This paper examines software risk management in a novel way, emphasizing the ways in which managers address software risks through sequential attention shaping and intervention. Software risks are interpreted as incongruent states within a socio-technical model of organizational change that includes task, structure, technology, and actors. Such incongruence can lead to failures in developing or implementing the system and thus to major losses. Based on this model we synthesize a set of software risk factors and risk resolution techniques, which cover the socio-technical components and their interactions. We use the model to analyze how four classical risk management approaches--McFarlan's portfolio approach, Davis' contingency approach, Boehm's software risk approach, and Alter's and Ginzberg's implementation approach--shape managerial attention. This analysis shows that the four approaches differ significantly in their view of the manager's role and possible actions. We advise managers to be aware of the limitations of each approach and to combine them to orchestrate comprehensive risk management practices in a context. Overall, the paper provides a new interpretation of software risk management which goes beyond a narrow system rationalism by suggesting a contingent, contextual, and multivariate view of software development.