Risk management in IT projects is still more an art than a science. Reliable figures about the risks of a project portfolio still depend on the intuition and experience of project managers. A central challenge is to aggregate the risks of a project into a single risk measure that makes it easy for senior management to compare projects and see which ones need their attention. We first analyze different approaches to aggregating risks and compare them in terms of theoretical foundation and practical usability. In particular, we explore the applicability of the well-known financial risk figure Conditional Value-at-Risk (CVaR). Using data from 110 IT projects, we demonstrate that the CVaR offers a well-defined risk measure that provides clear information for senior management decision-making. Because the CVaR is flexible in its confidence level, that level can be changed to fit the management's risk aversion. Finally, we derive suggestions for risk management to make the calculated CVaR even more reliable. In sum, we show that well-defined risk measures can be transferred to the domain of project risk management if companies establish central risk reporting.