How chief risk officers can build the next generation of leaders

The risk function is evolving faster than ever—and so too must the profile of its leaders.

Historically, great risk leaders were characterized by deep technical fluency, business acumen, and a strong focus on compliance. While these traits remain essential, today’s disruptive environment—with the acceleration in AI, shifting regulatory priorities, rising geopolitical volatility, and growing complexity and interdependence in the risk landscape—demands even more from risk professionals and creates an opportunity to shape the risk function of the future. It is more important than ever that risk leaders act decisively amid uncertainty, maintain a strong external orientation, and harness technology and analytics to accelerate impact.

In many ways, the risk function is well positioned to cultivate these traits in individuals. Chief risk officers (CROs) and their teams operate across businesses and functions, have a say in most of an organization’s critical decisions while balancing growth and risk considerations, and play a key role in high-priority initiatives, such as regulatory responses, crisis management, and strategic transformations.

As the function evolves to navigate the raft of complexities confronting an organization, its leaders have an opportunity to develop it into a leadership incubator. Indeed, it can become a place that produces high-performing talent—subject matter experts as well as versatile generalists—equipped to step confidently into enterprise-wide leadership roles.

As Gert Kruger, CRO of FirstRand, told us, “Equipping people with broad skills creates a value proposition both for individuals to work in risk—who see risk as a career accelerator—and for the enterprise, which gains well-rounded leaders.”

Our ongoing research on the evolving role of the CRO has revealed the mindsets, skills, and habits that are essential to developing future-ready leaders. Drawing on this research as well as McKinsey’s work on developing 21st-century leaders, we have identified four actions CROs and their teams are taking to position the risk function as a leadership factory:

  • Develop a clear, forward-looking definition of what makes a great leader in today’s risk environment.
  • Cast a wide net for talent by proactively identifying high-potential leaders within and beyond the risk function.
  • Stretch, upskill, and elevate risk leaders by providing resilience-building experiences through rotations, high-ownership projects, and targeted development.
  • Build sustained capability by hardwiring leadership development into systems, processes, and culture.

Define the 21st-century risk leader

CROs can work with senior leaders across and beyond the risk function to define a clear, forward-looking vision of great leadership—one that encompasses critical capabilities, creates shared standards, and focuses on consistent approaches to talent development. Crucially, this vision should emphasize that great leaders don’t just embody these capabilities themselves—they cultivate them in others. Indeed, the most effective leaders develop talent intentionally, create inclusive environments, and empower their teams to take ownership over decision-making. CROs can codify, communicate, and regularly revisit this vision to ensure their leadership development approach remains focused and adaptable as business needs evolve.

Based on our research and experience, we believe the 21st-century risk leader embodies five critical traits:

  • Business fluency as a core skill: Risk leaders are expected to shape business outcomes and establish the organization’s risk stance by demonstrating commercial awareness and operational excellence in their role. This becomes even more critical as CROs increasingly serve as strategic partners to the business, helping to balance growth and prudence in an environment of heightened uncertainty and rapid change. In many organizations, up to half of risk officers were previously in senior business roles. “The role of the CRO is to actually take risk to grow the business,” said Nigel Williams, former CRO at Commonwealth Bank. “It is about choosing where you want to grow and what risks that you take.”
  • Emerging technical and domain mastery: Emerging risk areas such as AI, cyber, and crypto are fundamentally reshaping the risk landscape. Risk functions need leaders with deep fluency in these domains—and the foresight to anticipate how they will evolve. As AI adoption accelerates, for example, leaders are expected to not only grasp the technical dimensions but also connect them to business strategy.
  • Influence and executive presence: Leaders need to distill complex, technical, and ambiguous issues into clear, actionable recommendations so that they can credibly influence the business agenda. As Marlene Debel, MetLife’s CRO and head of MetLife Insurance Investments, told us, “At some point in your career, your technical skills become table stakes . . . what gets you the next role is your ability to also lead, manage, influence, and negotiate.” To do this well, risk leaders are expected to have the executive presence to engage with top leadership. As Trevor Adams, former CRO of Nedbank, said, “EQ [emotional quotient] is more important than IQ. Being technically smart is no longer enough. And being correct is not sufficient; it is how you convey the message.”
  • Orthogonal thinking: The most effective leaders are able to assess today’s risks and opportunities, while also anticipating what may lie ahead—using orthogonal thinking to surface emerging threats and unconventional opportunities before they become visible to others. Orthogonal thinkers look around corners, challenge assumptions, and connect dots others might miss. They combine curiosity with constructive dissent, pushing teams to test conventional wisdom and explore second-order effects. As Maria Morris, chair of the Board Risk Committee at Wells Fargo, said, “The best risk talent are those who ask what if and why questions.” In doing so, they help organizations not only manage risk but redefine the boundaries of opportunity.
  • Adaptability and resilience: In an environment where priorities can shift overnight, the most effective leaders have developed battle scars by stepping into ambiguity, driving transformation, and taking on challenges without guaranteed playbooks. They rally teams through disruption, abandon approaches that no longer serve, and model the grit and steadiness that inspire confidence.

