Measuring project risk

09.01.2006

Projects with high-impact/low-probability risks need to be continually monitored to make sure the risk probabilities don't change, Taylor says. This is an area where consistency of metrics -- and buy-in from IT, business and finance -- is essential. If the probability of a high-impact event increases, there should be no debate as to what that means for the project.

"The key is to agree on what constitutes a low-, medium- and high-probability status and then monitor the established standards to ensure that these do not change as the project proceeds," says Taylor.

Prioritize. Creating a matrix with this impact/probability information will help you better understand how to prioritize risk mitigation.

The top risk is usually very specific to your business. "Since we're a health care company, things that endanger our patients are No. 1," Blake says. "You have what I call the untouchables. [For example,] if it happens to be the peak time in the ER, we're not going to be taking down servers during that time."

Verify mitigation. Once you've identified, measured and prioritized risks, you can take steps to mitigate them. But you're not done yet. You need to verify that steps have been taken to mitigate the risks, which is an easy task if you've done your job properly. "Risk mitigation leaves footprints," says DeMarco. "You can go into a risk assessment of New Orleans and say, 'Show me the money you spent to make sure the busses were there. Show me the contracts that you signed.' "