Congratulations on taking the helm as the new Risk Officer. I’ve been in your shoes before, stepping into organisations where risk management was, shall we say, a bit of an afterthought. The first time I did it, I walked in with all the frameworks and theories, ready to deploy. I quickly learned that an Excel spreadsheet won’t win any hearts and minds. But, with a structured 90-day plan, you can strategically navigate your initial months, build the foundations for a robust risk culture, and become an indispensable asset to your organisation.
It’s a marathon, not a sprint, and your first 90 days are less about implementing a grand new system and more about a strategic reconnaissance mission.
Days 1-30: Listening & Learning to Discover
You’ve just landed a new role, and you bring a fresh perspective and a head full of ideas. But resist the “rookie error” of jumping straight into solutions. Your primary goal in the first 30 days is not to fix things immediately but to deeply understand the organisation’s current state of risk management, both formally and informally. This is your strategic reconnaissance mission.
So, your first 30 days are about building relationships, listening, and understanding the company’s culture. You’re connecting with people, their priorities, and their pain points.
1. Understand the business & its objectives
Before you can help your organisation better manage its risks, you have to understand what it’s trying to achieve. Think of yourself as an archaeologist, piecing together the organisation’s strategic history and future.
Start by listening. In Stephen R. Covey’s The 7 Habits of Highly Effective People, the fifth habit, “Seek First to Understand, Then to Be Understood,” is a cornerstone of effective management, emphasising that genuine listening is the key to building trust and solving problems.
Schedule one-on-one meetings with executive leaders, department heads, and key operational staff. But don’t lead with a pitch about risk. Instead, ask open-ended questions like, “What are your top three priorities for this quarter?” or “What’s the biggest challenge you’re facing right now?” Listen for the recurring themes and pain points. This approach will help you connect risk to their day-to-day reality, making you a key partner in their success, not just a compliance enforcer.
Understand the “why” behind the organisation’s existence and its key drivers. Review your organisation’s strategic plans, annual reports, and existing business unit performance reviews. Look for key performance indicators (KPIs) and business drivers. A financial services company, for example, might be driven by client acquisition and regulatory compliance, while a government agency might be focused on delivering services and managing public perception. Understanding this “why” will help you align your risk strategy with the organisation’s core mission.
Listen more than you talk. Absorb as much information as possible before forming conclusions.
2. Understand the culture & key stakeholders
Every organisation has an unwritten rulebook that dictates how things really get done. Your job is to read it and decipher it.
Pay close attention to how decisions are made. Is it a top-down process, or do teams have autonomy? How does information flow…through formal memos or quick chats in the hallway? Observe who people defer to in meetings, as these are often the informal leaders and key influencers you need to win over.
Find your allies by identifying the “risk champions”, i.e. the people who already do risk management well, even if it’s not in their job description. These individuals are your most valuable allies. They might be a project manager who meticulously tracks potential roadblocks or a finance officer who instinctively thinks about fraud. Find them, build rapport, and learn from them. They will be crucial in helping you drive change.
You may be the new kid on the block, so find the people who have the “institutional knowledge”. Build relationships with long-serving staff and administrative personnel. They often hold a wealth of knowledge and understand the informal power structures better than anyone. They can give you invaluable context on why certain processes exist or why previous change initiatives failed.
Be a partner, not a police officer. Position yourself as an enabler of objectives, not a blocker.
3. Assess the current state of risk management
This is where you get into the nitty-gritty, but remember to stay in “assessment mode” not “judgment mode”.
Dig into the paper trail by looking into the existing documentation and reports. Do risk registers and risk assessments exist? If so, are they living documents or dusty relics? How are risky decisions escalated to leadership? Do conversations about risk even occur in meetings, and if so, how? Look for formal processes, but also observe if they’re actually being followed.
Conduct informal interviews with people to look beyond the official documents. Ask staff at all levels about their experiences with risk management. Ask questions like, “What works well when it comes to managing risks in your area?” and “What do you believe are the biggest threats to our team’s success?” Pay close attention to the “grapevine”, as sometimes the most valuable insights come from informal conversations over coffee. It can reveal what people are truly worried about, regardless of what’s written in a report.
Days 31-60: Confirming & Benchmarking
With a clearer picture of the organisation, culture, and existing frameworks, your focus now shifts. The second month is about solidifying key relationships, validating your initial observations, and beginning to outline potential areas for improvement. This phase is for bringing order to the chaos: this is where you transition from an observer to a trusted partner.
4. Cultivate key relationships & build trust
A month in, trust is the single most important currency you will have. Everything you do now should be in service of building it.
Show you’ve been listening by following up on your initial meetings. Send a brief email or schedule a quick chat to share a summary of what you heard. For example, “Thanks again for the chat. I heard your team is really focused on onboarding a new strategic vendor this quarter, and that their cybersecurity posture is a key concern. I’d love to explore how we can support you in that”. This simple act shows you were listening and value their input.
Identify some “quick wins” by looking for low-hanging fruit where you can offer immediate, tangible value. Maybe a manager is struggling with a clunky risk register or a risk reporting process. You could offer a workshop to review the risks or to streamline the report. Or perhaps a team is launching a new project and needs help thinking through the key risks. Offering to facilitate a short, informal risk brainstorming session can be a huge win. These small successes build goodwill and demonstrate that you are a resource, not a roadblock.
Maintain transparency by scheduling regular check-ins with your direct manager or sponsor. Be proactive in updating them on your progress, sharing your observations, and seeking their guidance. This ensures they’re never surprised and keeps them invested in your success.
