The Role and the Effects of Risk Management in IT Projects Success

Introduction “Risk management is an essential process for the successful delivery of IT projects” [1]; [2], and “risk management offers genuine and significant benefits to organizations, their projects and their stakeholders, but these will never be achieved without recognition of the importance of managing risk at all levels in the business, matched with operational effectiveness in executing risk management in practice” [3]. Effective IT project management has been discussed by academics and practitioners since 1978 [4]. Existing literature discusses several conceptual frameworks for explaining different types of IT risks, risk management strategies and measures of software projects performance [5]; [6]; [7]; [8]; [9]. Risk management is the most important management tool a project manager can use to increase the likelihood of project success. Because risk management is often not used or not understood, those that implement the risk management processes in their projects can have a significant competitive advantage [10]. There are several approaches to risk management in the IT projects literature, and the main ones are: the evaluation approach, the management approach and the contingency approach [11]. Also, the literature is defining project success [12]: in the traditional, vendor-oriented way, based on time, budget and quality/requirements criteria [13], and in the nontraditional, broadening way, that refers to the concept of project performance using dimensions like product and process performance [9]; [14]; [15]; [16]; [17].


Introduction
"Risk management is an essential process for the successful delivery of IT projects" [1]; [2], and "risk management offers genuine and significant benefits to organizations, their projects and their stakeholders, but these will never be achieved without recognition of the importance of managing risk at all levels in the business, matched with operational effectiveness in executing risk management in practice" [3].Effective IT project management has been discussed by academics and practitioners since 1978 [4].Existing literature discusses several conceptual frameworks for explaining different types of IT risks, risk management strategies and measures of software projects performance [5]; [6]; [7]; [8]; [9].Risk management is the most important management tool a project manager can use to increase the likelihood of project success.Because risk management is often not used or not understood, those that implement the risk management processes in their projects can have a significant competitive advantage [10].There are several approaches to risk management in the IT projects literature, and the main ones are: the evaluation approach, the management approach and the contingency approach [11].Also, the literature is defining project success [12]: in the traditional, vendor-oriented way, based on time, budget and quality/requirements criteria [13], and in the nontraditional, broadening way, that refers to the concept of project performance using dimensions like product and process performance [9]; [14]; [15]; [16]; [17].about how the project managers perform risk management in IT projects and how the most recent completed IT project turned out.

Sample, population or subjects
The target population for the empirical analysis consisted of project managers, IT managers and IT analysts in Romanian IT companies, and the sample was derived from a combination of the convenience method and the snow-ball method on a 361 company database between the 10th of June 2012 and the 11th of July 2012.We received 108 answers (28.35%), out of which we validated 106, from 72 companies (19.95%).

Instrumentation and materials
The questionnaire was developed in Google-Docs and the data were processed using Microsoft@ Excel 2007 and IBM@ SPSS 19.

Variables in the research
The variables in the empirical research are the practices of risk management used in IT projects and the performance of the IT project -subjective and objective (Figure 1).Each risk management practice was represented by a nominal variable, the subjective performance of the IT project, as perceived by the respondents was represented by a nominal variable on a 5-point Likert scale (5 being the highest degree, 1 being the lowest degree) and the objective performance of the IT project, as perceived by the respondents was represented by a nominal variable.We formulated two main hypotheses: H1 -Risk management practices are correlated with the subjective performance of IT projects H2 -Risk management practices are correlated with the objective performance of the projects Data analysis We performed r-Pearson correlation tests in order to test the correlation between applying risk management processes and the performance of the IT project.

