The Leaders in Risk Management & Compliance Executive Recruiting

CyberSecurity – Risk or Compliance Issue?

August 30th, 2017

For the past 16 years, I have had the pleasure of watching the risk and compliance professions evolve, stumble, steady, and become a critical mainstream function in financial service firms, as well as multi-nationals and healthcare firms. We have had the great fortune to fill senior risk and compliance roles at top firms including BlackRock, Blue Mountain Capital, Fidelity, Bank of Montreal, Goldman Sachs, GE, Wells Fargo, BP, Protiviti, Blue Shield of California, and Duke Health. It seems to be no coincidence that Risk Talent Associates never received a request for risk or compliance search assistance from Enron, Lehman, Bear Stearns, and certainly not from Bernie Madoff.

What are the biggest risks facing our clients in 2017? Tough question, because particularly in healthcare, where the risks often can involve loss of life, there is a vast shortage of clinically trained risk professionals. But, even with that challenge, the single greatest risk facing firms, our markets, and our way of life is CyberSecurity. Our research shows that most of the Fortune 100 firms appear to be working diligently on this, but then it drops off significantly. The number of posted Chief of Information Security openings far exceeds the supply.

Here is what our new SEC Chairman Jay Clayton said in a recent speech on July 12, 2017 at the Economic Club in NYC:

“Speaking more generally, cybersecurity is also an area where coordination is critical. Information sharing and coordination are essential for regulators to address potential cyber threats and respond to a major cyberattack, should one arise. The SEC is therefore working closely with fellow financial regulators to improve our ability to receive critical information and alerts and react to cyber threats…. As a final comment on enforcement, I want to go back to cybersecurity. Public companies have a clear obligation to disclose material information about cyber risks and cyber events. I expect them to take this requirement seriously. I also recognize that the cyber space has many bad actors, including nation states that have resources far beyond anything a single company can muster. Being a victim of a cyber penetration is not, in itself, an excuse. But, I think we need to be cautious about punishing responsible companies who nevertheless are victims of sophisticated cyber penetrations. Said another way, the SEC needs to have a broad perspective and bring proportionality to this area that affects not only investors, companies, and our markets, but our national security and our future.”

Basically, Clayton is saying CyberSecurity is a critical area, and that the SEC needs to support, rather than punish, companies who are diligently working to eliminate and minimize cybersecurity threats. As a board member, you realize that much of your role is ensuring that stakeholders are protected from risks, and that the firm is doing its best to understand and mitigate risks. Where does your firm stand on CyberSecurity? If you don’t know the answer to this, that, in itself, is a risk.

The answer to the question is – CyberSecurity is the most significant risk that most people, and businesses, face. Specifically, CyberSecurity is an operational risk, and until this function becomes more mainstream, and mature, the role should either report to the Chief Risk Officer or to someone else in the CSuite.

Regardless of the reporting structure, frankly, the challenge isn’t simply finding smart IT guys to build systems to outwit the hackers. Hackers, by their nature, will find ways around the systems, or will prey on the weaker systems. Sure, firms need the best and the brightest technical resources. But, the challenge is finding the right people who can interface between the business and tech – to make sure that customers, employees and shareholders are protected. Even the largest financial services firms in the world are dealing with this same issue.

Do you have senior risk and business people, who are thinking strategically about CyberSecurity risk?

Risk Talent has partnered with leaders in the CyberSecurity consulting industry. If we can make a connection for you, feel free to reach out. And, due to the nature of this beast, our CyberSecurity recruitment services include a pre-search discussion between industry-leading CyberSecurity experts and your management team, to ensure that both the short term CyberSecurity strategy, as well as the search/hiring plan, makes sense.

Recruiting Exceptional Risk Managers within Healthcare

July 13th, 2017


At Risk Talent, we have seen a significant uptick in the number of risk professionals required by healthcare organizations. Demand far outweighs supply, and we don’t see that changing this decade. One of our clients recently discovered, from a JCAH review, that they were woefully understaffed with risk professionals, despite their recognition as one of the country’s best hospitals in their care group.

Until recently, risk professionals at healthcare organizations have traditionally been focused on claims management. In the past few years that has changed, and hospitals are now required to specifically focus on enterprise and clinical risk management as well as patient safety as part of their day-to-day operations. Some healthcare organizations are now requiring that their risk professionals are also licensed healthcare providers, typically nurses, by profession.

So, how can healthcare organizations meet the growing demand for clinically-trained risk professionals? Here are a few tips:

1) If you have exceptional risk professionals on your team, make sure to take good care of them. Are they being paid market compensation? If not, you are sure to lose them, given the growing demand.

