<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Publishing DTD v1.3 20210610//EN" "JATS-journalpublishing1-3.dtd">
<article article-type="research-article" dtd-version="1.3" xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xml:lang="ru"><front><journal-meta><journal-id journal-id-type="publisher-id">proanaris</journal-id><journal-title-group><journal-title xml:lang="ru">Проблемы анализа риска</journal-title><trans-title-group xml:lang="en"><trans-title>Issues of Risk Analysis</trans-title></trans-title-group></journal-title-group><issn pub-type="ppub">1812-5220</issn><issn pub-type="epub">2658-7882</issn><publisher><publisher-name>ФГБУ ВНИИ ГОЧС (ФЦ)</publisher-name></publisher></journal-meta><article-meta><article-id custom-type="edn" pub-id-type="custom">PCYTXA</article-id><article-id custom-type="elpub" pub-id-type="custom">proanaris-1032</article-id><article-categories><subj-group subj-group-type="heading"><subject>Research Article</subject></subj-group><subj-group subj-group-type="section-heading" xml:lang="ru"><subject>УПРАВЛЕНИЕ РИСКАМИ</subject></subj-group><subj-group subj-group-type="section-heading" xml:lang="en"><subject>RISK MANAGEMENT</subject></subj-group></article-categories><title-group><article-title>Модель зрелости системы управления рисками для ИТ-субъектов</article-title><trans-title-group xml:lang="en"><trans-title>The Maturity Model of Risk Management for IT-Entities</trans-title></trans-title-group></title-group><contrib-group><contrib contrib-type="author" corresp="yes"><name-alternatives><name name-style="eastern" xml:lang="ru"><surname>Николаенко</surname><given-names>В. С.</given-names></name><name name-style="western" xml:lang="en"><surname>Nikolaenko</surname><given-names>V. S.</given-names></name></name-alternatives><bio xml:lang="ru"><p>Николаенко Валентин Сергеевич: кандидат экономических наук, доцент кафедры автоматизации обработки информации, доцент Бизнес-школы, доцент кафедры экономики, социологии, политологии и права</p><p>634050, г. Томск, пр. Ленина, 40</p><p>634050, г. Томск, пр. Ленина, 30</p><p>634050, г. Томск, Московский тракт, 2</p></bio><bio xml:lang="en"><p>Valentin S. Nikolaenko</p><p>Lenin Ave., 40, Tomsk, 634050</p><p>Lenin Ave., 30, Tomsk, 634050</p><p>Moscow Tract, 2, Tomsk, 634050</p></bio><email xlink:type="simple">valentin.s.nikolaenko@tusur.ru</email><xref ref-type="aff" rid="aff-1"/></contrib></contrib-group><aff-alternatives id="aff-1"><aff xml:lang="ru"><institution>Томский государственный университет систем управления и радиоэлектроники; Томский политехнический университет; Сибирский государственный медицинский университет</institution><country>Россия</country></aff><aff xml:lang="en"><institution>Tomsk State University of Control Systems and Radioelectronics; Tomsk Polytechnic University; Russian Federation Siberian State Medical University</institution><country>Russian Federation</country></aff></aff-alternatives><pub-date pub-type="collection"><year>2026</year></pub-date><pub-date pub-type="epub"><day>25</day><month>02</month><year>2026</year></pub-date><volume>23</volume><issue>1</issue><fpage>36</fpage><lpage>49</lpage><permissions><copyright-statement>Copyright &amp;#x00A9; Николаенко В.С., 2026</copyright-statement><copyright-year>2026</copyright-year><copyright-holder xml:lang="ru">Николаенко В.С.</copyright-holder><copyright-holder xml:lang="en">Nikolaenko V.S.</copyright-holder><license xml:lang="ru" license-type="creative-commons-attribution" xlink:href="https://creativecommons.org/licenses/by/4.0/" xlink:type="simple"><license-p>Данная работа распространяется под лицензией Creative Commons Attribution 4.0.</license-p></license><license xml:lang="en" license-type="creative-commons-attribution" xlink:href="https://creativecommons.org/licenses/by/4.0/" xlink:type="simple"><license-p>This work is licensed under a Creative Commons Attribution 4.0 License.</license-p></license></permissions><self-uri xlink:href="https://www.risk-journal.com/jour/article/view/1032">https://www.risk-journal.com/jour/article/view/1032</self-uri><abstract><p>В статье рассматривается авторская модель зрелости системы управления рисками для субъектов, занятых разработкой компьютерного программного обеспечения и оказанием консультационных услуг в этой области (ОКВЭД класс 62). Ключевым аспектом ее разработки стали результаты анализа наиболее популярных моделей зрелости, таких как RM Maturity Model, The Management of Risk Maturity Model, RMM и RM3. По итогам анализа были сформулированы требования, которым должна удовлетворять отечественная модель зрелости системы управления рисками, применимая в области