Purpose – This paper presents a study of information systems (IS) project risk management aimed at identifying a risk ontology and checklist that support decision making and mitigation strategy planning for IS development in the public sector. The public sector is an ideal research setting for risk management practice because the duty of accountability that characterises it has made the failure of IS/IT projects highly visible.

Design/methodology/approach – The study follows a qualitative approach anchored in a critical literature review, which leads to the development of an analytical framework that is then applied in a thorough case-study survey.

Findings – A project risk ontology was derived from the analysis of ten case studies in the UK, USA and New Zealand and is divided into five main categories: pre-project, customer, project management, technological issues, and development methodology. The analysis found that a considerable number of risk factors are incurred before the formal project starts; these pre-determine the future of the project and create predictable risks that could be avoided.

Research limitations/implications – The paper focuses on the pre-implementation and implementation phases of IT/IS projects; further research into IS post-implementation is required.

Originality/value – The proposed ontology is designed to fit real-life systems development cycles and to support risk assessment and control. The findings suggest that risk thinking should start early in the project and not, as many modern design and development methodologies propose, solely as part of the development process itself.