Despite the success stories in the literature, it remains a sad statistic that too many software development projects end in failure. Advocates of software project risk management claim that by identifying and analyzing threats to success, action can be taken to reduce the chance of failure. But the first step in successful risk management is identifying the risk itself, so appropriate countermeasures can be taken. In this presentation we describe research-in-progress to develop an authoritative list of risks, determine which of those risks are perceived as more important, and develop risk categories that can support theory development.