McKinsey Global Institute

Addressing the revolving door in risk

As the field of risk management evolves, the value proposition for employees has to evolve as well.

It’s not just a figment of our collective anxiety: our complex and interconnected world really has become more volatile. The past few years have brought a succession of public health, economic, environmental, and geopolitical shocks. They’ve also shown that the price of inadequate risk management can be high. As episodes from the 2008 financial crisis to this fall’s meltdown in cryptocurrency platforms have shown, the consequences can quickly cascade in finance. The same is true in other sectors as well. Supply chain breakdowns have caused factory shutdowns and shortages of essential goods worldwide, while product safety failures have caused real harm and major legal liabilities. But risk isn’t only about extraordinary events; day-to-day operational failures can also lead to losses, regulatory action, and drops in share price.

Companies need to anticipate and avoid or manage a wider range of disruptions than ever before—and that’s where risk and compliance professionals come in. They are charged with keeping their employers resilient by protecting their finances, operations, technology infrastructure, organizational strength, reputations, and business models. Think of the credit risk analyst who flags shaky loan applications, the product safety engineer who certifies that standards are met, the healthcare compliance officer who protects patient data, the risk manager who warns about a reputational issue with a potential vendor, and the business continuity planner who swings into action when a typhoon hits a key supplier.

As risk management has become a bigger imperative, companies have been scrambling to fill these critical roles. 1 Previous MGI research projected that risk-related jobs will grow twice as fast as all occupations in the United States. In 2021, the US unemployment rate for compliance officers was less than half the national unemployment rate, the sign of a tight market.

In most cases where demand for talent outstrips supply, the advice would be to stop holding out for candidates who perfectly match a checklist of required skills and experience. Recent research from MGI and McKinsey’s People & Organizational Performance Practice analyzed four million de-identified online work histories through 2019, across four major economies. Zooming in on the 17,000 risk and compliance professionals in the data set shows that companies are already hiring people into these roles from an extraordinarily wide range of backgrounds. Here we look at which industries and occupations they’re coming from—and whether they’re staying to build careers in risk.

The talent scarcity that has spurred companies to hire from a broader pool may be due to risk and compliance being relatively new as a formal profession (see sidebar, “A brief history of risk management”). It may also be due to retention challenges. Only 13 percent of the people in our data set who started in a risk and compliance role remained in the field through the end of the period we observed.

Sidebar

Not all of this inflow and outflow is negative. There is value for companies and workers alike in having people rotate through risk. But an overreliance on individuals who are new to the field could become a vulnerability in and of itself. Employers and the profession as a whole can benefit from a greater emphasis on developing and retaining risk professionals with deeper expertise. As the field evolves, the value proposition for employees has to evolve as well. This is an opportune moment for companies to bring more of this function out of “back-room silos” and into the heart of the business.

Companies are already casting wide nets to fill the growing need for risk-related roles

The people in our data set who were risk professionals at the end of their observed work histories took two types of routes to get there. Some started out in the field and stayed in their professional lanes, building specialized expertise over time. But they were the minority; a far larger group transitioned into risk.

A whopping 90 percent of the risk and compliance professionals in our data set did not start in risk roles (Exhibit 1). 2 This is double the share of tech professionals who broke into their field from nontech occupations—a striking comparison, since tech is similarly a relatively new and fast-moving field where demand is projected to remain strong well into the future. As a discipline, risk is heavily reliant on bringing in fresh talent to fill roles. Indeed, there is often value in bringing someone into risk who has well-rounded business experience.

A whopping 90 percent of the risk and compliance professionals in our data set did not start in risk roles.

Ninety percent of risk and compliance workers started in non-risk roles
We strive to provide individuals with disabilities equal access to our website. If you would like information about this content we will be happy to work with you. Please email us at: McKinsey_Website_Accessibility@mckinsey.com

Individuals with non-risk-related backgrounds master new skills when they enter the field. We refer to the jump in skills associated with a role move as the “skill distance” associated with that move; this metric reflects the fraction of skill requirements for a new role that were not part of the job someone previously held. The workers who were new to risk and compliance moved an average skill distance of some 40 percent. This is slightly higher than the 35 percent average across all occupations, but it is hardly insurmountable. Furthermore, this skill distance is roughly the same whether or not workers trying to break into risk and compliance change industries. Employers that take a skills-based view when evaluating candidates have the option to draw on talent across industries rather than just looking close to home.

