I also have to do risk assessments for IT matters and often find organisations use the risk analysis to avoid doing something, not because its too risky, but because someone can't be arsed. However, I'd be interested to see the risk logs/assessments for government IT projects. I suspect my eyebrows would raise a tad!
In Nigeria I implemented the NIST Risk Methodology. The documentation required appears frightening at first, but once intio it, it is very straightforward. I think in the UK Prince2 covers the risk process for IT projects..
