Features of methods and models in risk management of IT projects

Department of International E-Commerce and Hotel&Restaurant Business, V.N. Karazin Kharkiv National University, Kharkiv, Ukraine Department of Marketing, Entrepreneurship and Production Organization, Kharkiv National Agrarian University named of V.V. Dokuchaev, Kharkiv, Ukraine Department of Economic Control and Audit, Sumy National Agrarian University, Sumy, Ukraine Subsidiary enterprise «Korostyshivsky Forestry APC» of Zhytomyr Regional Utility Forestry Enterprise «Zhytomyroblagrolis» of Zhytomyr Oblast Council, Korostyshiv, Ukraine Department of Accounting and Audit, Kharkiv Petro Vasylenko National Technical University of Agriculture, Kharkiv, Ukraine Department of International Economic Relation, V.N. Karazin Kharkiv National University, Kharkiv, Ukraine


Introduction
In connection with the latest economic crisis, which is associated with a cost decrease of raw materials in international markets, the information technology (IT) industry became a key to the recovery of country's economic growth and its reorientation to the production of products and the provision of high value added services.In the conditions of the rapid development of IT and increasing their role in the efficient functioning of modern organization, software development and implementation projects are becoming increasingly widespread.Recent research data indicate a significant increase in the global IT market [1].The annual cost of IT in the world from 2005 to 2013 increased from $ 2.65 trillion to $ 3.83 trillion, of which $ 922 billion was spent on IT services, $ 300 billion -on corporate software [2].In the broadest sense the term "IT project" is used to refer to activities related to the use or creation of certain information technology.In this regard, IT projects have a wide range of applications, including software development, information systems, deployment of IT infrastructure, etc.At the same time, in many sources there is no clear definition of "IT project" (project in the field of the information technology).J. Smirk, analyzing different approaches to defining an IT project, suggests defining an IT project as "a project where all results are artifacts of information systems / technologies form" [3].According to the ISO / IEC 2382: 2015 standard, the information system is the "information processing system and human, technical and financial resources that provide and distribute information" [4].And some sources provide numerous examples of IT projects in various fields (subject-matter areas).Therefore, K. Schwalbe [5] refers to IT projects creating a mobile application, the development of an unmanned car, adding functionality to the internal software of the financial department of the company, improving the technological infrastructure of the educational institution to provide wireless access to the Internet, developing a government system for monitoring children's immunizations, etc. Prokopenko O., et.al. [6] have a common opinion on the support of communication and information technologies for the participation of the universities in the innovation networks.According to the results of the analysis of the peculiarities of IT project implementation, it is proposed to consider the management of IT projects as a time-limited and resource-based set of interrelated actions aimed at achieving an intellectually intangible non-material result in the form of information systems / technologies in conditions of uncertainty regarding development technologies, customer requirements and customer needs.Despite the existence of certain patterned actions, IT projects that run "from scratch" require unconventional solutions and highly skilled implementers, as well as high degree of uncertainty.Data from numerous studies indicate that a significant part of IT projects is failed.Research [7][8][9][10] results indicate that most IT projects, in comparison with other types of projects, are characterized by exceeding the timing and budget.Thus, in 2012, the average excess of project expenditures in the IT industry was 66% (43% in other sectors), exceeding the deadlines -33% (3.6% in other sectors).At the same time, the cost of each sixth large IT project went beyond the budget by 200%, and the timing of its implementation increased by 70% [9].According to the CHAOS Manifesto study, in 2012, only 39% of major IT projects were successful (timely, within budget and with the required functionality); 43% had problems (not scheduled, with budget overrun and / or with less functionality than expected); 18% of IT projects failed (stopped by the time of delivery, or executed without further use of the results) [10].In 2017, the cost of a large IT project exceeded the budget by an average of 45%, the execution time increased by 7%, and the value of output was 56% lower than expected.At the same time, only 64% of the projects studied achieved their goals [7].Among the most general causes of IT projects failure, executives call lack of focus (badly defined goals), as well as problems with implementation (unrealistic scheduling and reactive planning), with content (requirements changes, technical complexity) and qualifications (team mismatch, lack of skills) [8].Another study found that the overall causes of IT project failures were a change in the organization's priorities (40% of cases), misleading requirements (38%), changes in project objectives (35%), unidentified risks and opportunities (30%), inadequate assessments costs (29%) and inaccurate estimates of the duration of the tasks (27%) [8].Consequently, the use of sophisticated technologies and blurred demands on results at initial stages will result in a high degree of uncertainty and risks in IT projects.Implementation of IT projects is closely related to risks, the nature of which depends on factors such as subject area, technology used, number of involved developers, etc.The level of risk is given an important role, in particular, in the classification of projects [11][12][13].The risks to the project are influenced by factors such as the level of novelty for the organization, the complexity of the project, its duration, availability of resources, including highly skilled specialists, etc. [11].In addition, regarding the need to set up effective communication in the implementation of an IT project, its riskiness can be significantly influenced by the use of distorted information [14] and providing computer security [15].PEN Vol. 7, No. 2, August 2019, pp.629-636 631