информационных технологий. Было установлено, что модель зрелости системы управления рисками должна с повышением уровня зрелости сопровождаться уменьшением объемов материального ущерба и иного вреда для заинтересованных сторон и соответствовать требованиям национальных стандартов по управлению рисками. Кроме того, квалификация специалистов, ответственных за управление рисками, должна соответствовать требованиям профессиональных стандартов. Оценка критериев разработанной модели зрелости системы управления рисками позволила сделать вывод, что она полностью соответствует заявленным требованиям, что указывает на ее потенциальную результативность и эффективность в вопросе митигации рисков. Так, в зависимости от развития, ИТ-субъекту может быть присвоен один из трех уровней зрелости: «Низкий», «Средний» или «Высокий». Если ИТ-субъект имеет «Низкий» уровень зрелости системы управления рисками, то для него характерна частая материализация рисков, приводящих к значительным объемам материального ущерба и иному урону как для него самого, так и для заинтересованных сторон. Если ИТ-субъект имеет «Средний» уровень зрелости системы управления рисками, то для него характерно приемлемое количество наступающих рисков, приводящих к «контролируемым» объемам материального ущерба. При достижении «Высокого» уровня зрелости системы управления рисками ИТ-субъект не сталкивается с событиями, которые могут негативно повлиять на процессы создания ИТ-продуктов во время реализации ИТ-проектов (спринтов, фаз жизненных циклов, контрактов и др.).</p></abstract><trans-abstract xml:lang="en"><p>The article considers the author's model for the maturity of risk management systems for entities involved in developing computer software and providing consulting services in this area. The key aspects of its development were the results of an analysis of popular maturity models such as RM Maturity Model, The Management of Risk Maturity Model, RMM, and RM3, based on which requirements were formulated for a domestic RMS model applicable to the IT-field. It was determined that the RMS maturity model should be accompanied by reduced material damage and harm to stakeholders, increased maturity levels, and compliance with national risk management standards. In addition, specialists responsible for managing risks must meet professional standards, and evaluation of the criteria for the developed model allowed us to determine that it meets all requirements, indicating its potential effectiveness in mitigating risks. Depending on its development, an entity can be assigned to one of three levels of maturity – «Low», «Medium», or «High». If an entity has a «Low» level of RMS, it is characterized by a high frequency of materialized risks leading to large amounts of damage, both to itself and to interested parties. An entity with a «Medium» level has an acceptable number of risks leading to «controlled» amounts of damage. At the «High» level, the entity does not experience events that could negatively affect IT-product creation during IT-project implementation (sprint, lifecycle phase, contract, etc.).</p></trans-abstract><kwd-group xml:lang="ru"><kwd>ИТ-субъект</kwd><kwd>ИТ-продукт</kwd><kwd>ИТ-проект</kwd><kwd>модель зрелости</kwd><kwd>риск</kwd></kwd-group><kwd-group xml:lang="en"><kwd>IT-entity</kwd><kwd>IT-product</kwd><kwd>IT-project</kwd><kwd>maturity model</kwd><kwd>risk</kwd></kwd-group><funding-group><funding-statement xml:lang="ru">Работа выполнена в рамках государственного задания Минобрнауки России, проект FEWM-2026-0011.</funding-statement><funding-statement xml:lang="en">This research was funded by Ministry of Science and Higher Education of the Russian Federation, project FEWM-2026-0011.</funding-statement></funding-group></article-meta></front><back><ref-list><title>References</title><ref id="cit1"><label>1</label><citation-alternatives><mixed-citation xml:lang="ru">Николаенко В. С. Комплаенс-риски эксплуатации ИТ‑продуктов // Стратегические решения и риск-менеджмент. 2024. Т. 15 № 4. С. 360–367. https://doi.org/10.17747/2618-947X‑2024-4-360-367</mixed-citation><mixed-citation xml:lang="en">Nikolaenko V. S. Compliance-risks in the operation of IT products // Strategic Decisions and Risk Management. 2024;15(4):360–367. (In Russ.) https://doi.org/10.17747/2618-947X‑2024-4-360-367</mixed-citation></citation-alternatives></ref><ref id="cit2"><label>2</label><citation-alternatives><mixed-citation xml:lang="ru">Яхваров Е. К. Совершенствование системы управления рисками в коммерческой деятельности организации // Гипотеза. 