Abstract
Information systems risk management is an extremely wide, complex and interdisciplinary problem area, which highlights the importance of having an adequate understanding of the many concepts that the area includes. Dealing with definitions of those concepts is a somewhat ‘boring’ task, but it can probably be considered an important one. In the second part of this article, I attempt to move to perhaps more ‘exciting’ things, namely to highlight the significant importance that business processes and internal controls have in IS risk management.