Six Months In: What Stuck and What’s Next
Part 6 of a six-part series on what happens when a capable Finance Manager gets handed risk management and no one gives them a map.

TL;DR
Six months ago Jess was still trying to turn a loose set of concerns into a working risk process. Now the organisation has had a couple of executive and Board cycles with the new register, appetite settings and reporting rhythm in place. That is real progress!
This is the point where risk management either starts to embed culturally or quietly turns into a compliance process. At six months in good does not look like a perfect framework. It looks like clearer ownership, earlier escalation, better Board questions, and a few decisions that were made better because the risk conversation got more honest.
So this is the time to move focus away from the setup. Jess needs to work out what has actually stuck, what is drifting, whether the settings still fit the business, and what the next twelve months should focus on. Not everything. The next things that will genuinely add value.
Six months later
Monthly executive risk reviews and two Board committee cycles later, Jess can finally tell the difference between work that stuck and work that only looked good in month one.
She is walking out of the second Risk and Audit Committee meeting since the new reporting rhythm went live. The pack was shorter. The questions were better. The focus was on the things that mattered most.
One director wanted to know whether cyber was still outside appetite or whether the recent access review work had materially changed the picture. Another asked whether the organisation was still too reliant on two people in one critical service area. The CEO was prepared to answer both questions.
That is success at this stage.
Success is when the Board can see the picture clearly enough to govern from it, and management can explain that picture without pretending everything is fine.
Now comes the harder test. What stuck? What drifted? And what does the next year need?
What success actually looks like
Jess should not judge the last six months by whether every action is closed and every rating is green. That would be nonsense.
She should judge it by whether the organisation has changed its behaviour.
The first sign is that risk is no longer a quarter-end scramble. Six months ago most of the energy went into getting the paper ready. Chasing updates. Rewriting commentary. Trying to work out whether “in progress” meant underway, overdue, or forgotten. Now there is more rhythm.
- Risk owners know when reviews happen.
- The executive team expects to talk about risk regularly, not only before the Board pack is due.
- Outside-appetite issues are being surfaced earlier.
- Emerging risks have a place in the conversation instead of living in side comments and corridor chats.
The second sign is ownership. When Jess first started putting names next to risks, the mood changed fast. It always does. Six months on, the awkwardness has not disappeared, but the organisation has moved from assumed ownership to named ownership.
- People know which risks sit with them.
- They know they will be asked what changed, what evidence supports the control position, and what help they need if the risk is drifting.
The third sign is that the framework has started changing decisions, not just documents. One low-value procurement process has already been simplified because the organisation finally realised it was spending too much management time on a control burden that was not reducing much risk. At the same time, cyber has stayed outside appetite for longer than anyone would like, but at least it is being treated honestly. The access reviews got done. A tabletop exercise is scheduled. The Board can see the gap between current controls and desired position.
That is useful risk management. Do less where the control burden is silly. Do more where the exposure is real.
The fourth sign is cultural change. This is the change with the greatest impact. In one executive meeting, a manager said plainly that a critical process was still too dependent on one experienced staff member, even though cross-training had been on the action list for months. Six months earlier that conversation wouldn’t have happened. Now it is said clearly, captured properly, and left in the paper as an issue that still needs management attention.
Good progress at this stage is not a perfect framework. It is an organisation getting better at telling the truth about its own exposure.
Where it usually starts to drift
The most common failure at this point is not usually a dramatic event. It’s drift.
The first kind is when everything slides back onto Jess. The register sits with Jess. The reminders come from Jess. The Board paper gets assembled by Jess. Commentary gets rewritten by Jess because executives are busy and someone has to get the pack out.
That is how a functioning process turns back into dependency on one capable person.
When Jess sees that happening, the answer is not a better template. It is an ownership reset.
- Risk owners need to speak first about their risks.
- Executive review needs to exist for management, not just for Board reporting.
- Overdue commentary or stalled treatment actions need to be treated as management issues, not admin loose ends.
The second kind of drift is false confidence. A control is still marked effective because it was effective once. An action is still marked in progress because nobody wants to say it stalled. A risk rating stays where it was last quarter because reopening the discussion feels inconvenient.
Jess has learned that the only real antidote is evidence.
- If the organisation is relying on a control, what evidence says it is working?
- If a risk is now within appetite, what changed?
- If an action is overdue, is it still the right action, or is it now just a task nobody believes in?
