Risk Management in Information Technology Project: an Empirical Study

The companies are facing some risks due to changes in a dynamic environment. If risks are not managed properly, it will have some negative impacts on the companies at the present and the future. One important function of the Information Technology (IT) governance is risk management. Risk management in IT project aims to provide a safe environment for IT projects undertaken. Risk management becomes an important process for the success of IT projects. This article discussed the risk of IT project and whether there was a relationship between risk management and the success of the project. The method used was performing a literature review of several scientific articles which published between 2010 and 2014. The results of this study are the presence of risk management and risk manager influence the success of the project. Risk analysis and risk monitoring and control also have a relationship with the subjective performance of IT projects. If risk management is applied properly, the chance of the success of the projects undertaken can be increased.


INTRODUCTION
The companies are facing some risks due to changes in a dynamic environment.It allows emerging new risks, both derived from the internal environment or the external environment of the company. If the risks are not managed properly, it will bring the negative impacts on the company's present and future (Talet, Mat-Zin, & Houari, 2014).
One of the important functions of Information Technology (IT) is the governance of risk management. Risk management has been applied in various fields, one of which is an IT project. Risk management in IT project aims to provide a safe environment for IT projects. IT projects generally have a high level of risk. Risks are encountered in the financial risk. However, the risks that might occur in the implementation of IT projects not only the risks associated with the financial aspects, but also all conditions of uncertainty that may impact negatively or positively on the project objectives, including time, cost, scope of the project, or the quality of the project results (Talet, Mat-Zin, & Houari, 2014).
Risk management becomes an important process for the success of the IT project. Risk management provides significant benefits for companies, projects, and stakeholders associated with the implementation of the project. It can not be achieved without the introduction of the importance of risk management at every level of the business. Risk management becomes a management tool that is important for a project manager to increase the chance of success of the projects (Didraga, 2013) and can be moved more quickly to resolve the issue before the risk becomes a major problem that could threaten the project objectives (Talet, Mat-Zin, & Houari, 2014). IT projects are characterized by a high level of risk and can have different risk management approaches. Many literatures from the published articles between 2010 and 2014 shown that many researchers have discussed the risk of IT project, any approaches for IT project risk management, and whether there is a relationship between risk management and the success of IT project. The author will compile the findings based on the result of the literature review in this empirical study. Sharif, Basir, and Ali (2014) in their article said that the risk is generally defined as the possibility of loss that describes the impact of the project, could be the poor quality of the software, increased costs, failure, or pending completion. Risk can be reduced, managed, and maintained in accordance with the planning and assessment.
The study which is conducted by Chawan, Patil, and Naik (2013) found that the risk can be grouped into three categories, namely: (1) known risks that can be found after assessing project plans, environmental technology, and other trusted resources carefully, such as unrealistic delivery time, there is no demand and software bundle. (2) Unknown risks that might actually appear, but it is very difficult to be identified first. (3) Predicted risks that can be inferred from previous experiences, such as personnel adjustments and there is no communication with the customers.
The risks are associated with the events that can be identified which will have a negative impact. The uncertainties are related to the source of the risks that may impact negatively or positively. Risks must contain two elements, namely uncertainty and loss (Talet, Mat-Zin, & Houari, 2014).
The level of uncertainty of the project becomes an important dimension in the context of the implementation of the project. A major source of uncertainty in the IT project is about the scope or the project specifications. The study which is conducted by Thakurta (2014) provides uncertainty into four categories, namely: (1) variation refers to the many influences that produce a wide range of possibilities for a range of values on a project. For example, the variation of duration of the specific project takes between 10 to 15 days. If the changes are made, then the duration of the project will also change.
(2) Foreseen uncertainty refers to all the uncertainties that have been previously identified that may or may not occur during the implementation of the project. (3) Unforeseen uncertainty refers to all the uncertainties that can not be identified during the project planning. (4) Chaos refers to the uncertainty of the project because the projectsdo not have the definite basic structure plan so that the project's outcomes different from the original intent of the project. Talet, Mat-Zin, and Houari (2014) said that risk management on the project is used to manage the project risks. Risk management is generally regarded as a way to reduce the uncertainty and the impact of uncertainty, thus increasing the chance of the success of the project. Risk management aims to prevent or reduce the impact of the risk.
Most of the projects or businesses are in a dynamic environment (can be changed) that may impact negatively on the success of the project. The project is to be successful if the project was done and meet the requirements which are specified by the stakeholders, such as security, efficiency, reliability, manageable, capabilities, integration, and other requirements. A literature review which is conducted by Talet, Mat-Zin, and Houari (2014) said that 35% of quite projects are not unnecessary until the project implementation stage. This means that project managers do a poor job of identifying projects or terminating projects that are likely to fail because of the risks faced during the project life cycle.
