In this paper, we describe the work, findings, case study and contributions made in developing the specification of the “Guía de buenas prácticas de gestión de riesgo de TI en el sector bancario colombiano”. We show how specifying the most important step of the guide makes it a strong tool for managing IT risk in the Colombian banking sector. This was achieved by reviewing some of the most relevant theories in IT risk management, developing new models that exploit their best attributes, and presenting them from a business point of view. Finally, we present the results obtained from validating the newly constructed models in our case study: the cheque clearing process of “Banco de la República”, a core service in the organization that depends ninety percent on IT.