Operationalizing IT risk management

global organisations conducted during 2002, it was found that all conducted some form of risk assessment to assist in the management Of security risks. However, when we analysed the risks that they addressed, three of the four organisations had major gaps in their risk assessment coverage that could result in significant risks being missed. We wondered: why did the gaps exist; are there inhibitors to effective risk assessment; are there blind spots; are approaches to risk assessment deficient in some way; how could we make the process of risk assessment more robust but easier to do? This paper seeks to address some of these questions.