Representing IT Projects Risk Management Best Practices as a Metamodel

Abstract: Although still relatively new, the field of IT Governance has its own bodies of knowledge, which include various methodologies, frameworks and techniques supported by a steadily growing base of research. IT Project Risk Management has since emerged as a field of its own, and many frameworks and methodologies have been proposed by both practitioners and researchers. A review of the literature on the subject shows a divergence between the two: practitioners propose sets of good practices drawn from professional environments, but the heaviness of the proposed guides hinders their application and adoption by managers and their improvement by researchers. This calls for a specific focus on modelling the best practices of IT governance frameworks in order to bring together the contributions of practitioners and researchers. In this paper, special attention is dedicated to the Project Management Institute's guides. The main objective is to represent IT Project Risk Management best practices as a Metamodel in order to complement different areas of knowledge.


I. INTRODUCTION
Project management frameworks are becoming an obligation in order to face environmental requirements and to meet the strategic objectives set by the organization. The authors in [1] pointed out that project management serves as a primary capability of an organization to respond to change and gain a competitive edge. The authors in [2] define project management as a critical competency for organizational strategy. Despite the proliferation of project management frameworks, methodologies and software, many projects fail. According to the Standish Group study, the project failure rate is high in the technology sector: most projects are over budget or past their deadline, with lower quality than expected, and the project success rate declined from 34% in 2004 to 32% in 2009 [3]. The author in [4] defines project management success as a subset of project success, an internal measure of efficiency. A survey study was carried out in [4] to investigate linkages among organizational project management maturity factors, project success factors and project management performance factors. The result of this study suggests that organizations encouraging project managers to obtain the Project Management Professional (PMP) certification are likely to have procedures and policies in place.

Conventional project risk management is reactive: risk managers are involved only when the project is already over budget, past its deadline or underperforming. Software supporting project management has been designed, but less attention has been devoted to the assessment of project risks. On the other hand, risk management principles are described by international standards which do not prescribe how the process should be implemented. IT managers must have a global and complete view of the existing methodologies and frameworks in order to choose the best framework for each specific project. Yet managers prefer specific project methodologies and find it difficult to manage projects that use other methodologies. Moreover, IT project management software is designed to meet the requirements of only one framework. Furthermore, the heavy nature of framework guides does not allow researchers interested in IT governance to improve these frameworks. Hence the need for representing the knowledge areas of IT governance frameworks as consistent basic models.

This paper focuses on exploring linkages among project management and project risk management knowledge areas. For that aim, we analyze two of the most used frameworks for project management, PMBOK and PRINCE2, and we compare PMI's Risk Management framework with the M_O_R guide established by the OGC. This comparison provides a better understanding of IT management frameworks. We then use it to suggest a global model of the management of IT projects in organizations by combining different knowledge areas derived from these IT project frameworks, which allows a better alignment of projects with the strategy crafted by the company. The rest of this paper is organized as follows: first, we present an overview of related works and explain the motivation for our contribution in section II. Second, we present a description and analysis of project management frameworks and project risk management guides in sections III and IV respectively. Then we provide our proposed IT project risk management Metamodel in section V. Finally, we discuss the main outcomes and highlight a number of limitations and perspectives of our work in the conclusion.

II. RELATED WORKS AND MOTIVATION
Several risk management approaches have been presented by researchers. The authors in [5] integrated some of the most effective risk management recommendations of different researchers with the elementary risk management process in the form of a database. The authors in [6] established an evaluation model for software project risk based on a BP neural network and its algorithm process. The authors in [7] use the importance measure technique to model the complex field of risk management; they provide an application that assesses both risks and risk interactions in order to establish priorities for further decision making. The authors in [8] proposed a two-phase method focusing on the characteristics of dynamic risk and multiple attributes, based on a Markov model to evaluate risk in the first phase and then TOPSIS to select a risk management strategy. The authors in [9] established a project risk management method based on a Bayesian network model for predicting job completion time and preventing delivery delays. The authors in [10] used the AHP model to construct a risk model to find knowledge relating to risks. Despite the many risk management approaches presented by researchers and the wide use of IT project management frameworks by IT managers, the success rate of projects is very low [3, 11, 12]. This paper points out the enhanced need for analyzing, comparing and integrating IT management best practices. The objective of our contribution is to integrate effective risk management techniques identified from the professional literature with the elementary project management conceptual model in order to make it more effective. To this end, five growing and established project methodologies were compared, and a generic project management Metamodel has been suggested. In our case, we use the UML language to model the concepts of IT Project Risk Management and to show the relations maintained between them. UML is a standard maintained by the OMG [13]. It is originally a software design language that allows specifying the objects manipulated in applications (class diagram). In the field of research, UML has been used in different areas: to structure meta-models within the framework of an MDA approach [14], to model ontologies [15], to specify domain models for trades within an architecture framework [16] or to specify multi-agent systems [17], which makes UML a stable reference language for modeling concepts and their relationships.

III. REVIEW OF PROJECT MANAGEMENT FRAMEWORK
According to [18], project management is an iterative process, considered as a lock-step sequence of activities, applying skills, tools, knowledge and techniques in order to meet the project stakeholders' needs and expectations.

A. PMBOK (Project Management Body of Knowledge)
PMI's PMBOK Guide is a set of standard terminology and knowledge for project management. It combines 9 knowledge areas and 5 process groups with 44 KPAs (key process areas); it handles the project life cycle and phases, the project stakeholders, the organizational and socioeconomic influences and the general management skills needed by the project manager. PMBOK processes are described as a standard for project management because the PMI is accredited by the American National Standards Institute as a standards developer. PMBOK does not prescribe any specific life cycle for small projects; it only specifies that the project life cycle should be divided into phases, which is a difficult process for small project managers [18].

B. Prince2
Prince2 is the successor of PROMPTII. It was released by the UK government in 1996, and its most recent edition was released in 2009. Prince2 is a methodology for managing all types of projects effectively. It consists of 5 phases and 8 high-level processes (6 main processes and 2 supporting processes). PRINCE2 is mostly used in UK organizations. Prince2 requires a high degree of support from top management to get the desired results, and it does not provide any support for people and contract management.

C. PMBOK and PRINCE2 comparison and analysis
The two methodologies discussed have commonalities in their features and ultimate goal: they perform tasks with a common goal but with different approaches. We provide a basic comparison of the PMBOK and PRINCE2 structures in Table I. The PMBOK guide is described as descriptive, while Prince2 is often described as prescriptive, because the PMBOK guide contains many descriptions of tools, techniques and processes. PMBOK describes the output of each process but does not explain what information must be recorded in those outputs. Unlike PMBOK, Prince2 describes what information must be recorded in the outputs of its processes and who is responsible for recording it. The main strength of the PMBOK guide is that it provides a range of useful tools and techniques (119 tools, compared with only 40 tools referred to in the PRINCE2 guide). The greatest strength of Prince2 is that the majority of decisions must be based on the business case, so Prince2 allows a better understanding of benefits versus costs. Moreover, Prince2 provides a detailed description of multiple project management team roles, describing the responsibilities of a total of 9 different roles. The biggest weakness of Prince2 is its lack of tools and techniques, since it describes only 2 techniques. Neither Prince2 nor PMBOK is intended to tell managers how to use any of the techniques or tools described; they only lay out the process.

IV. REVIEW OF PROJECT RISK MANAGEMENT MODELS
Several risk maturity models exist in the literature, among them PMI's risk management model, the M_O_R guideline and ISO 31000.

A. PMI's Risk Management Model
According to the Project Management Institute's PMBOK, risk management is one of the ten knowledge areas in which a project manager must be competent. Risk management is defined as an organizational policy for optimizing investments and risk in order to minimize the probability of failure. PMI provides a practice standard for project risk management based on the PMBOK guide. It explains the purpose of risk management and provides a list of critical success factors for implementing it. These factors are applicable to most organizations and projects regardless of their size. PMI's risk management standard distinguishes between individual project risks and overall project risk, and discusses the role of the project manager in risk management. It also identifies six risk management processes:
• Plan risk management
• Identify risks
• Perform qualitative risk analysis
• Perform quantitative risk analysis
• Plan risk responses
• Monitor and control risks

B. M_O_R Guideline
The UK Office of Government Commerce published a risk management guide called M_O_R. The M_O_R guide provides a maturity model for risk management, the so-called "health check", and offers a framework that consists of four main steps.

C. ISO 31000
The ISO technical management board working group developed an international standard focusing on risk principles and guidelines, ISO 31000:2009. It provides guidelines for risk definition and the risk management process, and it focuses on risk assessment. Its process includes:
• Communication and consultation
• Establishing the context
• Monitoring and review

D. Project Risk Management Standards Comparison
While ISO 31000 is a stand-alone risk management standard, PMI's framework is highly integrated within the PMBOK framework. The main advantage of PMI's risk management standard is that it provides much more specific information on how the process can be implemented and that it differentiates between qualitative and quantitative risk analysis. The principal disadvantages of PMI's standard are that it does not include the articulation of organizational objectives or the risk evaluation process. Much like PMI's framework, ISO 31000 underscores the importance of accounting for the context in which risk management is implemented. Moreover, its risk management processes are similar to those proposed in PMI's framework and do not contradict them. ISO 31000 addresses risk in general, while PMI's framework addresses project risk. ISO 31000 differentiates between three types of risks: qualitative, semi-quantitative and quantitative. M_O_R is based on ISO 31000, but it focuses on practical application and provides more details about risk management. For our contribution, we have selected PMI's frameworks for several reasons:
• The standards of PMI have achieved extensive exposure and worldwide acceptance [19].
• PMI's frameworks provide more details, tools and techniques about project management.
• PMI's practice standard for project risk management is generic and can be applied to any organization.
• Finally, PMI is involved in the ISO/PC236 project committee and the ISO/TC258 committee, so ISO and PMI's risk management standards will be more closely aligned [19].
Hence, we propose a project management Metamodel based on the PMBOK guide and PMI's risk management standard.

www.etasr.com El Yamami et al.: Representing IT Projects Risk Management Best Practices as a Metamodel

V. PROPOSED METAMODEL
The objective of this section is to present the concepts manipulated in our proposed model for IT project risk management. The proposed integrated model (Figure 1) is composed of two packages, one for the model derived from PMBOK and the second for the model derived from PMI's risk management standard. To explain our model, we start by describing the PMBOK and PMI risk management standard architectures, then we present the relation between the two original packages.

A. PMBOK Model
The main classes of the project management model are derived from [20, 21]. PMBOK covers human and physical resources, activities, deliverables, organizational concepts and their associated classes. An Organization has a collection of Programs; each Program is composed of a set of Projects directed by one given Stakeholder [20]. A Stakeholder may assume one or many Roles in a Project. Each Project is composed of a set of Phases, which are related to Activities that can be divided into Tasks. For each Activity, the associated Stakeholders and their respective Roles must be defined. Activities are related to Deliverables as input or output, and each Deliverable has a type and a responsible. The PMBOK guide defines five Process Groups (initiating, planning, executing, monitoring and controlling, and closing); each Activity is related to a Management Process that is associated with one or more Knowledge Areas (such as scope, time, cost, quality) [20]. Knowledge Areas can be classified as core or facilitating knowledge areas.

B. PMI's Risk Management Standard
Our model must satisfy the requirements defined in PMI's risk management domains:
D1. Risk Strategy and Planning: this domain allows quantifying risk tolerances in order to assess risk thresholds for the project, developing a project risk strategy in order to establish the outline of the risk management plan, and establishing evaluation criteria for risk management processes based on project objectives in order to measure the effectiveness of the project risk process.
D2. Stakeholder Engagement: this domain allows assessing stakeholder risk tolerance, prioritizing project risks, promoting risk ownership and engaging stakeholders in the risk prioritization process based on stakeholder risk tolerance in order to optimize consensus regarding priorities.
D3. Risk Process Facilitation: this domain aims to facilitate risk identification, evaluation, prioritization and response among project team members; to apply risk assessment processes and tools in order to quantify stakeholder risk tolerances and determine risk levels; and to provide risk data to cost and schedule analysts/estimators to ensure that project risk is properly reflected in the project's cost and schedule estimates.
D4. Risk Monitoring and Reporting: this domain allows creating custom reports using risk-related metrics in order to communicate risk management activities and status.
D5. Perform Specialized Risk Analyses: this domain aims to evaluate identified risk attributes using advanced quantitative tools and qualitative techniques in order to estimate the overall risk exposure of the project and to support stakeholder decision making.
Accordingly, the PMI defines a Risk as a probability of threat or damage whose occurrence can impact resources and activities. For each Risk, the PMI specifies a set of risk policies, risk evaluation criteria and one or more risk tools, which can be qualitative techniques or quantitative tools. It defines a risk type, which can be operational, tactical or strategic, and a risk strategy, which can be corrective or preventive. A Risk Occurrence is under the responsibility of a Risk Manager; for each Risk Occurrence the Risk Level is determined, and the stakeholders are engaged in the Risk Prioritization process based on the stakeholders' Risk Tolerance. The PMI defines a Risk Assessment plan that enables decision makers to manage risks. The assessment places a risk occurrence in one of four risk response categories: mitigate the risk if its impact is small; avoid the risk for activities with a high likelihood of loss and a large financial impact; transfer the risk to a third party for activities with a large financial impact; and accept the risk if a cost-benefit analysis determines that the cost of mitigating the risk is higher than the cost of bearing it. Integrating the IT project management model with risk management best practices allows early identification and a better understanding of the nature of the risks faced, and makes risk identification proactive, which eases the planning of mitigation for the effects of potential risks. The Metamodel introduced in Figure 1 is able to represent the fundamental structure from which enhanced IT project risk management models can be derived with respect to the processes of PMI's guides. This Metamodel can be adapted to a new application domain so that the logic of IT project risk management can be reused with a reasonable tailoring effort.
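To make the response rule above concrete, the following Python sketch (an added example, not part of the paper or of PMI's guides) models Risk Occurrence, Risk Level and Stakeholder Risk Tolerance from the metamodel and encodes the four response categories. The numeric thresholds for "large" impact and "high" likelihood, the definition of risk level as expected loss, the order in which the rules are tested and the sample risks are all assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class RiskType(Enum):
    OPERATIONAL = "operational"
    TACTICAL = "tactical"
    STRATEGIC = "strategic"


class Response(Enum):
    MITIGATE = "mitigate"
    AVOID = "avoid"
    TRANSFER = "transfer"
    ACCEPT = "accept"


@dataclass(frozen=True)
class Stakeholder:
    name: str
    risk_tolerance: float  # assumed: largest expected loss the stakeholder accepts


@dataclass(frozen=True)
class RiskOccurrence:
    risk: str
    risk_type: RiskType
    probability: float       # likelihood that the threat materialises, 0..1
    financial_impact: float  # loss if it does
    mitigation_cost: float   # cost of the mitigating response

    def risk_level(self) -> float:
        """Risk Level taken as expected loss (assumed definition)."""
        return self.probability * self.financial_impact


# Assumed thresholds: the paper names the categories, not the numbers.
LARGE_IMPACT = 100_000.0
HIGH_LIKELIHOOD = 0.5


def assess(occ: RiskOccurrence) -> Response:
    """Place a risk occurrence in one of the four PMI response categories."""
    large = occ.financial_impact >= LARGE_IMPACT
    if large and occ.probability >= HIGH_LIKELIHOOD:
        return Response.AVOID      # high likelihood of loss and large impact
    if large:
        return Response.TRANSFER   # large impact: shift it to a third party
    if occ.mitigation_cost > occ.risk_level():
        return Response.ACCEPT     # cheaper to bear the risk than to mitigate it
    return Response.MITIGATE       # small impact that is worth reducing


def prioritize(occs, stakeholders):
    """Rank occurrences by Risk Level and flag those above the most
    risk-averse stakeholder's tolerance, which is where engagement is needed."""
    floor = min(s.risk_tolerance for s in stakeholders)
    ranked = sorted(occs, key=lambda o: o.risk_level(), reverse=True)
    return [(o.risk, o.risk_level(), o.risk_level() > floor) for o in ranked]


# Constructed sample data, not taken from the paper.
STAKEHOLDERS = [Stakeholder("sponsor", 20_000.0), Stakeholder("pmo", 5_000.0)]
RISKS = [
    RiskOccurrence("vendor insolvency", RiskType.STRATEGIC, 0.6, 250_000.0, 30_000.0),
    RiskOccurrence("data-centre outage", RiskType.OPERATIONAL, 0.1, 150_000.0, 20_000.0),
    RiskOccurrence("key developer leaves", RiskType.TACTICAL, 0.3, 40_000.0, 6_000.0),
    RiskOccurrence("licence price increase", RiskType.OPERATIONAL, 0.5, 2_000.0, 1_500.0),
]

if __name__ == "__main__":
    for occ in RISKS:
        print(f"{occ.risk:24s} level={occ.risk_level():>9.0f} -> {assess(occ).value}")
    print(prioritize(RISKS, STAKEHOLDERS))
```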

VI. CONCLUSION AND FUTURE WORKS
The main objective of this paper was to understand risk assessment concepts in order to develop a model for IT project risk management. Most project management models proposed by researchers do not allow managing risks in compliance with risk management standards. This research paper is an attempt to overcome these challenges and provide a conceptual model for the development of project management and risk assessment solutions. For that aim, we compared the methodologies most utilized within organizations, and we chose PMI's standards. Therefore, our conceptual model is based on a combination of the PMBOK guide and PMI's risk management standard, combining different knowledge areas derived from these guides. The integration of these standards allows starting the risk management process early in the project lifecycle by including key stakeholders in the process, evaluating project risks periodically during the project lifecycle and developing risk mitigation plans, which provides a better alignment of projects with the strategy crafted by the company. The paper points out the enhanced need for analysing, comparing and integrating IT management best practices in order to achieve more efficient project management. Our contribution has some limitations: the model is primarily focused on PMBOK best practices. This framework does not take business case management into consideration, which does not allow managing IT investment processes. In addition, our model does not present IT investment management knowledge areas. This process can be considered and explored in the future for developing an IT strategic project alignment model in order to improve return on investment. Besides that, our model does not define the organizational change management processes; future research should explore the integration of PMBOK and Prince2 best practices for


Fig. 1. IT Projects Risk Management Best Practices Metamodel