2019. № 3 (8). С. 19–25</mixed-citation><mixed-citation xml:lang="en">Yahvarov E.K Improvement of the risk management system in the commercial activity of the organization // Hypothesis. 2019;(3):19–25. (In Russ.)</mixed-citation></citation-alternatives></ref><ref id="cit3"><label>3</label><citation-alternatives><mixed-citation xml:lang="ru">Cienfuego I. Developing a risk maturity model for dutch municipalities. PhD Thesis. 2013. 227 p.</mixed-citation><mixed-citation xml:lang="en">Cienfuego I. Developing a risk maturity model for dutch municipalities. PhD Thesis. 2013. 227 p.</mixed-citation></citation-alternatives></ref><ref id="cit4"><label>4</label><citation-alternatives><mixed-citation xml:lang="ru">Jugdev K., Thomas J. Project management maturity models: the silver bullets of competitive advantage? // Project Management Journal. 2002;33(4):4–14. https://doi.org/10.1177/875697280203300402</mixed-citation><mixed-citation xml:lang="en">Jugdev K., Thomas J. Project management maturity models: the silver bullets of competitive advantage? // Project Management Journal. 2002;33(4):4–14. https://doi.org/10.1177/875697280203300402</mixed-citation></citation-alternatives></ref><ref id="cit5"><label>5</label><citation-alternatives><mixed-citation xml:lang="ru">Montero G. Analysis of common maturity models applied to project management. book of proceedings of the 7th International Conference on Industrial Engineering and Industrial Management XVII Congreso de Ingeniería de Organización. Valladolid. 2013. P. 788–794.</mixed-citation><mixed-citation xml:lang="en">Montero G. Analysis of common maturity models applied to project management. book of proceedings of the 7th International Conference on Industrial Engineering and Industrial Management XVII Congreso de Ingeniería de Organización. Valladolid. 2013. P. 788–794.</mixed-citation></citation-alternatives></ref><ref id="cit6"><label>6</label><citation-alternatives><mixed-citation xml:lang="ru">Khoshgoftar M., Osman O. Comparison of maturity models. 2nd International Conference on Built Environment in Developing Countries. Penang. 2008. P. 953–964.</mixed-citation><mixed-citation xml:lang="en">Khoshgoftar M., Osman O. Comparison of maturity models. 2nd International Conference on Built Environment in Developing Countries. Penang. 2008. P. 953–964.</mixed-citation></citation-alternatives></ref><ref id="cit7"><label>7</label><citation-alternatives><mixed-citation xml:lang="ru">Grant K. P., Pennypacker J. S. Project management maturity: an assessment of project management capabilities among and between selected industries // IEEE Transactions on Engineering Management. 2006;53(1):59–68. https://doi.org/10.1109/TEM.2005.861802</mixed-citation><mixed-citation xml:lang="en">Grant K. P., Pennypacker J. S. Project management maturity: an assessment of project management capabilities among and between selected industries // IEEE Transactions on Engineering Management. 2006;53(1):59–68. https://doi.org/10.1109/TEM.2005.861802</mixed-citation></citation-alternatives></ref><ref id="cit8"><label>8</label><citation-alternatives><mixed-citation xml:lang="ru">Backlund F., Choronner D., Sundqvist E. Project management maturity models — a critical review. A case study within Swedish engineering and construction organizations. 27th IPMA World Congress. 2014;119:837–846</mixed-citation><mixed-citation xml:lang="en">Backlund F., Choronner D., Sundqvist E. Project management maturity models — a critical review. A case study within Swedish engineering and construction organizations. 27th IPMA World Congress. 2014;119:837–846</mixed-citation></citation-alternatives></ref><ref id="cit9"><label>9</label><citation-alternatives><mixed-citation xml:lang="ru">Anderson E. S., Jessen S. A. Project maturity in organizations // International Journal of Project Management Accounting. 2003;21(6):457–461. https://doi.org/10.1016/S0263-7863(02)00088-1</mixed-citation><mixed-citation xml:lang="en">Anderson E. S., Jessen S. A. Project maturity in organizations // International Journal of Project Management Accounting. 2003;21(6):457–461. https://doi.org/10.1016/S0263-7863(02)00088-1</mixed-citation></citation-alternatives></ref><ref id="cit10"><label>10</label><citation-alternatives><mixed-citation xml:lang="ru">Crawford K. J. Project management maturity model. New York: Auerbach Publications, 2007. 235 p.</mixed-citation><mixed-citation xml:lang="en">Crawford K. J. Project management maturity model. New York: Auerbach Publications, 2007. 235 p.</mixed-citation></citation-alternatives></ref><ref id="cit11"><label>11</label><citation-alternatives><mixed-citation xml:lang="ru">D. Proença, J. Estevens, R. Vieira and J. Borbinha, “Risk Management: A Maturity Model Based on ISO 31000,” 2017 IEEE 19th Conference on Business Informatics (CBI), Thessaloniki, Greece, 2017, pp. 99–108, https://doi.org/10.1109/CBI.2017.40.