2) If you are looking to upgrade your risk team, rely as heavily as possible on employee referrals. It is always best to hire people who are already within the networks of your employees. If you need help developing your employee network, some firms that can help are Teamable and Workable. Or, check out this article on the components of an exceptional employee referral program.

3) Make sure that your recruitment team pays special attention to candidates who have risk management skills, including certifications such as CPHRM, which is a special risk certification for healthcare professionals. Many times, qualified candidates apply on-line, and the recruiters miss the resumes. In most cases, you are paying for these applications, so make sure you review them, and act on them.

4) If your Applicant Tracking System doesn’t allow for easy MOBILE APPLY, you are missing out on 75% of candidates. There are simple and easy ways to work around your ATS limitations. Check out for an easy overlay to make your ATS mobile friendly.

5) and Resume Library offer vast resume libraries that are easily searchable. Encourage your in-house recruiters to search databases to find local and qualified clinical and enterprise risk management candidates.

6) Job Alerts – in 2017 many people set alerts to notify them about specific job/location combinations. For instance, someone might set a job alert to notify them when a risk director job in Chicago metro appears. Make sure you take advantage of job alert features.

7) Search – For critical roles, hiring a dedicated search partner is the best way to go. Risk Talent offers a wide variety of recruitment options, starting with electronic job posting management, to retained search.

At Risk Talent, we are always happy to share our knowledge with firms who are seeking exceptional risk and compliance talent. Feel free to contact us to start a conversation. Give us a call to pick our brains, and to get some free advice.

Risk Talent

Michael Woodrow


Impact of Trump Victory on the Risk Management Profession

November 17th, 2016

Everyone is trying to figure out – what happens now? For the 7.4 billion people in our world, I think we can all agree – the world just got, at least a little bit, more risky for all of us. But, what about for risk professionals? I have been recruiting risk and compliance professionals for the past 15 years. In the year I founded executive recruiting firm Risk Talent, 2001, with Enron, Arthur Andersen, and especially 9/11 – Risk Talent’s focus on risk management seemed to coincide with an inflection point of risk in the world.

Risk professionals, and those of us who recruit and entice them to make a career move, all benefited from the uptick in the financial markets from 2003 through Sept 15, 2008 when Lehman filed for bankruptcy and the mortgage crisis was in full swing – we can call them the boom years.

Those of us who survived the financial crisis have seen a steady flow of risk work since 2011, with the addition of pseudo-risk professionals – thousands of risk/compliance staff who were hired to help regulators “de-risk” the financial system and address the “too big to fail” scenarios.

So, now that President Trump is coming to Washington early next year, what is in store for risk professionals in 2017-2018? We expect to see a significant uptick in financial services hiring for mid and senior level front office risk professionals, as the Trump administration lessens regulations, and allows banks to dip their toes back into prop trading with the repeal or “realignment” of the Volcker rule. Bank stocks are already surging since the election. The S&P Financial index, XLF, is up 10% since the election, so the market certainly believes that bank profits will grow. We all know that profits, at good financial firms, are correlated with increased risk taking.

One challenge for financial firms – where to get the strong mid and senior level front office risk managers to sit within these trading desks. No one has been growing these people since Lehman.  Hedge funds have some of them, but hedge funds have been challenged, too.  So, where are these people?  Look for independent (read – oversight) risk professionals who have the market savvy to move into front office roles.  Some of them are out there, but they are few and far between. Look for junior portfolio managers who have risk experience in their background.  Prime brokerage risk professionals are also close enough to the markets to make a move into these key roles.

What else? It is the responsibility of boards, and of risk professionals themselves, to step up and manage this coming Trump-inspired reduced level of regulation. We don’t want a return to the mortgage crisis or Enron. Compensation, for the CEO, the portfolio/desk manager, and the risk professional should be longer term focused, and risk positions should be clearly measured, reported and transparent. I urge the Trump administration to maintain/support many of the positive changes that were made post Lehman, such as the PCAOB and the compensation changes that the industry made. As of Nov 8, 2016, the world is already more risky than it was only last month. But sound risk management is about knowing/measuring the risks that are out there, and deciding what to do about them, so that we can avoid either another Lehman situation, or worse, Armageddon. Risk professionals, and the ultimate risk officer – boards of directors – we are in for another wild ride.

Risk Management for Recruiters – Definition of key terms

August 15th, 2014

Risk Management for Recruiters

Definitions of Key Terms


Market Risk

Credit Risk

Operational Risk

Enterprise Risk




What is Risk Management

Risk Management is a broad discipline both within as well as outside of financial services. In summary, risk management involves defining and addressing the risks that currently impact and/or could potentially impact a business. These risks can be addressed in many ways including insurance, hedging, processes, technology, and people.