The concept of risk management is applied in all aspects of the business, including planning and project risk management. Before discussing the concepts of risk management more deeply, need to know first about the definition of the threat and vulnerability. Threats can be defined as unwanted incidents on the system or organization that can damage the assets owned by system or organization.
Vulnerabilities are weaknesses in procedure, architecture, and implementation of the system and other causes that can be used to exploit the security systems and unauthorized access to the information (Talet, Mat-Zin, & Houari, 2014).
Risk management (Talet, Mat-Zin, & Houari, 2014) is a process consisted of (1) identify vulnerabilities and threats to information resources which are used by the organization in achieving business objectives, (2) conduct a risk assessment to determine the probability and the impact, and (3) identify the various controls that might be done to reduce the risk to an acceptable level. Many approaches that can be used in identifying risks. A literature review which is conducted by Sarigiannidis and Chatzoglou (2011) said that there are four approaches to the identification of risk, namely: (1) ad-hoc approach provides an assessment of the risk when the first symptoms appear on the project. (2) Informal approach involves the discussions with people involved with the project either directly or indirectly on some of the issues emerging risks or risks that might appear. (3) Periodic approach involves the use of repetitive procedures for the identification and specification of risk. (4) Formal approach identifiesthe risks and performs an evaluation of each risk. Didraga (2013) found in his study that there are three approaches that can be used in IT project risk management. They are: (1) evaluation approach answers the questions of what can cause the project to fail. This approach aims to make predictions in new projects that will be done by using the information on the risks and causes of project failure that has been collected from previous projects.
(2) Management approach answers the question of how to handle the risks to prevent the failure of the project. Risk management is required in this approach. Risk management is a process that consists of certain stages starting from the identification, analysis, response, monitor, and control the risks. (3) Contingency approach will embed risk management in the different processes and procedures.
Currently, there are any tools that can be used to provide a risk assessment on the project (Sharif, Basri, & Ali, 2014), such as Capability Maturity Model Integration (CMMI), Risk Assessment Visualization Tool (RAVT), Risk Assessment Tool (RAT), MATLAB, and Project Risk Assessment Decision Support System (PRADSS).

METHODS
The method used is conducting a literature review of any published articles between 2010 and 2014. The articles used are any articles that discussed the risk, risk management in the project, particularly the IT project and whether there is any relation between risk management and the success of the project.

RESULTS AND DISCUSSIONS
The IT project in this discussion is associated with software development projects. IT projects are characterized by a high level of risk. Advances in technology quite rapidly result changes in business processes that can create unexpected shift, for example in terms of costs. This was revealed in a study by Thakurta (2014) that the chance of a software project to fail is still high at 44%. Other studies said that many IT projects fail (Talet, Mat-Zin, & Houari, 2014;Thakurta, 2014). IT projects are potentially more likely to fail than other types of projects, such as the construction projects. The main cause of IT project failure is the use of technology that is changing quite rapidly. Other reasons for this failure include the complexity associated with software development and the uncertainty characteristics of the project development environment. IT organizations need to keep the project to meet the planned schedule and budget for IT projects susceptible to the failure, additional costs, and schedule delays (Talet, Mat-Zin, & Houari, 2014).
IT projects can have different risk management. Risks were created from many factors involved in the project. Each factor will depend on the type and the purpose of the project. One of the classic problems that could potentially cause a risk in many IT projects is when the new technology is developed when the project is running (Talet, Mat-Zin, & Houari, 2014). Arnuphaptrairong (2011) conducted a study to determine the list of risks in software projects from any literatures. The results showed that there are 27 software risks that are categorized into six dimensions (see Table 1), namely user, requirements, project complexity, planning and control, team, and organizational environment.  (2011), so it was found that the largest frequency of software risk dimension on planning and control (27), followed by requirement (17), user (14), team (9), environmental organizations (9), and project complexity (4). Arnuphaptrairong (2011) also found that there are seven software risks which often occur, such as misunderstanding in the requirement, lack of commitment and support from top management, lack of user involvement, failed to get the commitment from the users, failed to manage the expectations of the end users, and lack of effective project management methodologies.
The survey which is conducted by more than 1.000 organizations in Canada found that the main reasons for IT project failure are inadequate risk management and immature project plans. Risks faced by IT projects not only related to financial risk. IT project risks are divided into nine categories, including financial risk, technology risk, security risk, information risk, people risk, business processes risk, management risk, external risk, and success risk. Due to the interviews with IT professionals from leading organizations in Western Australia, found that there are five most important risks, namely lack of personnel, unreasonable project schedule and budget, unrealistic expectations, incomplete requirements, and the delay in software delivery (Talet, Mat-Zin, & Houari, 2014).
