Organisational implementations of IT risk management (IT-RM) frameworks often fail due to cultural forces. This work-in-progress study focuses on the action of IT individuals involved with IT-RM implementations. Particularly, this research steps outside the conventional factor analytic perspective of IT risk management research by focusing on contextual and processual elements as well as the actions and interpretations of managers to explain successful implementations. A series of case studies were designed around semi-structured in-depth interviews with IT managers. Grounded theory-like analysis of the case text produced a structure of conceptual categories and themes depicting the successful implementation of an IT-RM framework.