The risk function in a firm typically reports up to a Chief Risk Officer, who reports to the CEO, but in many organizations the reporting structure differs. Risk can report to the CFO, to the General Counsel, and even directly to the Board of Directors. The most common structure has risk reporting up to someone in the organization, usually a CEO, and almost always outside of a revenue-generating role. For instance, risk reporting to sales or to trading or even to the Chief Investment Officer significantly reduces the efficacy and independence of the role.

These terms are being defined below for recruiters and human resource professionals. While the definitions are accurate, they are meant to assist the recruiters in doing their job in sourcing and evaluating risk talent and not for risk professionals. Risk professionals should seek more detailed descriptions which can be found at and


1)   Market risk – the risk that pricing in the financial markets will move against your position. A simple example is United Airlines and the price of oil. The price of oil is a market risk to United Airlines. United has little to no control over the price of oil. When its price moves up and down, this can significantly impact the profitability and even the viability of United Airlines because they rely on jet fuel, an oil product, to run their business.

2)   Credit risk – the risk that your financial partner will be unable to pay you back at the time funds are due. An example would be JP Morgan creating a $50 million bank line of credit for Starbucks. Credit risk is the risk that when the note is due, Starbucks would lack either liquidity or collateral to pay back the line balance. Another example is called counterparty credit risk. That credit risk involves the risk that the financial trading partner, maybe a bank or a hedge fund, is unable to complete a financial transaction such as an interest rate swap, due again to lack of liquidity or lack of collateral.

3)   Operational risk – the risk that operations, involving people, processes and technology will adversely impact your firm. These risks include fraud, errors, technology glitches, reputation, regulatory, etc. It is somewhat of a catch-all for risks that are not market or credit risks. Basel I, II and III are international banking regulations that require mostly banks to set aside capital for these risks. Calculating these measurements is important, as capital set aside to cover potential operational losses cannot be deployed for other, more profitable, pursuits.

4)   Enterprise risk – this is the combination and inter-relationship of the three primary risks above. Pulling it all together is important. A simple example would be that, as shown above, the price of oil, a market risk, can impact United Airlines’ ability to pay back a bank loan, a credit risk. Or, software systems and their potential trading errors, can impact reputational risk if clients rely on this software to run their businesses. Most firms, including healthcare and insurance firms, are taking a hard look at enterprise risk.

For more information, please contact me at

Risk Recruiting Training – Risk for Recruiters 101

July 29th, 2014

Risk Recruiting Training Series

Risk for Recruiters 101

Recruiting Exceptional Risk Management Candidates

Last week we discussed the characteristics of an exceptional risk manager. Traits include quantitative, communicative, market savvy, and strategic. But, how would a corporate recruiter, who is accustomed to recruiting a broad range of professionals, source and recruit these exceptional risk managers?

There is no magic wand to source risk management candidates. However, a disciplined and structured approach is required, if you expect to generate candidates who will be appreciated by your hiring manager. Follow these five steps:

1)   Ask the hiring manager to verbalize the job description by walking you through it in detail – approximately 15-30 minutes. Don’t be too shy to have your hiring manager explain key terms. Feel free to contact me at Risk Talent to discuss the search. This is a free service that we provide.

2)   Draft a search plan and share it with the hiring manager. The key component to a search plan is to determine – where are the likely candidates working now? Make a list of 10-20 companies, minimum. The search plan should include the several steps to successfully complete the search. More on search plans in a later post.

3)   Execute the search plan by first posting the job on websites such as , Linkedin, and Indeed. However, if you stop here, you will likely fail. This is one step to the process but it isn’t enough.

4)   Go to LinkedIn and search for contacts at the search plan target companies, as per #2 above. Search on company name and risk, or company name and other key words from the job title or job description. Connect with these people so that you have access to their networks. Plan to source at least five candidates through this process. At Risk Talent, our goal is to source 20 qualified candidates for each role, but five is a good place to start. Keep working this step until you have sourced five quality candidates.

5)   Manage the flow that comes in from your job postings, but do this only at the beginning of each day, for a total of one hour per day maximum. Make it a habit not to look at replies to job postings after 10am each day. They can wait until tomorrow.

6)   Interview the candidates. More on interviewing risk management candidates in a later post.

7)   Manage the hiring manager interview process. More on that in a later post.


Get started. There are quality risk candidates out there.   If you post a job online and wait for candidate flow, you will be disappointed. Feel free to contact me for advice on risk recruiting at

PRM or FRM – Risk Certification Programs – Is it worth the effort?

