To differentiate from competitors, some organizations are transforming their business models from offering single products or services to providing IT solutions. In an IT solution, the provider and the customer co-operate in integrating hardware, software and service components to fulfil customer-specific needs. The new business model, however, presents new risk management challenges. First, IT solution providers need to understand additional risks of IT solutions, e.g., risks engendered by operating the IT solution on behalf of the customer and by integrating modules from third-party providers. Second, risk management must account for special IT solution characteristics, e.g., supporting the whole lifecycle from planning to end-of-life and accounting for customer-specific risk profiles. In this paper, we present the results of our design science research with a medium-sized IT solution provider. We developed two artifacts. First, we cooperatively developed a risk management process that could be generalized to other solution providers of similar size. Second, we derived a taxonomy of IT solution risks to provide a foundation for the risk management process. We describe the process by which our research partner transformed the risk management and discuss implications for medium-sized IT solution providers.