Why is IT risk management separated from the rest of IT management? IT decisions affect many types of risk, including security, availability, project delivery, regulatory compliance and more. But senior-level IT management conversations tend to focus on topics of strategic and financial return, while delegating risk–related topics to people outside of the conversation. This creates difficulties for IT employees who must manage risks without being able to influence many of the key decisions that affect risks. This tutorial, based on a five-year MIT research project, presents a framework of four risks -- Availability, Access, Accuracy, and Agility – to make IT risk concepts an essential part of all IT management conversations. Using survey data and cases, the tutorial demonstrates how companies have built effective IT risk management capabilities, leading not only to fewer incidents but also to a highercapability IT unit. The tutorial rethinks the concepts of IT risk management and integrates them more clearly with other areas of IT management.