Introduction
Firms across the financial services market are rethinking the role of risk leadership. Growth ambitions, regulatory scrutiny, operational resilience, private equity expectations and Board visibility have combined to elevate the CRO role from technical guardian to strategic partner.
Yet while expectations have accelerated, the talent landscape has tightened.
Across a series of recent executive risk and compliance leadership searches, a consistent theme has emerged: organisations are not struggling to be ambitious about the CRO they want, instead they are struggling to reconcile that ambition with market reality.
The challenge is no longer simply identifying capable candidates. It is understanding where flexibility is required, which trade-offs are acceptable, and whether the organisation itself is positioned to attract the leader it believes it needs.
Or put more bluntly: the question is no longer “can we find the right CRO?”, but instead, “what do we need our CRO to do and are we willing to compromise?”
Mindset vs skillset
Our most successful searches in recent times have prioritised candidate mindset over perfectly aligned experience.
Boards and CEO have often begun with highly specific capability wish lists: prior SMF accountability, identical product exposure, transformation experience, technology fluency, regulatory credibility, and proven leadership credentials and stakeholder management experience. By themselves, these are reasonable requests; however, collectively, they are unrealistic and most likely unobtainable.
What led to successful outcomes was a shift in emphasis:
-
Separating specialist expertise from leadership impact, recognising that a CRO does not need to be the strongest technician in every risk domain if they can build and lead the right capability around them.
-
Dropping identical product requirements when it became clear that leadership capability transferred across product classes. Could you consider hiring a strong technician underneath the CRO who does bring relevant product knowledge?
-
Relaxing prior SMF expectations in favour of candidates with clear regulatory credibility and a realistic pathway to approval.
-
Reframing transformation experience from ‘someone who has already done a very similar mandate’ to ‘someone with evidence of influencing change in complex environments.’
-
Separating specialist expertise from leadership impact, recognising that a CRO does not need to be the strongest technician in every risk domain if they can build and lead the right capability around them.
-
Understanding what you want to achieve through the hire will help you secure a CRO that majors in the core areas to increase the chance of success. Do you want someone to fix a problem or regulatory challenge, or do you want someone to drive growth?
In a transforming risk landscape, the ability to shape the function increasingly outweighs the ability to have already done the exact role elsewhere.
The question becomes uncomfortable but necessary: are you truly hiring for a modern CRO, with a seat at the executive table and a leader of the firm?
Evolution of technology, AI and cyber risk
With technology, AI and cyber risks increasingly being viewed as a key theme and concern for CROs and organisations, these are no longer viewed as deep, specialist domains but rather as front and centre of a modern CRO mandate. There is an increasing trend for technology and cyber risk functions to sit outside of operational risk and report directly to the CRO. Senior risk leaders are expected to be comfortable navigating and, importantly, managing these risk types.
Based on recent conversations Leathwaite have had with over 40 CROs across the financial services market, 83% said technology and cyber risk were at the top of their priorities. Other key topics raised by CROs included geopolitics, market volatility and competitive dynamics.
However, the market reality is nuanced. The expectation that a single individual can combine deep enterprise risk leadership with credible cyber and technology oversight significantly narrows the pool.
Successful organisations recognised that it was the role of the CRO to challenge and govern cyber risk and hold cyber and technology functions accountable, rather than replace the CISO. It is preferable for a CRO to be able to hold credible, knowledgeable conversations with technology leadership, rather than requiring hands-on cyber experience themselves.
In practice, organisations which insist on specific technology risk experience struggle to find balanced CRO profiles, while those focused on leadership, presence and mindset are able to access a far broader and more credible market.
