This study introduces a new process for implementing risk management in IT departments, promoting a socio-technical change approach. This research steps outside the conventional factor analytic perspective of IT risk management by embedding contextual and processual elements (e.g. socio-technical interactions and interpretations) to explain successful implementations. Adopting a multi-case approach for obtaining richer data from a problem domain, we outline new details of an implementation process. The proposed process model represents how these elements work together to produce a successful outcome. Grounded theory-like analysis of the case findings helped us to understand and explore conceptual categories and themes that are relevant to the proposed process. By developing the conceptual model of IT risk management implementation with a socio-technical perspective, we generate a set of propositions in this paper that explains the dynamic nature of IT implementation.