</mixed-citation><mixed-citation xml:lang="en">D. Proença, J. Estevens, R. Vieira and J. Borbinha, “Risk Management: A Maturity Model Based on ISO 31000,” 2017 IEEE 19th Conference on Business Informatics (CBI), Thessaloniki, Greece, 2017, pp. 99–108, https://doi.org/10.1109/CBI.2017.40.</mixed-citation></citation-alternatives></ref><ref id="cit12"><label>12</label><citation-alternatives><mixed-citation xml:lang="ru">Zou P., Chen Y., Chan T. Understanding and improving your risk management capability: assessment model for construction organization // Journal of Construction Engineering and Management. 2010;136(8):854–864. https://doi.org/10.1061/(ASCE)CO.1943-7862.0000175</mixed-citation><mixed-citation xml:lang="en">Zou P., Chen Y., Chan T. Understanding and improving your risk management capability: assessment model for construction organization // Journal of Construction Engineering and Management. 2010;136(8):854–864. https://doi.org/10.1061/(ASCE)CO.1943-7862.0000175</mixed-citation></citation-alternatives></ref><ref id="cit13"><label>13</label><citation-alternatives><mixed-citation xml:lang="ru">Nikolaenko V., Sidorov A. Assessing the maturity level of risk management in it projects // Sustainability. 2023;15(17):12752. https://doi.org/10.3390/su151712752</mixed-citation><mixed-citation xml:lang="en">Nikolaenko V., Sidorov A. Assessing the maturity level of risk management in it projects // Sustainability. 2023;15(17):12752. https://doi.org/10.3390/su151712752</mixed-citation></citation-alternatives></ref><ref id="cit14"><label>14</label><citation-alternatives><mixed-citation xml:lang="ru">Николаенко В. С. Комплаенс-особенности создания ИТ‑продуктов в рамках выполнения ИТ‑проектов // Проблемы анализа риска. 2024. Т. 21. № 5. С. 97–107. — EDN: OKHMIT</mixed-citation><mixed-citation xml:lang="en">Nikolaenko V. S. Compliance-features of creating IT-Products within the framework of IT-Projects // Issues of Risk Analysis. 2024;21(5):97–107. (In Russ.) — EDN: OKHMIT</mixed-citation></citation-alternatives></ref><ref id="cit15"><label>15</label><citation-alternatives><mixed-citation xml:lang="ru">Николаенко В. С. Технологические особенности создания ИТ‑продуктов в рамках выполнения ИТ‑проектов // Стратегические решения и риск-менеджмент. 2024. № 15 (3). С. 270–279. https://doi.org/10.17747/2618-947X-2024-3-270-279</mixed-citation><mixed-citation xml:lang="en">Nikolaenko V. S. Technological features of creating IT products within the framework of implementing IT Projects // Strategic Decisions and Risk Management. 2024;15(3):270–279. (In Russ.) https://doi.org/10.17747/2618-947X-2024-3-270-279</mixed-citation></citation-alternatives></ref><ref id="cit16"><label>16</label><citation-alternatives><mixed-citation xml:lang="ru">Farrell M., Gallagher R. The Valuation implications on enterprise risk management maturity // Journal of Risk and Insurance. 2015;82(3):625–657.</mixed-citation><mixed-citation xml:lang="en">Farrell M., Gallagher R. The Valuation implications on enterprise risk management maturity // Journal of Risk and Insurance. 2015;82(3):625–657.</mixed-citation></citation-alternatives></ref><ref id="cit17"><label>17</label><citation-alternatives><mixed-citation xml:lang="ru">Nikolaenko V., Sidorov A. Analysis of 105 IT Project risks // Journal of Risk and Financial Management. 2023;16(1):33. https://doi.org/10.3390/jrfm16010033</mixed-citation><mixed-citation xml:lang="en">Nikolaenko V., Sidorov A. Analysis of 105 IT Project risks // Journal of Risk and Financial Management. 2023;16(1):33. https://doi.org/10.3390/jrfm16010033</mixed-citation></citation-alternatives></ref><ref id="cit18"><label>18</label><citation-alternatives><mixed-citation xml:lang="ru">Николаенко В. С. Анализ требований к квалификации специалистов, занятых созданием ИТ‑продуктов в рамках выполнения ИТ‑проектов // Векторы благополучия: экономика и социум. 2025. Т. 53. № 3. С. 97–109. https://doi.org/10.18799/26584956/2025/3/1992</mixed-citation><mixed-citation xml:lang="en">Nikolaenko V. S. Analysis of qualification requirements for specialists involved in the creation of IT‑products within the framework of IT‑projects // Journal of Wellbeing Technologies, 2025;53(3):97–109. https://doi.org/10.18799/26584956/2025/3/1992</mixed-citation></citation-alternatives></ref></ref-list><fn-group><fn fn-type="conflict"><p>The authors declare that there are no conflicts of interest present.</p></fn></fn-group></back></article>