![](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="494" height="302"><defs><clipPath id="a"><path fill="white" d="M0 0h494v302H0z"/></clipPath></defs><g clip-path="url(%23a)"><path fill="%2360B9A3" d="M0 0h494v302H0z"/><path stroke="white" d="m.3-.4 494 302m-494.6 0 494-302" opacity=".2"/><path fill="%2360B9A3" d="M197 109h108v79H197z"/><path fill="white" d="M298.6 102c6.2 0 11.4 5.3 11.4 11.5v69c0 6.5-5.2 11.5-11.4 11.5h-99.2c-6.4 0-11.4-5-11.4-11.5v-69c0-6.2 5-11.5 11.4-11.5h99.2Zm-1.5 80.5c.7 0 1.5-.5 1.5-1.4v-66.2c0-.7-.8-1.4-1.5-1.4H201c-1 0-1.5.7-1.5 1.4v66.2c0 1 .5 1.4 1.5 1.4h96Zm-78.6-59.4c5.2 0 9.5 4.3 9.5 9.6 0 5.5-4.3 9.6-9.5 9.6a9.3 9.3 0 0 1-9.5-9.6c0-5.3 4-9.6 9.5-9.6Zm-7.6 47.9v-11.5l9.3-9.3a2.7 2.7 0 0 1 4 0l9.6 9.3L262 131a2.7 2.7 0 0 1 4 0l21 20.8V171h-76Z"/></g></svg>)
Location
Geography continues to quietly eliminate otherwise strong candidates.
In some cases, a firm's location preferences have filtered out candidates at the expense of that choice, materially reducing the talent pool. This is particularly prevalent when firms are located outside of London.
What can begin as a decision taken on culture and engagement grounds, can quickly become an access to talent decision.
Firms which have succeeded in this regard have not necessarily abandoned in-office expectations, but instead have demonstrated pragmatism, creativity and realism about the trade-off between proximity and capability. For example, reducing in-office requirements to bi-weekly or allowing candidates to work from regional offices, closer to home, as well as head office when expected.
Compensation
With mandates increasingly including transformation, Board exposure and regulatory pressure amongst others, initial packages often reflect the historical positioning of the function rather than the future ambition attached to it.
Tellingly, senior risk leaders increasingly interpret salary, bonus and long-term incentives as indicators of how seriously the organisation views the role itself. A mandate described as strategic but priced as operational quickly raises questions about influence, internal standing and the likelihood of meaningful change.
There is a danger in waiting until halfway through a hire to increase compensation flexibility: the obvious consequence of credible candidates ruling themselves out early is one, however, it can also reduce market confidence in the organisation’s clarity of intent.
Where organisations are realistic from the outset about aligning compensation potential to role requirements, and having the flexibility to adjust if those requirements change, successful outcomes are more often seen. This is not a demand to be market-leading, rather an acceptance of where they are positioned compared to the market.
Diversity
Diversity ambitions are both sometimes necessary and market-shaping. When combined with rigid sector, location and experience requirements, however, it intensifies competition within an already constrained segment of the market.
Where we have seen organisations make progress is with those who view diversity not as a constraint on a search, but rather as a reason to redefine their expectations and requirements for a CRO. This could be seen in a willingness to consider emerging leadership or a slightly different background from the one initially thought necessary.
Although ethnicity and gender have often been the two key areas of diversity clients have focused on, for some sectors such as Insurance, diversity of background and sector experience is, in our opinion, further down the list than it should be. As per the above point around “emerging leadership” we feel there is a real opportunity for firms to combine succession planning with an opportunity to look deeper into diversity of thought and experience when it comes to their ExCo minus one leaders.
Conclusion
If you were hoping this paper would confirm that unicorn CROs exist: individuals with identical sector experience, deep cyber expertise, transformation credentials, flawless regulatory pedigree, SMF readiness, cultural alignment and geographic flexibility – ultimately, they do not.
Or if they do, they have already been hired and are not looking to move.
The organisations that ultimately secure strong leaders successfully are not those who lower their ambition, but those who understand where compromise is intelligent rather than dangerous.
Every organisation operates within its own regulatory environment, ownership structure, cultural context and growth trajectory. But the direction of travel is consistent: expectations are rising faster than supply.
Organisations that succeed are those willing to question their own assumptions, move at pace, and make deliberate trade-offs between perfection and progress. Those that remain rigid often experience prolonged searches, repeated restarts, or hires that deliver reassurance rather than transformation.
The uncomfortable but essential question for Boards and executive teams is simple:
What are you willing to compromise on?
We acknowledge with a hire that ‘compromise’ isn’t the word you want to hear, but as advisors focused on senior risk and compliance leadership, this is the reality we help organisations navigate every day. The firms that answer these questions early secure the leaders who shape the future of their risk functions.
NB: The findings included in this paper are derived from five recent case studies within the financial services executive risk and compliance market. We would be happy to share further detail, comments and context on these.