The aim of this study is to determine how public organisations in the Australian higher education sector develop and validate information systems (IS) risk management (RM) strategies to address possible disasters arising from IS failures. For several decades, various management theories, decision-making frameworks, risk-management frameworks and project-management methodologies have been developed and are widely available and implemented in many organisations. Yet major IS and project failures continue to occur all over the world. Although these “rational” systems and procedures prescribed for IS risk management exist, there is little systematic knowledge – as opposed to anecdotal information – about what organisations actually do to address these risks. The research design for this study was based on a qualitative case study approach using two cases and a structured interview technique involving open and closed questions. The raw data were analysed followed by a cross-case comparative analysis using thematic analysis, looking at similarities and differences that generated various categories. The categories were then used to develop a theoretical model highlighting key findings, which includes four key themes that have an impact on shaping IS-RM strategies to avoid IS failures: level of governance; level of monitoring and enforcement of policies and frameworks; level of conformance to compliance; and level of business and IT collaboration in decision-making. The study concludes by making recommendations for future research. The theoretical contribution from this study is three-fold. First, a theoretical model is developed that can be used to manage risks proactively. Second, the development and implementation of an Information Systems Risk Management (IS-RM) Framework is proposed. Third, IS risk can be minimised through the establishment of an IS Middle-Managers Governance Group, which grows out of the IS-RM Framework.