Build credibility through action. Small, consistent successes speak louder than grand pronouncements.
5. Benchmark against better practice
Now that you have a sense of the organisation’s current state, you can subtly introduce new ideas about what’s possible. The key here is to do this without criticising the past.
Subtly introduce new ideas and concepts. But, instead of saying, “Your risk management process is broken”, try, “In other organisations I’ve worked with, we found that having a clear risk appetite statement helped us make faster decisions. Is that something we could explore here?” This frames the conversation around improvement and a shared benefit, not problems.
As you review documentation and speak with people, you will identify clear differences between the current state and a functional risk management framework. Start planting seeds for change. For example, ask questions like, “Is there no clear accountability for key risks? Are risks only discussed reactively, after an incident has occurred?” Use these gaps as focal points for future conversations and improvement plans.
6. Develop a preliminary assessment & vision
It’s now time to translate your findings into a clear, high-level narrative.
Begin to consolidate your observations into a concise assessment of the current risk management maturity. What are the top 3-5 challenges? Is it a lack of clear ownership? A culture of blame? Or simply a lack of effective tools? You should be able to articulate these challenges in a clear and compelling way, grounded in the conversations and documents from your first 60 days.
Next, draft a preliminary vision for what improved risk management would look like. This isn’t a final plan, but a simple, compelling statement. For example, “Success would look like a culture where everyone feels empowered to identify risks, and we can make better, faster decisions as a result”. This serves as your guiding star, a simple vision you can keep coming back to as you navigate the next 90 days and beyond.
Days 61-90: Catalysing Change & Outlining the Path Forward
You’ve now spent the last two months as an anthropologist and an analyst. You’ve listened, learned, and identified the pulse of the organisation. Now is the time to translate that knowledge into visible momentum and a clear strategic roadmap.
As a Risk Officer, you’re not just a manager; you’re a catalyst for change, driving early wins, and initiating the strategic plan that will accelerate the organisation’s risk maturity. This is where you demonstrate your value and secure buy-in for the future.
7. Deliver an early tangible win or two
Based on your observations and stakeholder feedback, you should have a solid idea of a quick win project. Now, execute it.
Choose a project that will have a real, visible impact on a key business unit or process. For example, if you discovered that a crucial department is struggling with fraud prevention, deliver a targeted workshop on common fraud indicators and best practices.
8. Communicate success widely
Once a quick win project is complete, ensure you publicise it. Write a brief memo or present a short update at a team meeting. Be sure to credit the individuals and teams who helped you. This shows you’re a team player and that your work translates into tangible benefits.
Communication helps to enhance stakeholder trust in your capabilities, makes you visible to key stakeholders, and builds momentum to demonstrate your value to the organisation.
Focus on value. Always articulate how risk management contributes to the organisation’s success. A better risk process isn’t just about compliance; it’s about making better decisions, enhancing organisational resilience, and ultimately, achieving strategic objectives.
9. Present your findings & proposed roadmap
You’ve built trust and delivered a quick win. Now is the time to formalise your observations and present your vision for the future of risk management.
Prepare a concise presentation for the leadership team and key stakeholders. Don’t start with a list of problems. Instead, begin with what you’ve “learned” from them. Talk about the strategic priorities you’ve heard and how you’ve observed risk impacting those goals. This positions you as an ally and team player.
Based on your findings, propose a high-level strategic roadmap for the next 12-18 months. Focus on 3-5 key priorities. This isn’t about creating a rigid plan, but a living document that can be refined with feedback. For example, your priorities might be to clarify ownership of top risks, integrate risk discussions into business planning sessions, or enhance fraud detection capabilities. For each priority, briefly outline the benefits and the first steps.
10. Establish governance & communication channels
Your final goal for the 90-day mark is to set up the structures that will sustain momentum into the future.
Begin establishing or revitalising formal risk governance structures. This could involve creating a new risk committee or simply clarifying the responsibilities of key risk owners. This formalises the changes you’re introducing and gives them authority.
Develop a communication plan for ongoing engagement. Outline how you will regularly communicate with stakeholders about risk. This might be a monthly email update, a standing agenda item in leadership meetings, or a quarterly risk report that is easy to understand. Consistent, clear communication is crucial for keeping risk top of mind and ensuring your efforts don’t fade into the background.
Be patient, but persistent. Cultural change takes time, but consistent effort will yield results.
Final Thoughts
Your first 90 days as a new Risk Officer are about building trust and momentum. It’s a three-phase journey. You’ll spend the first month as an anthropologist, listening and learning to understand the business, its people, and its culture. The second month is for building bridges, validating your findings, and subtly introducing better risk management practices to prove your value as a partner. Finally, in the third month, you’ll deliver on your promises by executing a small, visible project, then presenting a strategic roadmap that is tied directly to the organisation’s business goals. Remember, your credibility comes from empathy and action, not from a checklist.
How We Can Help You Take Better Risks
We are here to help strengthen your risk management capabilities, systems and processes. Our risk management capabilities include:
- Providing an interim Chief Risk Officer to backfill a vacancy.
- Providing a dedicated Risk Officer on demand through our Virtual Risk Officer service.
- Helping organisations take their first steps towards implementing a formal and proactive enterprise-wide risk management framework.
- Performing an independent review or health check of your existing risk management framework to identify gaps and level of maturity.
- Conducting risk workshops covering strategic, operational and project risks.
- Conducting risk culture assessments.
- Risk management transformation.
- Supporting you across a range of risk management services including business continuity, crisis management, cyber risk, climate change risk, third party risk and fraud risk.
Take risk management to the next level and contact us to discuss your needs.