In his paper, Boehm (1991) discusses a list of risks in software projects, as a result of which the paper can be positioned as belonging to the evaluation approach. But in the same paper, Boehm describes risk management as a process consisting of identifying, analysing, controlling, and monitoring events that may jeopardise a software project. Risk management then becomes a sequence of activities with the aim of gathering information about situations that may or may not occur in a specific project (Chapman and Ward, 1997; Pich et al., 2002). The sequence of activities that characterises project risk management is described in detail by e.g. Del Caño and Pilar de la Cruz (2002). This sequence of activities is executed during the project with the aim to