Outsourcing of information and communication technologies (ICT) and related services is an established and growing industry. Recent trends, such as the move toward multi-sourcing have increased the complexity and risk of these outsourcing arrangements. There is a critical research need to identify the risks faced by both the organisations that outsource ICT and the vendors that provide it in this changing landscape. To address growing concerns regarding the best way to deal with risk and control in this environment, our research focuses on establishing a Sourcing Risk and Control Framework to assist organisations identify these risks and develop effective mitigation strategies. In this paper we report on the first stage of our research that sought to document how sourcing risk is represented and considered in practice. To date, limited empirical research has been conducted in an Australian context. Using a series of workshops involving client and vendor representatives, we identified a broad range of risks and developed a cohesive categorisation scheme that incorporates functional and multi-stakeholder perspectives.