An “IT Project” is actually a business investment.
Steve Freeman and I first first wrote about the three categories of risk in Agile Times Vol 6 (?). We stated that there are three categories of risk.
1. Delivery risk. The risk that the software is not delivered on time, on scope, to budget or of sufficient quality.
2. Business Value risk. The risk that the business investment does not deliver the anticipated business value.
3. Risk to the Enterprise. The risk that the project will actually damage the organisation.
Most literature on risk in software development focuses on delivery risk. This is because most IT risk is development centric. When considering risk from the perspective of the business investor, delivery risk is only a third of the risk. Minimising delivery risk may increase the business value risk or the risk to the enterprise.