Practice-based perspectives in information systems have established how, in instances of information technology use, users exercise considerable discretion in their appropriation of the technology through local workarounds and situated improvisations. Today, information systems research has a considerable stock of cases demonstrating the malleability of technology. We analyse the question, not pursued with much energy to date within practice-based perspectives, of how risk management practices in IT-enabled process management are enacted. Research on IT risk has over the last decades produced a number of frameworks and checklists to identify and manage risk, allowing for a proactive approach to, for example, IT development projects. Still, IT projects fail more often than not, and even the most proficient managers have difficulty in managing IT as an organizational resource. This paper introduces a framework for the analysis of software risk as knowledge systems (Holzner & Marx, 1979) composed of a set of knowledge processes, as they are enacted in the context of software risk management: reactive, proactive and adaptive IT risk management. We position ourselves in line with works that take a practice-based approach to knowledge and learning (Lave & Wenger, 1991; Wenger, 2000), which emphasise how knowledge is local, social, situated and closely linked to practice. However, another central premise behind our framework is that knowledge is not only local and situated, but also linked to larger established 'systems of knowledge'. This may imply that knowledge generation does not happen freely, but is highly contingent on the context in which it is situated. In order to manage risk in the increasingly dynamic environment of organizational life, we argue that adaptive IT risk management provides organizations with a more powerful approach than the reactive and proactive approaches to IT risk management.