This paper conceptualizes software project risk in terms of risk exposure and defines it as an aggregate multidimensional construct composed of four interrelated dimensions: risk sources, risk events, risk management mechanisms, and expected outcomes. The paper also theorizes about relationships between the four dimensions. Furthermore, it argues that the risk factors identified in the literature could be systematically categorized using the proposed construct. The specification is derived from a review of 20 years of software project risk literature, from 1989 to 2009, and from a semantic decompositional analysis of software project risk definitions. The proposed construct conceptualization helps demarcate the often intertwined behavioural factors and project attributes that the software project risk literature recognizes as risk factors. By identifying the dimensions of risk and their interrelationships, the suggested specification should help improve the construct’s explanatory and predictive power.