Materials and Methods
In Table 1 there is methods list of knowledge management depending on the information situations associated with the uncertainty in the project.According to D. Tesch, effective use of PM tools, including RM, is important, but not a key factor.The project's critical success is the ability continuously to maintain the knowledge base underlying the project [16][17][18].In support of this, J. Kasten found a significant correlation between the different types of knowledge transfer and the success of the project [17].In addition, it is equally important to manage an IT project that supports its computer security [19].Moreover, as J. Kasten notes, a typical project that involves short deadlines, limited budget, and sometimes unstable external conditions, increases its chances of success when it involves knowledge bases [17].[20,21] It should be emphasized that PMBOK 5 emphasizes the importance of creating a corporate knowledge base for storing and extracting information, including historical information (project records and documents, information on previous projects, decision-making and RM activities), and documentation of previous projects (plans-graphs, budget, performance indicators, risk logs, etc.) [22].Based on the analysis of publications on the use of knowledge control techniques in PM, including RM of projects, it can be concluded that the effectiveness of these methods is confirmed by statistical data, and the importance of their application is emphasized by many scholars and standards.At the same time, in our opinion, the problem of choosing and using methods and models in knowledge management, regarding the peculiarities of IT projects and the methodologies used in software development, is not sufficiently investigated.In particular, the Scrum methodology provides an overview of the project's actions on a daily basis and based on sprints to analyze information about the project progress.At the same time, methods for detecting, recording and using knowledge are not explicitly included within the methodology.In this regard, the actual task is to adapt the methods and models of knowledge management to the peculiarities of RM of IT projects.Consequently, the existing standards for PM and RM offer a large number of RM methods and models, the choice of which depends on the methodology of PM and available information for decision-making.The P2M standard indicates that it is impossible to obtain successful results in the absence of RM measures [23].In addition, risk is the basis for a specific PM subject group in the ISO / DIS 21500 standard [24].Understanding the need for project RM is also widely reflected in the scientific literature [11,[24][25][26][27]. Within the subject area of PM, it is generally accepted that project RM is to achieve the project objectives by maximizing potentially positive effects (capabilities) and minimizing potentially negative (threats) through valid identification, assessment, and risk control.In standard ISO / DIS 21500 "Project Management Guidelines for Risk Management" includes processes that maximize the probability of achieving project goals by actively managing threats (risks that may have a negative impact on the project) and capabilities (risks that can have a positive impact to the project)" [24].According to the Prince2 standard [28], effective PM is to manage risk exposure to a project by taking measures to improve control over uncertainty and reducing the likelihood of failure to meet the set goals [29,30].
Regarding RM of own IT projects, K. Schwalbe, identifies RM of the IT project as "the art and science of identification, analysis and risk response throughout the cycle`s life of the project in order to achieve its goals" [5].According to Schwalbe, the goal of managing the risks of an IT project is "minimizing potential negative risks and maximizing potential positive risks" [5].Interesting in terms of concrete tasks for implementing the IT project is the approach of R. Loren, who, based on an analysis of methodological approaches to maximizing the value of created information technology, determines the value added activities (value-adding activities) and activities that do not add values (nonvalue-add activities) [31].The first ones include project planning, requirements analysis, code writing, testing, etc. Activities that do not add value to IT include the correction of technical complications that have not been thoroughly analyzed during the requirements formulation and project planning, excessive bureaucratization of the project environment, the development of an excess or poor-quality functional, the execution of a large number of parallel tasks in the project, etc. [31].

