In this century, information, along with other factors of production, is a valuable and vital component of the organizations. With increasing technology advances, organizations have realized the undeniable benefits of Information Technology (IT) to increase the quality, accuracy and speed of affairs and most managers have become aware of the importance of its use in increasing efficiency and effectiveness of organizations and more satisfied customers and have established and used information systems. Meanwhile for organizations to use the information technology, risk management plays a crucial role in protecting their information. Effective risk management is one of the most important parts of a security program in IT organizations. This paper first explains the importance of risk management and a framework for development of effective risk management in order to identify, assess and reduce the existing risks in IT systems is provided. Also, the chief executives in risk management in organizations will be introduced and appropriate methods of selection for advantageous security controls will be described, and at the end, the keys to a successful risk management program in the IT system will be noted.