NIST has released a DRAFT paper on risk management for IT systems. Published as Special Publication 800-30 Rev A, it's shaping up to be a good reference.
Taken from the paper's introduction:
An effective risk management process is an important component of a successful IT security program. The principal goal of an organization's risk management process should be to protect the organization and its ability to perform its mission, not just its IT assets. Therefore, the risk management process should not be treated primarily as a technical function carried out by the IT experts who operate and manage the IT system, but as an essential management function of the organization.
The paper goes on to show just how to achieve that.
Happy reading! [Dana Epp's ramblings at the Sanctuary]