Layer8: Fad or For Real?
sponsored by Information Security Magazine

Posted: 05 Feb 2007
Published: 01 Feb 2007
Format: HTML
Length: 2 Page(s)
Type: Journal Article
Language: English

ABSTRACT:
Risk management involves understanding how likely it is that something bad will happen, and making decisions about risk and control activities such that some sort of economic optimization is reached. Couldn't it also be the case that the risk management banner is the most effective way to try to create some alignment and common structure to related processes like personnel and IT security and disaster recovery? If the business is asking us to help it make good decisions, shouldn't we want to accommodate it? Why wouldn't an information security professional want to sing from the same score as everyone else? Concerns that we will do a trivial job of it, or that rote bureaucratic process will overcome security substance, are valid. And the expectation that risk management requires a belief in the precise quantifiability of business is often a stumbling block, but a needless one. The one thing that formal risk management does not imply is that there is any such thing as certainty in business--quite the opposite. Mature and effective risk management is about using the most appropriate tool for the job, not about using the one that provides answers in the most politically correct form.

Author: Jay G. Heiser, VP and Research Director, Gartner Research