Risk management approaches in IT projects
Professionals affirm that risk management has to be done in the way the best practice books recommend it [18]; [19]; [20]; [21].This concept is also found in risk management literature [22].Best practice project management standards imply that effective risk management leads to project success [23]; [24].
Early researchers that have had a common interest concerning risk and uncertainty in IT projects [4]; [25]; [26]; [27]; [28] treat risk management as an ex-post evaluation process [11].The evaluation approach answers the question what causes projects to fail and has three main elements: known risk factors, the process of project risk management and new factors.It is assumed that it is likely that knowledge of the risks and their causes will have a positive impact on the project outcome.The aim of this approach is to create project predictability in new projects by using information regarding risks and causes of project failure gathered from previous projects [11].This approach considers the process of risk management from an analytical point of view in determining the risk factors and causes of project failure.It evaluates risks that have already occurred thus learning from past projects.The evaluation may result in changing the project risk management methodology, but literature indicates that knowledge of risk factors is not enough to contribute to project success.The contribution of the evaluation approach of risk management to project success is indirect, the knowledge being used in future projects, thus leading possibly to project success.The management approach answers the question how to deal with risks in order to prevent project failure.Chapman and Ward [29] assume that by improving the project planning, budget and design, project risk management will contribute to the success of the project.Risk management is a process consisting of specific phases: identification, analysis, response, monitoring and control [11].The management approach to risk management is based on rational decision making.It aims at identifying the events and situations specific to projects that can influence the original plan and developing measures to keep the current project on track.The contribution of the management approach of risk management to project success is direct because it deals with the actual risks of the current project.
During the last years, the management approach is assumed implicitly to work in favour of project success, risk management having a key role in delivering successful projects and as a result, the stakeholders are aware of the fact that there are risks, based on which, they adjust their expectations and behaviour.Another approach discusses risk management, project success and the relationship between them from a contingency perspective [30]; [31]; [32].According to the contingency approach, risk management is embedded in the different processes and procedures of the project [11], so it is not a specific process.

Project success and project performance
The traditional view on project success is measured by time, budget and requirements/quality criteria [13]; [33]; [34]; [35].The "time-budget-requirements" definition of project success is only influenced by the interests of the vendor or supplier in Turner and Cochrane's opinion [13].There are several researchers that use the concept of project performance instead of project success [9]; [14]; [15]; [16]; [17]; [36].Project performance is defined by Nidumolu [14] as "the degree to which the software project achieves success in the perspective of process and product" [16]; [17].They use terms like product performance and process performance, but they refer also to time and budget -process performance, as well as requirements -product performance [12]; [15].Table 1 presents the dimensions of project performance.-The application developed is reliable -The application developed is easy to use -Flexibility of the system is good -The system meets user's intended functional requirements -Users are satisfied with the system delivered -The overall quality of the developed application is high Project performance has been defined as the extent to which the software development process has been undertaken as well as performance of the delivered system from users' point of view.Even though the software delivered by the project may be of high quality, the project itself may have significantly exceeded time and cost projections.Vice versa, well-managed projects can adhere to cost and schedule, but may deliver poor systems.
Recent researchers claim that there are multiple constraints in a project [37].Now, there are more complex projects, where the tradi-tional triple constraints success factors are constantly shifting.For example, as in Figure 2, for traditional projects, time, cost, and scope may be a higher priority than the image/reputation, quality and value constraints.Also, the fourth edition of the PMBOK Guide [18] does not use the term "triple constraints" any more.Instead, because there can be more than three constraints, it uses the "competing constraints" term, claiming that "the exact number of success constraints and their relative significance can change for each project" [37].

Fig. 2.
The multiple components for project success [37] Project success or failure depends on how it is measured.The project manager's definition of failure may be: not meeting the criteria of the competing constraints.Stakeholders, on the contrary, may be more interested in the business value of the result than the competing constraints.

