Measuring project risk

09.01.2006

Compare your list of risks with a standard risk profile, says Tom DeMarco, an analyst at Cutter Consortium in Arlington, Mass., and co-author of Waltzing With Bears: Managing Risk on Software Projects (Dorset House Publishing Co., 2003). You may have identified more risks than are on that standard list, but make sure you aren't missing any. If you have failed to identify one of the standard risks, you may be in denial, he says. Snap out of it.

Next, look into the types of risks you've found, DeMarco says. For each one, ask whether it's a binary risk -- something that either happens or doesn't happen -- or a continuous risk -- something that happens to some extent and causes injury accordingly.

Measure. Examine each risk, noting its potential impact and likelihood. To assess potential impact, "we look at the dollars associated with the risk: what we would lose and the negative brand exposure we would suffer," says Gerald Shields, CIO at Aflac Inc. in Columbus, Ga.

"You need this analysis to determine what you would spend to mitigate the risk," he adds, since you wouldn't want to spend more to mitigate a risk than what the event would cost you.

Then look into the actual likelihood of the risk event. "Corporations can go to the extreme, spending a million dollars to close an exposure that is minimal and remote," says Shields. Metrics are all about consistency, says Taylor. "A consistent view of the metrics and a consistent interpretation of the results are key," he explains. Only by ensuring that all stakeholders are viewing and interpreting the metrics in the same way can you begin to mitigate risks appropriately.
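The steps above (compare against a standard profile, classify each risk as binary or continuous, weigh impact against likelihood, and spend no more on mitigation than the expected loss) can be reduced to a small, repeatable calculation. The following is an added illustration, not code from the article or from DeMarco's or Shields' organisations; the "standard profile" entries, the risk names and all dollar figures are constructed placeholders, and the continuous-risk model (a list of probability/loss scenarios) is an assumption chosen for simplicity.

```python
from dataclasses import dataclass, field

# Constructed stand-in for a "standard risk profile": the real list from
# Waltzing With Bears is not reproduced on the page.
STANDARD_PROFILE = {"key-staff loss", "scope growth", "vendor slip", "estimate error"}


@dataclass
class Risk:
    name: str
    kind: str                     # "binary" or "continuous"
    likelihood: float = 0.0       # binary only: probability the event occurs
    impact: float = 0.0           # binary only: loss in dollars if it occurs
    # continuous only: (probability, loss) scenarios describing how far
    # the risk may go; probabilities must sum to at most 1.0
    scenarios: list = field(default_factory=list)


def expected_loss(risk: Risk) -> float:
    """Dollars expected to be lost to this risk (impact weighted by likelihood)."""
    if risk.kind == "binary":
        if not 0.0 <= risk.likelihood <= 1.0:
            raise ValueError(f"{risk.name}: likelihood must be a probability")
        return risk.likelihood * risk.impact
    if risk.kind == "continuous":
        total_p = sum(p for p, _ in risk.scenarios)
        if total_p > 1.0 + 1e-9:
            raise ValueError(f"{risk.name}: scenario probabilities exceed 1.0")
        return sum(p * loss for p, loss in risk.scenarios)
    raise ValueError(f"{risk.name}: unknown risk kind {risk.kind!r}")


def missing_standard_risks(identified, standard=STANDARD_PROFILE):
    """Standard-profile risks the team has not listed (DeMarco's 'denial' check)."""
    return sorted(standard - {r.name for r in identified})


def worth_mitigating(risk: Risk, mitigation_cost: float) -> bool:
    """Shields' rule: never spend more on mitigation than the event would cost."""
    return mitigation_cost < expected_loss(risk)


def prioritise(risks):
    """Risks ordered by expected loss, highest first."""
    return sorted(risks, key=expected_loss, reverse=True)


# Constructed sample register
REGISTER = [
    Risk("vendor slip", "binary", likelihood=0.2, impact=500_000),
    Risk("scope growth", "continuous",
         scenarios=[(0.5, 20_000), (0.3, 80_000), (0.1, 300_000)]),
]

if __name__ == "__main__":
    print("Not on the list:", missing_standard_risks(REGISTER))
    for r in prioritise(REGISTER):
        print(f"{r.name:<14} {r.kind:<11} expected loss ${expected_loss(r):>10,.0f}")
    print("Mitigate vendor slip for $40k?", worth_mitigating(REGISTER[0], 40_000))
    print("Mitigate vendor slip for $150k?", worth_mitigating(REGISTER[0], 150_000))
```

The value of the register is the consistency Taylor describes: every risk is scored with the same formula and the same units, so two stakeholders looking at the same numbers cannot reach different conclusions about which risks to fund.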