Many employees use their personal mobile devices, especially smartphones, for work duties as well as private purposes, often without any restrictions on where or when they do so. Although this practice poses risks to both businesses and employees, it is often not governed by any formal corporate policy. Moreover, most companies have not yet made a strategic decision on whether to ban, tolerate or encourage BYOD. This paper enumerates and classifies these risks in order to help employers make that decision and create their own corporate BYOD policy and procedures framework. In addition, risk level assessment and options for risk reduction are covered. The classical PDCA (Plan-Do-Check-Act) cycle can be adapted to the development and maintenance of a BYOD security framework.