No individual will excel equally across all five traits. That is why CROs may benefit from cultivating two different but equally vital talent tracks in the function: deep subject matter experts who anchor the function in technical excellence (in areas like technology or model risk, for example) and risk generalists with integrative capabilities, who bring the breadth of experience and judgment to exert influence at the enterprise level. Both types of talent are critical, but CROs need to be explicit about the mix required in the risk function and be deliberate about the talent cultivation and development needed for each track.

Cast a wide net for talent

With a clearly defined profile of modern risk leadership, CROs can focus on spotting the individuals who embody these traits.

Successful risk leaders treat talent identification as a core leadership responsibility, which requires looking beyond the usual suspects and proactively identifying high-potential leaders before they disengage or move elsewhere. Leading CROs are now deliberately broadening sourcing channels beyond the traditional confines of the risk function to include adjacent areas such as data science, operations, finance, and technology. As we’ve explored in past research, the strongest candidates moving into risk and compliance for the first time often bring a set of transversal skills (for example, information processing and inductive reasoning) from their prior experience.

“We would not be able to accomplish what we need with monotone experiences and skill sets,” explained Ben Rosenthal, CRO of New York Life. “We need attorneys, auditors, actuaries, technologists, PhD mathematicians, physicists . . . you name the background.”

Spotting talent requires rigor and constant engagement. Traditional approaches such as structured reviews and HR processes can be systematically leveraged to identify and evaluate talent that meets the vision of a 21st-century risk leader. CROs can also create dedicated forums and programs that surface emerging leaders. These might include talent accelerators for early-career professionals or structured opportunities for rising leaders to present directly to the CRO at least once a year. Some CROs also use informal touchpoints to spot promising talent. Sadia Ricke, CRO of Standard Chartered, told us that she routinely has town halls, talent lunches, as well as one-on-one meetings with key people to get to know talent across the organization and identify the next generation of leaders.

Stretch, elevate, and upskill your risk leaders

Identifying the right talent is not enough on its own. Real growth happens when talent is tested through experiences that build enterprise perspective, sharpen judgment, and hardwire resilience.

Leading CROs do this by creating a portfolio of opportunities to accelerate development without disrupting business as usual. These opportunities are most effective when tailored to where individuals are on their growth path—whether deepening the expertise of technical specialists or broadening the perspective of enterprise risk generalists. Craig Broderick, former CRO at Goldman Sachs, told us that leaders can “start elevating those that are the most important and those that you would have the highest risk of losing if you don’t give them more profile and opportunity.” Here are three ways CROs can do this:

  • Cross-pollinate through structured rotations: Design structured rotation programs that allow risk leaders to develop an enterprise-wide perspective while strengthening both technical depth and leadership range.

    Early-tenure employees can benefit from two- to three-year programs spanning multiple areas inside and outside risk (such as operational risk, compliance, or business operations). A sample path could include two risk-domain rotations and one outside placement to develop commercial fluency and cross-functional collaboration skills.

    For more tenured talent, CROs can embed rotations within leadership accelerator or hybrid programs—pairing targeted experiences with mentoring, training, and project work. These rotations can be more flexible in duration (six to 18 months) and focused on closing readiness gaps for future enterprise roles (such as gaining first-line exposure or leading a transformation initiative). Ajai Bambawale, group head and CRO of TD Bank Group, told us that he makes a very conscious effort to move people between the business and risk, ideally looking for a two-way flow. He said that high-potential leaders are often placed into risk roles for two or three years before they return to the business.

