How to organise a risk session that people actually contribute to

Why most risk gathering fails before it starts

Gathering risks across your organisation sounds straightforward until you actually try to do it. You send emails. You book meetings. You chase the operations manager, the finance lead, and the IT coordinator one by one. Six weeks later, you have a patchwork of half-completed responses and a risk register that still does not reflect what is happening on the floor.

A risk session should not feel like that.

The biggest obstacle to good risk identification is not that people do not care about risk. It is that contributing is too inconvenient, too formal, or too dependent on a meeting slot that never quite fits.

The result? The loudest voices dominate. The quieter, operational team members who often know the most about what could go wrong stay quiet. You walk away with a list that reflects who spoke up, not what is actually at risk.

What a good risk session looks like

A well-structured risk session does three things. It lowers the barrier for contribution. It guides people toward useful, specific input. And it feeds directly into a working risk register without a manual translation step in between.

Asking "what risks do you see?" produces vague answers. Asking "what could prevent us from delivering on time in your area, and how often does something like that happen?" produces something you can work with.

That distinction matters more than any tool or template. The quality of a risk session is determined before anyone opens it.

Risk sessions in Risk Companion

We built the risk session feature in Risk Companion because collecting risk input from colleagues takes too long and produces too little. Visit every department head, ask the same questions in different meetings, take notes, go away to compile everything. By the time the register is updated, some of the information is already out of date.

Risk Companion's risk session feature changes that flow. You create a session, define the scope (a department, a project, a specific category), and invite the relevant people. They contribute directly, adding risks they see in their area, without needing to be in the same room or online at the same time.

No scheduling overhead. No chasing. No translating messy notes into register entries.

Each contribution goes straight into the risk register with a description, a category, and an initial assessment. You review it, assign owners, set due dates, and attach measures. The session becomes the starting point, not the end point.

How to structure the session

Four decisions determine whether a session produces useful input or a list of vague concerns: scope, prompts, timing, and follow-through.

1. Scope it to something specific. A session for the entire organisation is too broad. Scope it to "operational risks in the logistics function for Q3" and people know exactly what to respond to. Risk Companion organises risks by category (operational, financial, strategic, compliance, IT, safety, and reputational) so use those as natural boundaries for session scope, and as prompts rather than a blank page.

2. Use category prompts, not open questions. "What risks do you see?" lands in inboxes and goes unanswered. Prompting contributors with a specific category and a real scenario, such as "think about the last time a handover between teams caused a delay," gives people a foothold.

3. Set a deadline, even for asynchronous sessions. Two weeks is usually enough for asynchronous contribution. Without a deadline, the session drags. But do not wait for the deadline before reviewing input. Start assigning owners as contributions come in.

4. Act visibly. Contributors who see their input being acted on are more engaged next time. That matters more than any single session.

The part most teams skip

You collect the input. You review it. And then you add it to a list. No owners. No measures. No next review date.

A risk session is only as valuable as what happens after it. Every risk that comes out of a session needs an owner, a risk score based on probability and impact, and at least one measure attached. Without those three things, you have not managed the risk. You have documented a worry.

In Risk Companion, this is built into the process. When a risk is added through a session, it goes into the risk register with fields for owner, probability, impact, and measures. The dashboard then shows you which risks have overdue measures, which ones are unowned, and where your team's attention needs to go next.

The session creates the input. The register creates the accountability.

A practical example

A construction company with 120 employees runs projects across four sites. The compliance manager previously spent two weeks visiting site managers, collecting input in Word documents, and manually entering risks into a spreadsheet.

With a risk session, she creates one session per site, scopes it to operational and safety risks, and invites the site managers to contribute directly. They each spend 20 minutes adding what they are seeing. She reviews the input, consolidates duplicates, assigns owners, and has a fully updated register in three days instead of two weeks.

The site managers see their input reflected in the register. Risk management stops being something that happens to them and starts being something they participate in.

Are the people who actually know what is going wrong contributing to your risk process?

If not, a structured risk session is the simplest fix available. Book a 30-minute demo to see how Risk Companion's risk session feature works in practice.