Information technology (IT) projects are renowned for their high failure rate. Risk management is an essential process for the successful delivery of IT projects. In‐depth interviews with IT professionals from leading firms in Western Australia were undertaken to determine how IT risks were managed in their projects. The respondents ranked 27 IT risks in terms of likelihood and consequences to identify the most important risks. The top five risks, in order, were: personnel shortfalls; unreasonable project schedule and budget; unrealistic expectations; incomplete requirements; and diminished window of opportunity due to late delivery of software. The respondents overwhelmingly applied the treatment strategy of risk reduction to manage these risks. Furthermore, these strategies were primarily project management processes, rather than technical processes. This demonstrates that project management is a risk management strategy. Scope, quality management, and human resource management were solutions applied to several risks. In particular, managing stakeholders’ expectations is a specific risk treatment that helps to manage several key IT risks.