July 24th, 2014

Over the years I have often times been asked by candidates if a PRM or FRM certification is required, or even appreciated by employers. For those of you who have completed these certifications, you know that the process is time consuming and challenging. In 13 years, with over 200 risk and compliance searches completed, I have never once been asked by a client to only recruit an individual with a PRM or an FRM designation. We are typically asked to make sure that a candidate has an MBA, or for more quantitative roles, clients typically want a Master’s degree or a PhD. But, never have we been asked to only source candidates with one of these certifications. That said, at Risk Talent Associates, we have found that individuals who are certified with a PRM or an FRM make themselves better risk management professionals and candidates, and they are more likely to be hired for a new role. The breadth and depth of these certifications provide a candidate with knowledge that often times helps them to better navigate their way through the interview process, as risk executives ask broad reaching interview questions. So, my advice to emerging risk professionals – get the certification, it will make you a better risk manager and also prepare you for the interview process when looking for a new role in risk.

Four components of an Exceptional Risk Manager

July 21st, 2014

Clients and newcomers to the field of risk management have often asked, “What makes a great risk manager?” In the 13 years that I have led Risk Talent Associates, the leading executive recruiting firm in risk management, I have found that exceptional risk managers have all four of the following traits:
1) Quantitative Skills – While some people are more quantitative than others, top risk managers understand the nuances of financial risk management and the metrics that are important. Not everyone has a PhD, but the best risk managers understand the models and the results at the detail level.
2) Market Savvy – Top Risk Managers need to know the financial markets, or their specific industry, such as healthcare. They need to know the nuances of their market including the products traded in financial services, or the key metrics in healthcare. In both cases, financial and healthcare, the risk manager must have intimate knowledge of the regulatory environment.
3) Strategic – Exceptional Risk Managers look forward. Internal Auditors look backward. Particularly in Enterprise Risk Management, the best risk managers need to be thinking about the risks impacting their firm today, as well as expected risks in the future.
4) Communicative – Exceptional risk managers can communicate key concepts and risks to varied constituencies. Communication with clients, board members, executives, regulators and others all must be handled professionally and delicately so that the risk issues are clearly understood.

Let’s talk about risk recruiting.

Risk Analytics – The Hottest Risk Management Skillset

March 27th, 2013

Risk Analytics Managers are in high demand in March, 2013 as financial services firms, including banks, hedge funds, asset managers, insurance companies, captive finance companies, GSEs and regulators all look to upgrade talent in risk analytics – with particular emphasis on credit analytics. At Risk Talent Associates, we have seen steady increases in activity for this skill set. Individuals with 10-15 years of experience are in the highest demand, because while Risk IT budgets continue to be tight, it appears that available resources are being allocated to this risk area and firms need individuals with experience, and who can manage a team, on the risk side to lead these development efforts. Why risk analytics in 2013? Because financial firms are slowly but surely gearing up to take more risk, and they want to make sure to take smart risks. Individuals with 10-15 years of experience are young enough to have renaissance skills, such as quantitative finance and programming, but they have also lived through the past couple of down cycles – valuable experience for new system build-outs. For more information contact

Risk Hiring in 2013

January 9th, 2013

At Risk Talent Associates, we are seeing a definite uptrend in recruiting activity in 2013. Client inquiries are up 40% already year to date, as compared to 2012. While we are only a week into 2013, the activity level seems to be at a four-year high. My conversations with CROs seem to point to a slight uptick in headcount, but CROs are also saying that they are under business pressure to upgrade their risk organizations, so that if the economy picks up in 2013, they won’t be left with open positions and challenging recruiting. Please provide some insight on your thoughts for risk hiring in 2013.

Compensation is Up for Technology Risk Managers, Not Including Chief Risk Officers

April 15th, 2011

Risk Talent Associates, a risk management recruiting firm, stated in their 2010 Compensation Survey covering Technology & Software  that compensation for risk executives at all levels was up, except those with over 16 years of experience.  This year’s survey did not include Chief Risk Officers, a title that has been included in all past surveys. 

Our risk management recruiting surveys generally cover compensation for professionals from the Analyst/Associate level up through Chief Risk Officer.

Total Compensation, Salary and Bonus by Years of Experience (US Dollars)

Source: Risk Talent Associates Salary Survey 2010. All figures in US Dollars and rounded to nearest thousand.

Total Compensation, Salary and Bonus by Title (US Dollars)

Source: Risk Talent Associates Salary Survey 2010. All figures in US Dollars and rounded to nearest thousand.