Without accurate risk metrics, you can fail to mitigate serious risks and end up watching your project fail. Or you can misspend in an overblown effort to mitigate risks that will never come to pass or that won't cause much damage if they do. Here's how to get a handle on project risk.

Start early. "The key issue with IT project risk is that it is usually not considered until there is a problem," says Chris Thatcher, an enterprise security consultant at Dimension Data North America Inc. in Hauppauge, N.Y. "It is considered best practice to conduct a risk assessment for each IT initiative before it receives approval."

Identify risks. You should have enough information at a project's inception to know about the biggest risks, such as ineffective sponsorship, a fudged business case or inept project management, says Richard Hunter, an analyst at Gartner Inc. in Stamford, Conn. "Killing projects that exhibit those risks on Day One would save most IT organizations 50 percent of the money they spend on failed projects," he says.

Make a risk list. Good project planning will naturally address risk areas such as staffing, funding and technology, says Robert E. Taylor, CIO for the government of Georgia's Fulton County.

But there are other risks that are specific to the individual project. You can identify these by asking what would most likely cause one of the project's products, modules or processes to fail and then finding the root cause of each failure. "One of the easiest ways to get to root cause is to ask why [a failure might happen] five times," explains Mike Blake, chief financial officer at Kaiser Permanente IT. The answers will get you closer and closer to the underlying risk.