Despite its dubious role during the global financial crisis of 2008, risk management has continued its expansion. This paper addresses the question why risk management, in the face of its evident failure to manage risks during the crisis, has retained its importance even today. We build on the existing critical literature on risk management (Power, 2007) and advance it by introducing a more rigorous consideration of power. We refer to the notion of the “permanent state of exception” as conceptualized by the Italian social theorist Giorgio Agamben, 1998 and Agamben, 2005 in order to argue that risk is a powerful social category as it reflects a potential exception, challenging norms as well as normalizing forms of control. We conclude that a dispositif of risk management, an assemblage of institutions, regulations and models, lies at the heart of risk management. This dispositif provides elites engaged in risk management with an argument that allows them – in exceptional situations – to take extraordinary measures which cannot be rescinded after the initial state of exception has ended. The logic of the state of exception can be used as a discursive resource and adds to, but also gradually replaces, other forms of management control. Our study contributes to management control theory by focusing on post-disciplinary forms of control and provides a novel focus on how elites use management control systems for their own interests.