Theory
Taking into account the above, it is proposed to consider the risk in the context of IT PM as a threat or unused opportunity, which could lead to a deviation from the objectives of the IT project in the form of obtaining damages, breach of timing and budget, non-compliance with the declared functional, etc. Accordingly, RM of IT should be considered as a set of measures to minimize the impact of potential threats and enhance the impact of opportunities in RM management processes.The main provisions of RM as a whole are set out in the ISO 31000 standard [32].The standard includes such components of the RM process as the establishment of a context for risks, identification, analysis, assessment of risk, modification`s risk, as well as monitoring and risk analysis [32].In the context of PM, standard PMBOK 5 [22] includes six RM processes: 1) planning of RM measures; 2) identifying risks; 3) qualitative of risk assessment; 4) quantitative risk assessment; 5) measures planning for responding to risks; 6) monitoring and risk control.The processes outlined above we implemented using certain methods of collecting, analyzing and interpreting risk data for decision-making in relation to defining and further adjusting the timing, budget and content of a project to achieve all objectives.In addition, risk information can serve as input for modeling project performance targets.According to different dictionaries in the broadest sense, the model is defined as: "Standard or example for simulation or comparison" [33]; "Schematic description or presentation of a system or phenomenon that regarding the features of such a system or phenomenon and is used to study its characteristics" [34]; "Imaginary or conditional (image, description, scheme, etc.) image of an object, process or phenomenon used as its "representative" [33]; "System of mathematical dependencies or a program that reflects the essential properties of an object, process or phenomenon being studied [34].Consequently, in the context of IT projects, simulation can be used to schematically visualize RM processes, to reflect the essential project parameters, and to determine the impact of external and internal factors on the achievement of the objectives of the IT project.At the same time, as noted above, it is typical for IT projects to exceed the deadlines and the budget, which indicates a lack of effective RM.In this regard, the actual scientific and applied task is to improve the methods and models used in the RM of projects in the field of IT.In order to accomplish this task, it is appropriate at first determine the peculiarities of the application of methods and models in managing the risks of IT projects.The use of certain methods and models in managing the risks of an IT project is significantly influenced by the methodology used in software development.In the context of PM, the methodology is a "system of practices, methods, procedures and rules that are used within a certain discipline" [22].Application of the methodology in PM allows recording its goals and results, to determine time, cost and quality parameters of the project, as well as to create a realistic plan for its implementation.According to PricewaterhouseCoopers [22], organizations that use one or another methodology are more effective than organizations that do not have it (Table 2).Systematized by the author on the basis of [35]

Results
According to the results of the analysis of modern approaches to the classification of PM methodologies [36][37][38][39] two groups of methodologies were devoted: methodologies-standards and methodologies based on system of the development lifecycle (SDLC).A generalized classification of PM methodologies is presented in Figure 1.

Fig. 1. Classification of PM methodologies
The standard methodology is PMBOK (PM body of knowledge) [22], PRINCE2 [28], P2M [23] and ISO 21500 [24].PM methodologies based on system life cycles include flexible Scrum methodologies, Kanban and extreme programming, as well as cascading PM methodologies used the critical path method (CPM) and critical chain PM (CCPM) projects.

Discussion
It should be emphasized that for the selection of methods and models in managing the risks of IT projects, an important aspect of any methodology is the criteria for successful project implementation, on which the relevant targets depend.According to the results of the survey [39,43,44], it was established that the success of the project is most often determined by criteria such as meeting the needs of stakeholders, execution within the timeframe and execution within the budget

Conclusions
Thus, as a result of the analysis of the main characteristics of IT projects, the following features of the application of methods and models in the management of risks of IT projects in comparison with projects in other areas are defined: Implementation of IT projects is an innovative activity aimed at creating a unique intellectual-sensitive product, which results in a high level of uncertainty with regard to the final results.Due to the limited ability to accurately plan IT projects, it is advisable to use methods that provide time and money reserves for adverse events and take them regards when modeling; Implementation of the IT project is aimed at creating an intangible product, which complicates the formulation of requirements and requires constant refinement.In this regard, the use of methods and models in managing the risks of an IT project could ragards the possibility of periodic risk control and prompt response to them through continuous communication between stakeholders of the project, as well as analysis of information and accumulation of knowledge about risks; IT projects are carried out in the context of the constant development of rapidly obsolete technologies and the variability of user expectations.In this regard, an important aspect is the adoption of measures to ensure the timely implementation of the IT project and take into account such measures through the use of methods and models in RM; the process of implementing an IT project depends on the cycle`s life of the development of systems (the methodology used in software development).In this regard, when choosing methods and models in RM IT projects must regards the features of the methodologies used in software development.
It should be emphasized that RM is multivariate, which determines the search for comprehensive solutions to improve the effectiveness of RM in projects.As far as IT projects are concerned, the mentioned problem is particularly relevant for the lack of accumulated knowledge on technology development and intangible results that limit the possibilities of initial planning and risk control.In order to develop an integrated approach to IT RM, it is advisable to analyze existing methodologies used in software development for the possibility of using methods and models in project RM.

Table 1 .
Methods of knowledge management in the context of information situations

Table 2 .
Comparison of organizations effectiveness that use or do not use PM methodologies