A literature review which is conducted by Sarigiannidis and Chatzoglou (2011) showed that the risk of software project consists of interrelated dimensions. These risk dimensions are project size, technology experience, project structure, user, system requirement, project complexity, planning and control, team, and organizational environment. Chawan, Patil, and Naik (2013) stated that there are several types of risks that may be encountered in a software project, namely: (1) technical risk includes the problems with the programming language used, the project size, the project functions, platforms, methods, standards, or process. Technical risk can be derived from the use of excessive constraint or less well-defined parameters.
(2) Management risk includes lack of planning, lack of management experience and training, communication problems, organizational problems, lack of authority, and control issues. (3) Financial risk includes cash flow, capital and budget problems, and Return on Investment (ROI). (4) Contractual and legal risk include changing requirements, health and safety issues, government regulations, and product warranty issues. (5) Personnel risk includes the staff performance, experience and training problems, ethics and moral issues, staff conflicts, and productivity issues. (6) Another resource risk includes the unavailability or delay in delivery of equipment and supplies, inadequate equipment and facilities, unavailability of computer resources, and slow response time.
Based on their research about the project risk, these can be summarized as shown in Table 2. Also, there is the most mentioned risk in their different research result, namely user requirement, project complexity, planning and control, team, organizational environment, technology, and financial risk. The success of the project can generally be defined as a comparison between the project planning and the final outcome of the project (time, budget, and requirements). When all is appropriate or even better than the planning, the project was successful. The success of the projectis the same for every stakeholder who are involved in the project.
Risks in the project can be managed by making and provide a list of the relevant risk to the project based on the impact on the success of the project. A poor requirement also can be the cause of the failure of the project (Bakker, Boonstra, & Wortmann, 2010). Many IT projects are experiencing the uncertainty in the success of the project. Determining what can be delivered in the project at the beginning of the project is not easy as seen in Figure 1. The changes in project requirements will almost certainly occur. These changes may be a risk of the project.  Company revenue does not influence the perceptionof project success Accepted H3 The type of project does not influence the perceptionof project success Accepted H4 The presence of a risk manager does not influenceproject success Rejected Risk managers become an essential element in the project risk management. Risk managers are the people who are entitled to perform the risk management (to identify, assess, and control the risks). Based on the results of hypothesis testing that has been performed by Junior and Carvalho (shown in Table 3), it can be concluded that the presence of risk management and risk managers influence the success of the project. The project is said to be successful when the result of the project is appropriate or better than the planning (shown in Figure 1). A good risk management can lead the project to its success, only if the risks and how to control them in project have been identified before the project was started.
The study which is conducted by Sarigiannidis and Chatzoglou (2011) stated that the definition of the software projects performance can be divided into two main categories, namely: (1) subjective performance which refers to the efficiency and effectiveness of the software when the project has been completed according to the people involved in the project. (2) Performance objective includes some quantitative metrics such as the advantages in terms of cost, effort, and schedule.
The above performance categories should be used together to measure performance that is quite important for software developersand users (Sarigiannidis & Chatzoglou, 2011). Didraga (2013) made a research model (shown in Figure 2) to determine the relationship between risk management and IT projects performance. Therefore, Didraga (2013) made two major hypotheses to be tested related to his research, namely: (1) the first hypothesis (H1): Risk management practices are correlated with the subjective performance of IT projects. (2) The second hypothesis (H2): Risk management practices are correlated with the objective performance of the projects, as seen in Figure 2. Target of the population consisted of project managers, IT managers, and IT Analyst at IT companies in Romanian. The samples derived from convenience method and snow-ball method on a database of 361 companies between June 10, 2012, and July 11, 2012. Didraga (2013) used the online questionnaire instrument by using Google Docs and processed it using Microsof Excel 2007 and IBM @ SPSS 19. He received 108 responses from 72 companies. The variables used were risk management practices used in IT projects, the subjective performance, and the objective performance of IT projects. Each of these hypotheses to be tested by Didraga (2013) has several sub-hypotheses and different sub-hypotheses results. The results can be seen in Table 4 and Table 5. Risk identification is correlated with the subjective performance of the IT project Rejected H1b Risk analysis is correlated with the subjective performance of the IT project Accepted H1c Risk response planning is correlated with the subjective performance of the IT project Rejected H1d Risk response monitoring and control are correlated with the subjective performance of the IT project Accepted