As part of our “New in Role” series, we’ve interviewed several risk professionals to find out what they have focused on during their first quarter at a new company. They deep dive into how and what tasks they’ve prioritised, the ways they’ve adapted, what opportunities they’ve taken, and the lessons they’ve learned since changing roles.
With the new year can come starting a new job, or perhaps starting to think about taking the next step in your career.
It can be daunting. A new sector, a new role, or a new risk landscape to sink your teeth into. All while trying to make the best possible first impression and proving to senior leaders why you were the right choice for the role.
As we all know, what works at one company does not necessarily work for another: upon entering a new business, a risk leader may find that the risk framework and culture in place is very different to what they’ve been used to.
What tasks you prioritise in your first few months, therefore, is crucial. But what exactly should you start with?
To help those in this position, we’ve produced a content series, “New in Role” showcasing real-life case studies of members, revealing how they coped with – and found success in – their first 100 days in a new role.
This complements the many collaborative opportunities members are using to share candid experiences with one another, all under Chatham House Rule, during our member meetings and our bespoke network assistance opportunities. The New in Role series reflects the open, honest and practical advice members are giving to peers within the network.
Below is an excerpt from one of the case studies in this series. The full case study, alongside the collection of others in the New in Role series, are available for members on our Intelligence platform.
New in role: first 100 days
(This risk leader has been hired by an international organisation to improve the risk culture and mature the risk management process; they oversee operational and strategic risk management, compliance and business continuity at the company)
Areas of focus
Assessing the company’s risk maturity: reviewing risk documentation
When I start somewhere new, in order to understand how risk is actually managed in an organisation, I start by looking at all of the formal risk documentation - the polices, framework, processes, risk registers and how they are developed. Is it a system? Is it an Excel document?
I find that this tends to give a really good idea of where the organisation is in terms of risk maturity. Sometimes, these documents are a straight lift from ISO 31000, for example, or from a consultant group’s documents. This might indicate that the company is not very mature risk-wise and has not adapted their processes to fit the culture of the organisation.
This review exercise gives me a feel for how the documents are made, which gives me a good basis for where the company’s risk management currently sits. So, it’s a very crude, personal risk maturity model if you will.
Make yourself known across the business
Alongside this review, I prioritise working out how the board of directors operate. I think it’s important to know how to manage and communicate up as well as down throughout the organisation.
I also make a particular effort to find out who the other key people are in the organisation and set up meetings with them. This usually involves pretty much all of the executive team and heads of departments. The idea is to introduce myself but also get an understanding of their perspectives on risks, so I can decide who my best allies will be and also how these people like to work.
You also want to know what they aim to deliver. I have found that being more direct helps, given the current virtual working situation. So, I might just explicitly ask a department head: “What is the culture of this organisation? How do I engage with executives and what do they want?” In previous roles, I would probably not have needed to be so direct.
What opportunities to take
For me, developing the education and the maturity aspects are the main opportunities right now. I’m taking those risks that are in the risk register and working with executives to see what they actually mean, and what they think of when we talk about these risks. Then I will work to establish a system to update these risks on a quarterly basis or some other regular frequency based on reporting requirements.
My main aim will be to work with executives to understand the seven or eight key risks for their department - what they actually mean and how to help them educate their teams to manage these risks. Not just reporting but actually making the business better. To date, risks have been documented and reported to the board and the process has ended there without any real understanding or even willingness to understand that information and how to use it. That isn’t actually very different to what I’ve seen at other organisations.
This will require us to look at specific risks, not just the standard issues. Then, work out how to manage the reporting process, not just have the risks sit on a spreadsheet or in the risk register - how do we really engage with them? I think that could be one of the best things I could do to really help this business.
To read the full case study and get into the detail of their priorities and lessons learned, as well as read others from this “New in Role” series, find out more about membership today.
