New CEOs and CIOs: Why Risk Management Should Top the 90-Day Agenda
- aarongreenman3
- Oct 8
- 4 min read

Author: Aaron Greenman, Managing Director
Stepping into a CEO or CIO role is exhilarating, a whirlwind of strategy sessions, stakeholder meetings, and bold new plans. Yet one critical area often gets sidelined in those early days: risk management. A troubling pattern has emerged: major incidents, including catastrophic outages, erupt within a year of a new leader’s tenure, exposing gaps that the new CEO/CIO didn’t fully grasp in time. Such lapses can be devastating, not only to the company’s customers and reputation, but to the careers of those at the helm.
This article explores why risk management isn’t always front of mind for new leaders and makes the case that it must be, ideally within the first 90 days. It also outlines practical steps for incoming executives to get a true handle on vulnerabilities early, ensuring that unfiltered, comprehensive information about exposures lurking beneath the surface flows up to them.
Why New Leaders Often Miss the Risks
New CEOs and CIOs face intense pressure to deliver on visible priorities (strategy, growth, cultural change) and often assume that "someone else" has the operational risks under control. When everything appears to be running smoothly, it’s tempting to assume all is well. In truth, risk blind spots can hide anywhere:
- Cybersecurity threats dismissed as "IT’s problem."
- Legacy systems in critical infrastructure quietly creaking under the weight of age.
- Essential services or utilities running with inadequate redundancy, a single fault away from catastrophic failure.
Organisational culture compounds this. New leaders may not know where the skeletons are buried, and employees may hesitate to bring them bad news. If staff perceive that the leader’s mind is already made up, they may withhold uncomfortable truths, leaving executives dangerously isolated from what is really happening.
Meanwhile, structural weaknesses such as unclear accountability for risk ownership, or board agendas that relegate risk to the last five minutes, may mean exposures are downplayed until they explode.
The High Stakes of Neglecting Early Risk Management
The consequences of not probing deeply into risks can be measured not just in dollars, but in lives and reputations.
Power and utility outages: Several global incidents have shown how a poorly managed grid or IT system can plunge millions into darkness. In one well-publicised outage, cascading IT failures in a national power grid left hospitals scrambling, businesses shuttered, and residents without heating or cooling. Investigations later revealed that preventive maintenance had been deprioritised, and senior leaders had not been given unfiltered reports on system vulnerabilities. Leadership turnover quickly followed.
Emergency services failures: Telecom failures have in the past disabled access to 000 / 911 / 112 services, leaving citizens unable to reach police, ambulance, or fire services. One such incident in Australia left thousands of emergency calls unanswered, sparking a government inquiry. Senior executives admitted they had not fully appreciated the fragility of the systems or the lack of backup, and within a year leadership changes ensued.
Airline and transport system meltdowns: Airlines and rail operators have suffered crippling IT outages that stranded passengers worldwide. In one case, a single corrupted software update grounded flights across continents for days. Public backlash was fierce, regulators circled, and the CIO’s position became untenable.
Cyber and privacy breaches: From retailers losing tens of millions of credit card details to insurers and telcos exposing medical and identity data, the pattern is similar: what seemed like "business-as-usual" was actually brittle, with overlooked weaknesses waiting to be exploited. The financial and reputational fallout often forced the CEO or CIO out within months.
These examples underscore a common theme: the risks were known by someone in the organisation, but the information never made it unfiltered to the top.
Making Risk Management a "First-90-Days" Priority: Actionable Steps
For a new CEO or CIO, the first 90 days set the tone. Here are concrete steps to ensure that comprehensive, unfiltered risk information flows up and that critical risks are addressed before they explode:
- Insist on a Deep-Dive Risk Briefing: Meet cybersecurity, IT, operations, compliance, and audit leaders one-on-one. Ask them directly: What could take us down tomorrow? What failures could put lives at risk?
- Stress-Test Critical Infrastructure & Services: Commission reviews of core systems, including power supply, telecommunications, call centres and payment systems, not just IT. Ensure resilience and redundancy are real, not assumed.
- Align Risk Appetite with Reality: If the company claims "zero tolerance" for outages or data loss, test whether budgets, staffing, and monitoring reflect that.
- Clarify Risk Ownership: Make sure every major risk, including cyber, safety, and operational continuity, has an accountable owner with a direct reporting line to you or the board.
- Foster a No-Blame Culture: Signal early that you want the unvarnished truth. Thank people for raising issues; don’t punish them.
- Learn From Past Failures: Review internal incident logs and external case studies. Use simulations and "pre-mortems" to stress-test new initiatives.
- Put Risk on Every Board Agenda: Normalise open discussions on risks and resilience. Make it as central as financial performance.
- Drill Crisis Response: Run tabletop exercises, from cyber-attacks to system outages, so your team knows exactly how to respond under pressure.
- Walk the Floor: Spend time with frontline teams who maintain critical infrastructure or customer services. They often see risks long before executives do.
Bottom Line
The absence of a crisis in your first weeks is not proof that risks don’t exist, only that they haven’t yet materialised. Whether it’s a data breach, a grid failure, or an outage that puts lives at risk, a CEO/CIO’s tenure could be defined by how well they understood and prepared for hidden vulnerabilities. By demanding unfiltered information, aligning investment with appetite, and embedding a culture of transparency in the first 90 days, you not only protect your organisation, you also protect yourself.
In today’s environment of unforgiving public scrutiny and regulatory oversight, risk awareness is as vital as vision. The first 90 days aren’t just for setting strategy; they are for stress-testing the foundations that keep your company and your customers safe.
How Spherion Can Help
Spherion helps leaders turn uncertainty into control. Through rapid risk diagnostics, deep-dive control reviews, and independent assurance over critical systems and processes, we give new CEOs and CIOs the insights they need to act decisively. We ensure that information flows are transparent, accountability is clear, and risk management becomes a natural part of leadership, not an afterthought.