Discussion
According to project management theory [13]; [39], project risk management has a positive effect on project success in terms of "on time, within budget delivery" of a predefined result.Ropponen and Lyytinen [22] state that a frequent and continuous use of risk management measures by project managers in various projects over time contrib-utes positively to the effectiveness of risk management in their own projects.But, there are several factors that can reduce the likelihood that formal project risk management is used [40].These factors include:  The problem of hindsight (uncertainty in project);  The problem of ownership of risk management processes;  The problem of cost justification for applying risk management procedures;  Lack of expertise from project managers regarding risk management;  The problem of stakeholder anxiety.Considering the subjective aspect, project success is also measured by asking individual project members for their opinion on the outcomes of their project.Studies have shown that different stakeholders have different perceptions of risk, management processes and procedures and project success, because of their different objectives [41]; [42].Risk management is an "instrument" through which project managers identify, analyse and control project risks, and is considered in a social context, meaning that interactions between actors in the risk management process may be able to influence perceptions and valuations of the stakeholders regarding reality, particularly in relation to the outcomes of the project [43].The fact that project management practitioners pay attention to project risks is likely to have more impact on IT project success than following the steps prescribed in the risk management process.Risk management should be proactive, not reactive, and it should reduce the number of surprises and give a better understanding of the most likely results of negative events.
Practices and techniques used in the risk management process must try to increase the satisfaction of stakeholders and escalate the chances of IT project success [38].Risk management execution must be shared by all stakeholders [44].The main stakeholders can even be included on the risk management team.They have a valuable perspective, and involving them in the risk management process they become more committed to project success.Each stakeholder can bring different expertise, standards, priorities, and agendas to the project.The availability of a contingency plan (an alternative plan that will be used if a possible foreseen risk event becomes a reality) can significantly increase the chances for project success [38], and project risk management can positively influence project performance through the creation of a contingency plan or by influencing project time, budget or design plans [29].Also, important roles in risk management and project performance have the communication between stakeholders, collaboration between stakeholders and more creative thinking, mentioned by Chapman and Ward [29].Project stakeholders claim that different risk management activities are used to influence the behaviour, perceptions and expectations of other stakeholders and that risk management activities are used in order to create and maintain inter-stakeholder relationships.As reported by the stakeholders, these effects contribute to the success of the project, therefore, their decision is to use these risk management activities on their projects.The effects of different risk management practices on project success are presented in Table 2. Kutsch and Hall [40] conclude their study by affirming that there has been little research taken to establish whether project managers involved in IT projects actually apply risk management and what reasons lay behind their decisions to not pursue any active management of risk in some cases.There appears to be a lot of literature on the reactive attitude of project managers instead of a proactive one.Also, the results in the study of Jun et al. [12] reveal that risk management factors have different impacts on different dimensions of project performance.
The use of project risk management practices affect the project success as perceived by stake-holders (project managers, IT service suppliers, and business owners) regarding IT projects, because of communicative effects: perception and action.Communicative effects occur as a result of interaction between project stakeholders during the execution of risk management activities [43].
We grouped the main risk management practices into 4 main categories: risk identification, risk analysis, risk response planning and risk response monitoring and control, according to the literature [22]; [36]; [40]; [47].
The main practices are grouped in Table 3.

Empirical findings
We tested the reliability of the scale for the subjective performance construct and the 9 item scale used had a reliability coefficient alpha-Cronbach of 0,877 (>0,7).The KMO test value was 0,905 (>0,7), and the Bartlett sphericity test was 496,17 (significance p<0,01).The next step in the research was to split the main two hypotheses in 4 first grade subhypothesis and 12 second grade subhypotheses in order to test each risk management process in correlation with the subjective and objective performance of the IT project.We applied the r-Pearson correlation test, and the results are as follows:

H1 -Applying risk management practices is correlated with the subjective performance of the IT project
 H1a -Risk identification is correlated with the subjective performance of the IT project The H1a hypothesis was rejected, because the significance level was 0,175 (>0,05).The correlation between risk identification and the subjective performance is not considered significant from a statistical point of view.

 H1b -Risk analysis is correlated with
the subjective performance of the IT project The H2a hypothesis was accepted, the significance level was 0,001 (<0,05).The r-Pearson coefficient was 0,309, and this indicates a low-medium intensity correlation between applying risk analysis practices and the subjective performance of the IT project.
 H1c -Risk response planning is correlated with the subjective performance of the IT project The H1a hypothesis was rejected, because the significance level was 0,120 (>0,05).The correlation between risk response planning and the subjective performance is not considered significant from a statistical point of view.
 H1b -Risk response monitoring and control is correlated with the subjective performance of the IT project The H2a hypothesis was accepted, the significance level was 0,033 (<0,05).The r-Pearson coefficient was 0,207, and this indicates a low intensity correlation between applying risk response monitoring and control, and the subjective performance of the IT project.

H2 -Applying risk management practices is correlated with the objective performance of the IT project
H2a -Risk management practices are correlated with cost overrun  H2a1 -Risk identification is correlated with cost overrun The H2a1 hypothesis was rejected, because the significance level was 0,501 (>0,05).The correlation between risk identification and cost overrun is not considered significant from a statistical point of view.
 H2a2 -Risk analysis is correlated with cost overrun The H2a2 hypothesis was rejected, because the significance level was 0,604 (>0,05).The correlation between risk analysis and cost overrun is not considered significant from a statistical point of view.
 H2a3 -Risk response planning is correlated with cost overrun The H2a3 hypothesis was rejected, because the significance level was 0,443 (>0,05).The correlation between risk response planning and cost overrun is not considered significant from a statistical point of view.
 H2a4 -Risk response monitoring and control is correlated with cost overrun The H2a4 hypothesis was rejected, because the significance level was 0,062 (>0,05).The correlation between risk response monitoring and control, and cost overrun is not considered significant from a statistical point of view.

