as this is a listing of the most popular models available.

Author Response

The authors of the article are grateful to the esteemed Reviewer for the time given to us and for the careful acquaintance with our work. Your opinion is very important to us and our research. The authors would also like to express their deep gratitude for the interest shown in our manuscript and for the comments made. According to the recommendations of a respected Reviewer, we have made the following changes to the text of the article.

Point 1. The article has a focus on how to assess the maturity level for risk management in IT projects, and to achieve this, the authors propose a new “synthesis model” based a review of the most popular ones developed over the past couple of decades. This suggesting the existing models to be inappropriate for such assessments when facing IT projects, and the authors give some argumentation for why.  However, how to go from there to the new model is not obvious. Per now the link between the old models and this new one proposed is not sufficiently clear. The authors could be more specific on what is new in the proposed model compared with the existing ones. This is important for the reader to be able to understand the basis for the model, and it will minimize the need to cover all parts of the model in the same detail in the discussion. The authors should also elaborate on how the need to capture IT project characteristics are better addressed in the designing of the new model.  The characteristics presented seem to be equally relevant for the attributes belonging to the old models.

The point has been covered.  Section 3 "The author's risk management maturity model in IT projects" has been updated with the information that proves that the developed risk management maturity model in IT projects satisfies the generated characteristics presented in Section 2.5. In particular, the following information has been added.

It is important to note that the developed maturity model of IT projects risk management meets all the characteristics that were identified during the analysis of the most popular models (Section 2.5). Let's consider these characteristics in more detail:

  • Body of knowledge. The developed maturity model of IT projects risk management does not depend on the scale, complexity, number of participants and methods of managing IT projects (Waterfall, Agile). Therefore, the author's model is universal, so it could be used in any IT projects, regardless of the applied codes of knowledge (PMBOK® Guide, ICBIPMA, PRINCE2®, ISO etc.). This statement is confirmed by the criteria for the maturity level of risk management in IT projects, presented in Table 8 and Table 9. In particular, to achieve "Level 2. Random", such attributes as "Risk Management Plan", "Risk identification", "Risk analysis", "Risk assessment", "Impact on risks", "Risks monitoring" and "Risk control" must be carried out in accordance with the PMBOK® Guide, ICBIPMA, PRINCE2®, ISOetc.
  • Empirical data. The practical applicability of the developed model is confirmed. The author's risk management maturity model was used in 3 IT projects, the results are presented in Section 4. It is worth noting that the authors plan to conduct research in 50 IT projects in order to determine the positive effect for IT organizations from increasing the level of maturity in the area of risk management.
  • Elimination of risks. The empirical data obtained, presented in Section 4, allow establishing that when the maturity level increases, the likelihood of project and compliance risks decreases and the possible negative impact decreases if these risks materialize. However, the specific number of risks that were eliminated by increasing the maturity level could not be established at this stage of the research. In order to establish this value, it is necessary to carry out a number of improving measures in the studied IT organizations that increase the level of risk management maturity. This problem is planned to be solved at the next stages of research.
  • Structural and infrastructure elements. The planned goals of IT projects will not be successfully achieved unless structural and infrastructural elements are created, such as jobs, specialists, job descriptions, corporate standards, specialized equipment, etc. The developed model takes into account these features of the implementation of IT projects, which is confirmed by the attribute "Risk management mechanism", described in detail in Table 8 and Table 9. For example, at "Level 2. Random" the position of a specialist responsible for risk management is introduced, a job description and other acts are created that describe the purpose, functions, rights, obligations, responsibility, qualification requirements, etc.
  • Risk-oriented corporate culture. Behavior patterns and best individual and group risk management practices are the core of a risk-based corporate culture. The developed model also considers these features of the implementation of IT projects, as shown by the “Risk-oriented corporate culture” attribute presented in Table 8 and Table 9. For example, at "Level 3. Standardized", a specialist is guided by standards that are developed based on the best practices developed by predecessors .
  • Professional maturity of specialists responsible for risk management. In Section 2.5, it was noted that the effective and efficient use of risk management tools, mechanisms, methods and processes require specialists to have specialized knowledge. The developed model of IT projects risk management takes into account these features of the implementation of IT projects, which is confirmed by the assignment of responsibility (Table 8). For example, the development of a "Risk Management Plan" is the responsibility of a specialist who performs the functions of a risk manager in an IT organization and an IT project.

Point 2. As a starting point, the authors should add a fundamental clarification regarding what is meant by “maturity”. Without a clarification, it is difficult to argue which attributes are important and should be included in the assessment and the new model. For example, “maturity” could relate to the effectiveness or quality of the process in terms of achieving goals and values, or it may simply relate to process compliancy to fundamental principles. The model will be dependent on this, and based on the scores given in Section 4, it seems like a definition towards the latter is implicitly given by the authors. If so, the authors should clarify the principles. It does not seem as it is the eight main risk management principles defined in ISO 31000:2018 that are the ones adopted.

The points have been covered.  In particular, the following information has been added to the text. It should be noted that the attributes presented in Table 8 and Table 9 were selected through the analysis of the PMBOK® Guide, ICB IPMA, PRINCE2®, ISO, etc. products. The maturity of these attributes is determined by the achievement of certain indicators, detailed in Table 7 and Table 9.

Point 3. In the model proposed, the highest level is characterized by aspects that should be complied to, scored from 0 to 3 in the maturity maps. Based on the analysis of three IT projects of different scale, the model is tested. As such, there should be a method part explaining how the model is to be tested before presenting any results. The selection of projects could also be placed into this new section.  By doing this it might be easier to separate results, discussion, and conclusions, which currently seems to be mixed together in sections 4, 5 and 6.

Attributes in 3 IT projects were assessed according to the criteria presented in Table 7, Table 8 and Table 9. In this regard, in order to exclude the duplication of information, the authors of the publication presented a description of the studied IT projects (Table 10), the results of the changes obtained (Figure 1), their interpretation and comparison with the results of predecessors (Discussion).

Point 4. Finally, just a minor correction in the first paragraph of Section 2, where “and others” should be deleted as this is a listing of the most popular models available.

The points have been covered.

Since all corrections have been made, we hope that the manuscript will now be accepted without any further changes.

We look forward to hearing from you regarding the submission of our manuscript. We will be happy to answer any additional questions and comments you may have.

Sincerely, the team of authors of the article.

Round 3

Reviewer 3 Report

With the corrections made by the authors, I find the manuscript acceptable for publication in the Sustainability journal. 

Back to TopTop