This paper shows how causes and mechanisms behind past information technology (IT) project failures can be used for systematic risk mitigation in new IT projects. This is significant because successful IT projects are needed to realise the benefit potential of digitalisation, whereas failed IT projects overspend resources and underdeliver benefits. In this paper we a) identify factors and causes that lead to IT project failure, b) analyse the consistency over time of the identified factors and causes, c) expose mechanisms of failure by analysing failure factors, causes, and common features of IT projects, and d) show how this knowledge can be used in IT project risk evaluations. The paper uses hermeneutic literature review, statistical analysis of failure factors in the literature, content analysis of the reviewed literature, and process tracing.