    With two-thirds of his own career spent outside risk, Shaun Dooley, NAB’s former group CRO, can attest to the value of developing cross-functional experience. “People who want to move up in the organization—be it risk or any other function—need to move across business units: either from first line into the second line, or into the third line and all the way across to build broader context and understanding and expand their skill sets.”

  • Champion moonshot projects: Assign top talent to spearhead bold initiatives. High-visibility and high-ownership assignments develop judgment, confidence, and the ability to lead through ambiguity. Jason Schugel, CRO at Webster Bank, described how crises create opportunity: “I’ve found that responses to regulatory actions create valuable opportunities to stretch and develop talent, regardless of their prior experience with this type of work.”

    Some risk roles may involve highly technical or specialized responsibilities that are difficult to step away from without causing disruption to business-as-usual operations. CROs and other leadership can consider ways to balance such opportunities. In cases where full-time reassignment is not feasible, they can adopt creative models such as creating coleads, rotational backfills, or phased involvement. The goal is to grow talent without compromising continuity—and to ensure that development opportunities are accessible even in tightly resourced teams.

  • Create “side of desk” leadership roles: Not every stretch opportunity requires full-time reassignment. Consider creating “side of desk” projects that allow high-potential employees to take on additional leadership responsibilities without being fully pulled from their current roles. This approach is particularly valuable in teams with lean staffing or when testing an individual’s readiness for a broader set of responsibilities. Over time, these experiences build visibility, versatility, and leadership muscle without creating unwanted disruption.

Through all these opportunities, what matters most is intentionality. CROs can carefully curate development pathways that stretch leaders in the right ways, balancing technical mastery with enterprise exposure, and pairing day-to-day delivery with opportunities that accelerate readiness for bigger roles.

Build sustained leadership capability through systems and culture

Leading CROs embed leadership development into their function’s DNA, creating a self-reinforcing flywheel: identifying talent, developing it, showcasing it, and reinvesting those leaders back into the system as mentors and role models. This can require a three-pronged approach:

  • Reinforce the risk function’s career value proposition: Risk can be positioned as the place where the best operational talent comes from—a launchpad for careers across the enterprise. The most effective risk functions make career paths visible, showcasing leaders who have come through risk on their way to broader roles, reinforcing the message that time in risk accelerates leadership potential and opens doors across the enterprise. They highlight that there is no single path to success: Some leaders build depth as subject matter experts, while others become versatile generalists—both equally valued and essential to the function’s long-term strength. They also signal real commitment to development by providing meaningful apprenticeship and exposure to the enterprise and its stakeholders. Done well, the function can become a brand in itself—known as both a proving ground and career accelerator, where talent gets tested, recognized, and prepared for the next step.

  • Be deliberate about mentorship and apprenticeship: Make mentoring and feedback part of the daily rhythm, not an annual exercise. Highly effective CROs cultivate intentional apprenticeship within their organizations by pairing established risk leaders with emerging risk talent. These structured pairings are designed to provide coaching and accelerate development. When combined with stretch opportunities and deliberate exposure to high-profile leaders—such as the board and business unit heads—apprenticeships can help rising talent deepen their technical and enterprise capabilities, learn to navigate complex decision-making environments, and gain visibility with those who shape the organization’s agenda.
  • Build a culture of learning from both inside and out of the risk function: The best ideas rarely come from a single source. Encourage leaders to take part in industry events, bring external voices into off-sites, and invite stakeholders—from business heads to former regulators to end customers—to share perspectives that ground risk in real-world impact. At the same time, push your own leaders to shape the conversation externally. Speaking roles and thought-leadership opportunities not only elevate the function’s profile but also reinforce risk as a forward-looking discipline and a platform where talent builds visibility, credibility, and career momentum.

Defining a modern leadership profile, broadening the talent aperture, and creating stretch opportunities are critical steps to building the next generation of risk leaders—but they must also be sustained by systems and culture. When CROs embrace this mandate, the payoff can be significant. By building a bench of leaders ready to navigate today’s increasingly complex risk landscape, CROs can future-proof their organizations and redefine the function’s role in the enterprise as a catalyst for resilience and innovation.