H2b -Risk management practices are correlated with schedule overrun
 H2b1 -Risk identification is correlated with schedule overrun The H2b1 hypothesis was rejected, because the significance level was 0,657 (>0,05).The correlation between risk identification and schedule overrun is not considered significant from a statistical point of view.
 H2b2 -Risk analysis is correlated with schedule overrun The H2b2 hypothesis was rejected, because the significance level was 0,694 (>0,05).The correlation between risk analysis and sched-ule overrun is not considered significant from a statistical point of view.
 H2b3 -Risk response planning is correlated with schedule overrun The H2b3 hypothesis was rejected, because the significance level was 0,053 (>0,05).The correlation between risk response planning and schedule overrun is not considered significant from a statistical point of view.
 H2b4 -Risk response monitoring and control is correlated with schedule overrun The H2b3 hypothesis was rejected, because the significance level was 0,328 (>0,05).The correlation between risk response monitoring and control, and schedule overrun is not considered significant from a statistical point of view.H2c -Risk management practices are correlated with effort overrun  H2c1 -Risk identification is correlated with effort overrun The H2c1 hypothesis was rejected, because the significance level was 0,630 (>0,05).The correlation between risk identification and effort overrun is not considered significant from a statistical point of view.
 H2c2 -Risk analysis is correlated with effort overrun The H2c2 hypothesis was rejected, because the significance level was 0,365 (>0,05).The correlation between risk analysis and effort overrun is not considered significant from a statistical point of view.
 H2c3 -Risk response planning is correlated with effort overrun The H2c3 hypothesis was rejected, because the significance level was 0,057 (>0,05).The correlation between risk response planning and effort overrun is not considered significant from a statistical point of view.
 H2c4 -Risk response monitoring and control is correlated with effort overrun The H2c4 hypothesis was rejected, because the significance level was 0,114 (>0,05).The correlation between risk response monitoring and control and effort overrun is not considered significant from a statistical point of view.
The results of the hypotheses testing are summarized in Table 4.The first hypothesis H1 is partially confirmed, risk analysis and risk monitoring and control being correlated with the subjective performance of the IT project.The second hypothesis H2 is rejected, risk management practices not being correlated with the objective performance of the IT project.

