Ultimately there are no guarantees. Life is risky, and a certain amount of risk has to be accepted by any organization. Risk management is not about guaranteeing that nothing bad can happen, because even the most secure environments experience problems. Instead, the aim of risk management is to reduce exposure to an acceptable level that is both affordable and survivable. If IT can manage that, then it can consider its risk management program successful.