Abstract
Risk management is often seen as a project manager's job. However, the information and knowledge required to make a realistic assessment of project risks is often dispersed among people in and around the project. Also people will tend to focus their attention on different aspects and as a consequence on different risks because their different roles with regard to the project. Our assumption is that it is wise to have a team of relevant people making a joint risk assessment, based on knowledge and information dispersed in, but not necessarily shared by, the team. The team corrects the filters and biases of individuals in their specialized roles and positions and creates both a richer "knowledge base" and increased variety in interpretations. To test these assumptions, we formulated design requirements for a risk management method on the basis of the theory of human group and individual decision-making and information processing. Based on these requirements a risk management method was developed and used in eight IT projects. The results confirmed the assumption that lack of information and bias are relevant issues in risk assessment. The proposed guidelines resulted in a method capable of handling these issues.