The third kind of drift is overbuilding too soon. This catches a lot of organisations after the first six months. The early wins create energy. People start talking about more categories, more attestations, more dashboard views, more reporting, more fields, more control documentation.
I would be careful here. Minimum viable risk was the right starting point, and care is needed when adding more.
Maturity is not how much machinery sits around the process. It is whether the process still helps the organisation see clearly and act in time.
Take stock before you add more
This is where Jess goes back to the maturity assessment. She performs a practical re-check of where the organisation now sits across principles, framework and process.
The question is: what is the next step that will create value?
Jess looks at principles first.
- Is risk management helping the organisation make better decisions, or is it still mainly showing up in the Board pack?
- Are appetite conversations influencing projects, budgets, change decisions and major business cases? Or do they disappear once the meeting ends?
Then framework.
- Are roles still clear six months in?
- Does the executive team genuinely own the risk story the Board sees?
- Is escalation better understood?
- Has the Board’s line of sight improved?
- Is the system less reliant on Jess translating everything manually?
Then process.
- Are reviews happening when they should?
- Are owners updating risks in a way that reflects reality?
- Are treatments moving?
- Are incidents, near misses and audit findings being fed back into the register?
- Are emerging risks being picked up early enough to matter?
Once Jess has that view, the roadmap gets easier. She selects the next three or four improvement projects that will add the most value.
The best next opportunities usually sit in one of four places:
- Tighten the framework for any early lessons learned (e.g. clean up roles, ownership, escalation points and reporting expectations).
- Bed down the operating rhythm (e.g. lock in the review expectations, update timelines, executive review steps and the Board reporting timetable).
- Build risk capability within the organisation (e.g. onboard new team members, and continuously train and develop existing team members to keep risk fresh).
- Build risk into the core business processes where decisions are made (e.g. projects, business cases, fundraising, service delivery).
By asking what this organisation most needs next, Jess will come up with a plan of attack that will ultimately add the most value.
Reviewing the risk settings
The organisation Jess is looking at now is not quite the same one she was looking at six months ago.
- A couple of major projects have moved.
- Leadership is more comfortable talking about risk openly.
- The Board has clarified where it wants firmer line of sight.
- Some risks that originally sat as broad operational issues now need sharper treatment.
- Some criteria that felt sensible on day one are not quite right now that people are actually using them.
That is normal, but it does have an impact on how an organisation manages risk, so Jess should build a regular calibration process into the year. This should cover:
- Risk classes.
- Consequence criteria.
- Appetite levels.
- Escalation thresholds.
- Reporting requirements.
- Control effectiveness.
This process isn’t a rewrite for the sake of it; it’s a check that the risk framework still fits the business.
Sometimes a review needs to happen sooner. Triggers include:
- A material change in the business.
- A strategy reset.
- A new service line.
- A new funding model.
- A merger or acquisition.
- Rapid growth.
- A significant regulatory change.
- A serious incident.
- A leadership change that materially alters how decisions get made.
Planning the next twelve months
By now Jess knows enough not to confuse maturity with expansion.
The next year is not about adding every feature risk management could possibly have. It is about strengthening what has proven useful, fixing what is unreliable, and choosing the next layer deliberately.
So her plan for the next twelve months is fairly simple.
- Keep the quarterly Board reporting rhythm.
- Tighten the executive review underneath it.
- Focus assurance effort on the risks that remain outside appetite or close to it.
- Link incidents, near misses and audit findings back into the register more systematically.
- Schedule a review of the core risk framework settings.
- Keep looking for places where the control burden is heavier than the risk justifies.
Six months ago, Jess needed enough structure to stop the organisation guessing. Now she needs enough discipline to keep the system honest without making it bureaucratic.
The goal is to make the organisation better at seeing, discussing and acting on risk over the next year than it was over the last six months.
That is the finish line for this series.
If you are at this point now, where the first lift has happened and the question is what to tighten, what to leave alone, and what to do next, we’d love to help!
We’ve helped many clients in this position. That help could look like:
- Developing a maturity refresh and a practical uplift plan for the next twelve months.
- Working with the Board and executive team to recalibrate appetite, sharpen reporting and reset the rhythm between governance and management.
- Helping the organisation embed risk management into the way work already gets done.
- Developing and delivering practical training.
- Setting up the StartRisk platform to take the admin weight out of risk while utilising AI to uplift capacity and capability.
If you’d like to learn more, reach out.
A conversation is usually the best place to start.