This paper analyzes risk concepts and risk assessment practices in modern IT management frameworks. Using the system analysis method, we evaluate the consistency of their methods and their suitability for practical business decision-making. The objective is to identify fundamental logical flaws in how well-known IT control frameworks treat risk management, which can help to determine how to fix them. The analysis shows that the examined frameworks can produce highly doubtful risk assessment output, in terms of both its substantive meaning and its significance for decision-making.