Let me suggest an interesting post in the Discussion Leaders area of the HBR site: “Lesson from the Crisis: Risk Management Has Limits”.

Here is the last paragraph (but read the whole article!):

The moral of these failures is that risk managers need to change their approach. Some of the energy they currently put into calculating the probability that a given risk will become a reality might be better invested in modeling the impact of that reality should it occur. By doing that, they would be better positioned to mitigate the impact and respond quickly. Take hurricanes. It wouldn’t help a lot to know how unlikely it is to get hit by one. What matters is the kind of damage to expect and having some sort of survival plan in place. In short, focus your risk management more on the management and less on the risk.