Shifting into risk management from a nonrisk occupation also requires people to make more job moves through the course of their career—between 10 and 15 percent more, on average—than those who stay in the same risk occupation. Perhaps surprisingly, however, people who started in different risk-related occupations moved about 10 percent more frequently than those who started in nonrisk occupations. This holds whether or not they changed industries, perhaps reflecting the fact that specific types of risk functions are often siloed within companies—and that when committed risk professionals want to branch out and develop new capabilities, they sometimes have to change employers to do so.

Not only do most risk and compliance professionals shift roles, but nearly half of them switch industries over the course of their careers. As Exhibit 1 shows, those risk professionals who change industries undertake more role moves on average than those who remain within the same industry.

Overall, 70 percent of the risk and compliance talent moving across industries came from industrials, consumer discretionary products, finance, and technology (Exhibit 2). But companies in certain sectors are more likely to hire people who already “speak the industry language.” Sixty percent of risk professionals in finance and 57 percent of those in healthcare started within the same industry. In both of these industries, regulations tend to be extensive, reflecting the consequences associated with things going wrong in these areas. Companies can benefit from developing professionals who combine mastery of risk management, knowledge of unique compliance requirements, and general industry know-how.

Companies in certain sectors prefer to hire risk and compliance talent with industry experience
We strive to provide individuals with disabilities equal access to our website. If you would like information about this content we will be happy to work with you. Please email us at: McKinsey_Website_Accessibility@mckinsey.com

Which non-risk-related occupations are the primary launching pads for people who enter the field?

Companies are hiring people into risk roles who started their careers in all sorts of other white-collar professions. Some emerge as more common launching pads. Ten occupations were the starting points for 45 percent of these risk and compliance workers with nonrisk backgrounds, although they collectively account for just 5 percent of the varied “desk jobs” that feed into the field (Exhibit 3). The greatest numbers were sales representatives, financial analysts, accountants and auditors, management analysts, and engineers.

Ten starting occupations launch 45 percent of workers who break into risk from other types of white-collar roles
We strive to provide individuals with disabilities equal access to our website. If you would like information about this content we will be happy to work with you. Please email us at: McKinsey_Website_Accessibility@mckinsey.com

When moving into risk-related occupations, almost 60 percent of those with nonrisk backgrounds navigate skill distances that are smaller than the average needed to enter the field. They include those who came from nine of the ten most common nonrisk starting occupations (with engineers being the exception). These jobs involve transferable skills, which makes a move into risk viable. Financial analysts, accountants and auditors, some marketing professionals, and customer service representatives all bridge a skill distance of 30 percent or less when they enter risk occupations. They are able to apply existing skills such as cost analyses, stakeholder presentations, and report preparation and dissemination, while adding new capabilities such as regulation impact evaluation, procedure monitoring, and scenario planning.

But people can and do make bigger professional leaps. Some 40 percent of workers entering risk from other types of occupations bridged an above-average skill gap; in fact, almost half of this group overcame a skill distance of 50 percent or more. This group includes people who started their careers as insurance sales agents, teachers, and billing clerks. For example, one individual in our data set worked as a head cashier for a communications company for a few years before becoming a Title 31 compliance officer, a job that involves reporting large casino transactions to thwart money laundering and identity theft. This career move involved a skill distance of about 70 percent.

Hiring managers can take a chance on someone who doesn’t fit the mold precisely if they see that the candidate’s mind works in a way that meshes with what the role requires. Regardless of starting occupations, workers moving into risk and compliance for the first time generally bring a set of transversal skills from their prior experience. These include information processing (the ability to compile, categorize, tabulate, audit, and verify data quickly and accurately), inductive reasoning (the ability to combine pieces of information and form general conclusions), and the ability to navigate a complex organization and influence others. These skills are not specific to any given domain, and they can make someone a great candidate for a role in risk and compliance. Importantly, selecting for these skills can remove the “paper ceiling” that often blocks many talented candidates without college degrees (including underrepresented minorities) from certain roles.

Few people stay on a risk and compliance career track over the long term

In addition to documenting how thousands of risk professionals first entered the workforce, our data set shows the subsequent paths of people who started their careers in risk. More often than not, those paths are leading them out of the discipline altogether. Eighty-seven percent of the workers in our data set who started in risk and compliance roles did not stay in the field. This is higher than the 67 percent of the total workers in our sample who left their starting occupational category (Exhibit 4).

Workers who started in risk and compliance left the field at above-average rates
We strive to provide individuals with disabilities equal access to our website. If you would like information about this content we will be happy to work with you. Please email us at: McKinsey_Website_Accessibility@mckinsey.com

The 13 percent who stayed in the risk profession throughout their observed work histories continued to make role moves and add skills over time. More than half of that group moved into a different risk occupation, a different industry, or both. One worker in our sample started as a financial examiner with a consumer discretionary company before taking a job as a compliance officer with a financial services company. After accumulating a few years of experience in that role, this individual went on to become the director of anti–money laundering and fraud at another financial company, then assumed a more general senior operational risk management role.