Conclusions
Risk is an inherent component of software development projects, as well as implementation projects.Having origins in engineering, project management inevitably implies that the application of procedures and processes according to the best practice standards leads to project success [11].The project procedures and processes need to be improved in case a project fails, [45].Project stakeholders may use various project success definitions [35].Therefore, the contribution of risk management should be considered in relation to a broader definition of project success.The majority of publications that relate risk management to project suc-cess in the literature refer to the traditional "time-budget-requirements" definition of project success.However, this approach is not in line with the view presented by other literature that project success means more than just meeting time and budget constraints and requirements.The triple constraints of project success are still important, but in today's definition, success is "when the planned business value is achieved within the imposed constraints and assumptions, and the customer receives the desired value", so we are using the term "competing constraints" [37].There is limited empirical evidence that current risk management practices contribute to success in IT projects [43].Furthermore, the literature indicates that the assumptions, on which risk management in project management methodology is based, are often incorrect for IT projects.Still, specific risk management activities are and will often be used in IT projects.Success or failure depends on the contributions of stakeholders: top management, func-tional managers, customers, suppliers, contractors, and others [38], and that is why stakeholders must be involved in the risk management process.Project management, including the key process of project risk management, is described as self-evidently correct [23].However, it appears that factors such as the perception of stakeholders interfere with fundamental assumptions in traditional project risk management.An IT project manager's decision not to apply project risk management procedures may be irrational, at least if we start from the premise that the project manager chooses not to apply a "self-evidently" correct process to reduce the impact of risk on the project outcome.A project manager would act sensibly by not applying project risk management because he can rate the utility of not using project risk management as higher than the utility of confronting stakeholders with discomforting information [40].Project stakeholders indicate that various risk management activities are used to influence other stakeholders' behaviour, perceptions and expectations and that risk management activities are used in order to create and maintain inter-stakeholder relationships.Weick and Sutcliffe [46] discussed awareness creation and attention shaping as conditions for stakeholder behaviour in uncertain situations.In this respect, risk management has a vital role in project success because the stakeholders are aware of the fact that there are risks, on the basis of which they adjust their expectations and behaviour accordingly.Risk management practitioners are aware that risk management can help them gather information and support their decision making process, and also influence stakeholder expectations and perceptions, thus creating a better environment for more effective stakeholder actions.This may also contribute to the success of the project [43].Risk management in IT projects is essential to: help avoid project failure; avoid rework; focus and balance team effort and stimulate win-win situations [27]; [47].Risk and risk management have a key role because IT projects can be "vehicles of delivering IT-enabled organizational change, so achieving business objectives can be critically dependent upon their success" [47].Perhaps other project management instruments, such as planning or change management, or characteristics of the project or the project environment contribute to project success or failure, with only a subordinate role for risk management, or perhaps no role at all [43].The objective of project risk management must include the minimization of the likelihood and impact of possible risks and the maximization of the likelihood and impact of prospective opportunities.The effects of risk management in IT projects include creating awareness, clarifying expectations, creating acceptance and commitment, establishing trust and setting priorities, thus contributing to a higher success probability of the IT project.From a theoretical point of view, some sort of risk management practice must be applied, one way or the other, but from the practical point of view, a lot of project manager decide not to apply any risk management because of financial reasons.In the empirical research, considering the Romanian IT companies, the methods and techniques used for risk analysis and risk response monitoring and control are the only processes that influence the subjective performance of the IT project.Risk identification and risk planning do not influence the subjective performance of the project in terms of reliability, easiness, flexibility, satisfaction and quality.Also, no method of risk management influenced the objective performance of the IT project in terms of cost, schedule and effort.These negative results can be explained by the reduced size of the population or the sampling method used in this research (106 answers from 72 companies) and this is one of the main limitations of the empirical research, because it does not ensure an acceptable error margin.Considering this, we cannot generalize these conclusions to all the IT companies, further studies in this field being mandatory to for-mulate a solid conclusion regarding the role and effects of applying risk management in successful IT projects.Future research should include interviews with IT project managers on specific IT projects and should consider the client point of view regarding the success of the project.

Fig. 1 .
Fig. 1.Research model [own development] and vendor perspectives, Information and Organization, 13 (3), 2003, p. 153-202.[42] H. Taylor, Outsourced IT projects from the vendor perspective: different goals, different risks, Journal of Global Information Management, 15 (2), 2007, p. 1-27.[43] K.D. Bakker, Dialogue on Risk: Effects of Project Risk Management on Project Success, University of Groningen, Groningen, The Netherlands, 2011, ISBN: 978-90-367-4841-4.[44] P. Garvey, Analytical methods for risk management -A systems engineering perspective, Taylor & Francis Group, LLC, 2009.[45] C.C. Chen, C.C.H. Law and S.C. Yang, Managing ERP implementation failure: a project management perspective, IEEE Transactions on Engineering Management, 56 (1), 2009, p. 157-170.[46] K.E.Weick and K.M. Sutcliffe, Managing the Unexpected, Wiley, New York, 2007.[47] P.L. Bannerman, Risk and risk management in software projects: A reassessment.The Journal of Systems and Software, 81 (12), 2008, p. 2118-2133.Otniel DIDRAGA has graduated the Faculty of Economics and Business Administration in Timisoara in 2005.He holds a PhD diploma in Management since 2012.In 2005 he joined the staff of the West University of Timisoara -Faculty of Economics and Business Administration.He is a teaching assistant within the Department of Business Information Systems at the Faculty of Economics and Business Administration -West University of Timisoara.Currently, his research interests include IT Project Management, Risk Management, Business Information Systems Analysis and Design, Information Systems Control and Audit.

Table 1 .
Dimensions of project performance [own development]

Table 2 .
Effects of risk management practices on project success in existing literature[43]

Table 3 .
Risk management practices in IT projects [own development]