Many professionals appear to be treating risk and compliance jobs as training grounds rather than destinations—and this is not necessarily detrimental. It can be healthy for individual companies if workers rotate in and out of risk to become more well-rounded. They bring differing operational perspectives into the risk function, then diffuse what they learned into the fabric of the organization when their stint is over. It can also be healthy for broader industries to have risk professionals moving across companies (or even from industry to industry) to cross-pollinate best practices.

But should companies be concerned about the rate at which people are leaving the field altogether? If they have a thoughtfully designed rotational program to give their entire employee base a risk mindset and related experience, perhaps not. But in the absence of a deliberate rotational strategy, high turnover could be occurring because people dislike the roles as structured or cannot see paths to advancement. Companies in this boat need to take action to avoid developing but then losing expertise and institutional memory.

Meanwhile, demand does not appear to be waning anytime soon. Filling roles with people who are new to risk is one strategy for meeting demand; rotational programs are another. But companies need to think simultaneously about retaining people for the long haul.

Companies can create a stronger employee value proposition in risk and compliance

As our complex and interconnected world has gotten more volatile, the stakes associated with getting risk management right have never been higher. With risk and compliance becoming increasingly vital functions, companies need to position the field as a desirable career path that will attract more entry-level talent—and ensure that more people stay in the field to develop expertise over time.

A key place to start is by articulating the purpose attached to risk roles. In a 2021 McKinsey survey, 70 percent of respondents said that their individual sense of purpose is largely defined by their work; the importance of meaningful work was especially pronounced among younger respondents. Roles focused on climate and sustainability risks, in particular, may resonate with Gen Z workers. The risk function has a clear purpose attached to it: ensuring the organization’s stability, customer safety, and adherence to the rule of law. Beyond promoting these values in the hiring process, managers can help people see how their day-to-day work contributes to these priorities and recognize them as key contributors to the business.

Another priority for improving the appeal of risk as a professional path is reevaluating the day-to-day experience and responsibilities of specific roles. Some of them, particularly more junior-level compliance roles, have traditionally involved detailed review and documentation to ensure that regulations are followed to the letter and that all government reporting requirements are met. If companies situate this work in the back office, siloed away from frontline operations, it stands to reason that people might leave the field to vary their experience and raise their profiles. Now, however, compliance management systems can remove some of the administrative burden, which opens the door to making compliance jobs into meatier roles where workers can exercise more judgment.

In addition to reexamining and perhaps redesigning specific roles, clear learning and advancement tracks can help junior-level professionals develop into senior risk leaders. People need coaching and well-designed learning pathways to make a mental jump from documenting adherence to rules to thinking more holistically about potential threats and shoring up vulnerabilities. One aspect of this is becoming fluent with predictive analytics and the scenario modeling tools that are transforming the field. Companies can create a win-win by adopting cutting-edge risk management technologies and creating learning programs for mastering them, whether internal or external.

Another option for breaking down silos and formalizing risk training could be lateral rotations. This could have the benefit of giving employees in other functions a solid grounding in why risk management matters while giving junior-level risk professionals more exposure and a better understanding of the risk-related challenges on the front lines. Beyond rotations, involving risk and compliance employees in other types of cross-functional initiatives could improve their connectivity with the rest of the company.

As the nature of risk management changes, companies have an opportunity to elevate the entire function and bring more of it out of the back office.

Compensation is another important lever for attracting and retaining risk talent, just as it is in any tight market. In tracking the career moves people made over time, our data set showed that people who started in risk-related jobs were on track to roughly match the lifetime earnings of “desk workers” who started in nonrisk jobs across all industries. They are on track for 1.1 times higher lifetime earnings than the average worker—but tech professionals, who are similarly in demand, are on track for lifetime earnings that are 1.3 times higher than the average. While risk careers are a solid earning option, compensation may need to be reassessed if companies continue to expand their risk teams, extending a war for talent.

As the nature of risk management changes, companies have an opportunity to elevate the entire function and bring more of it out of the back office. It is possible to make this happen; after all, in the not-too-distant past, technology professionals were mostly walled off in IT departments and help desks. Now they are front and center in every aspect of corporate operations. In a volatile world, risk management similarly needs to permeate the broader organization and inform both operations and strategy. Risk and compliance professionals at all levels need opportunities to grow in tandem with the field.

Explore a career with us

Related Articles