🌠 Architecture Explorer
All 25 functions across 5 groups. Sub-functions, areas, roles, industries, and recruiter lens for each.
🌏 The Landscape
Risk vs compliance vs legal — the three disciplines decoded. Career ladders. Qualification signals (FRM, LLB, CFE).
🔍 Role Deep Dives
What great looks like at each level. The hardest roles to fill. Killer interview questions by track.
🏭 Industry Lens
Risk/legal/compliance across BFSI, Pharma, Tech, Manufacturing — what travels and what does not.
📈 Compensation
India pay benchmarks by role and level. CRO vs CCO vs GC pay. BFSI premium. Listed company uplift.
📋 Practitioner Lab
Six scenarios: compliance vs risk confusion, startup GC search, BFSI compliance for fintech, CISO mandate, DPDP build. Jargon decoded.
The Complete Risk / Legal / Compliance Universe
25 functions across 5 groups. Click any card to explore sub-functions, areas, roles & recruiter lens.
FRM (Financial Risk Manager)
GARP-administered global qualification for risk management. Two parts: quantitative analysis and practice of risk management. Strong signal for: market risk, credit risk, risk analytics roles. In India: most common in private banks, foreign banks, and large NBFCs. The FRM is to risk what the CFA is to investments — a globally respected credential.
LLB / LLM (Law Degree)
India's legal qualification. LLB (3-year or 5-year integrated) is the base requirement for legal practice. LLM (specialised Masters) signals focus in a specific domain (corporate law, IP, tax law). National Law School graduates (NLSIU, NALSAR, NUJS) command a significant premium — treat these universities as India's equivalent of Oxbridge for legal careers.
CFE (Certified Fraud Examiner)
ACFE-administered global credential for fraud examination, investigation, and prevention. Strong signal for: forensics, fraud risk, AML investigation roles. CFE holders are trained in four domains: financial transactions, law, investigation, and fraud prevention. In India: relatively rare — a CFE on the CV is a genuine differentiator for forensics and investigations mandates.
CISA / CISM (Information Security)
ISACA certifications. CISA (Certified Information Systems Auditor) for IT audit; CISM (Certified Information Security Manager) for security management. Both are strong signals for CISO, IT audit, and GRC roles. Combined with CISSP (ISC2): the gold standard for senior CISO candidates. In India: increasingly required for BFSI CISO roles under RBI guidelines.
CA / ICAI (Chartered Accountant)
CA qualification signals forensic accounting depth — especially for investigations and internal audit. Most Chief Internal Auditors carry CA qualification. For risk roles in BFSI: CA + banking experience is a strong combination. CMA (Cost & Management Accountant) is less common but signals operational finance + controls understanding relevant to operational risk.
CIPP / CIPM (Privacy Certifications)
IAPP (International Association of Privacy Professionals) certifications. CIPP/E for EU GDPR; CIPP/A for Asia-Pacific. For India DPDP Act roles: look for candidates who understand the Act itself — formal certification is still sparse. Key signal: candidates who have led a DPDP gap assessment, not just those who attended a workshop. Privacy is too new in India for certification to be the differentiator — depth of implementation experience is.
Risk Analyst / Compliance Officer
Owns: A specific risk or compliance process. Technical depth + regulatory knowledge. Data production and monitoring.
Green flag: "Here's a model I built / a gap assessment I conducted — this is what I found and what changed."
Red flag: Analysts who only run existing processes without understanding the underlying risk or regulatory rationale.
Risk / Compliance Manager
Owns: A domain (credit risk, AML, contract legal). Owns the policy, the team, and the outcome metrics. Starts influencing, not just executing.
Green flag: "Here's a policy I redesigned — what triggered it, what I changed, and what the regulator said."
Red flag: Managers who maintain inherited policies without ever challenging or improving them.
Head of Risk / Compliance / Legal
Owns: The full function for a business unit or entity. Team, budget, regulator relationship, and board reporting. Deals with complexity and ambiguity.
Green flag: "I have presented to the board's Risk/Audit Committee — here's a difficult finding and how I managed the board's response."
Red flag: Heads who have never presented independently to a board committee — this is a non-negotiable for senior roles.
CRO / CCO / General Counsel
Owns: Enterprise-wide risk, compliance, or legal. Strategic advisor to CEO and board. Manages regulatory relationships at the most senior level. Shapes organisational culture.
Green flag: "The hardest decision I made as CRO/CCO/GC was saying no to a deal the CEO wanted — here's how I managed that."
Red flag: C-suite candidates who talk about their team's work without clear personal ownership of the most difficult decisions and regulatory moments.
CRO (NBFC / Fintech)
RBI's Scale-Based Regulation now mandates CROs at larger NBFCs. Requires credit risk + operational risk + regulatory risk + model risk simultaneously. The qualified pool is concentrated in PSU banks and top-tier private banks. Fintech CROs with digital lending experience are extremely rare.
General Counsel (Technology / Startup)
Needs: contracts (volume), data privacy (DPDP), employment law (rapid hiring/firing), M&A/fundraising legal support, and regulatory interface — simultaneously. Most lawyers specialise in 1-2 of these. A GC who spans all of them is the hardest single legal hire in the market.
Head of AML (Large BFSI)
Requires: PMLA depth, FIU-IND relationship management, transaction monitoring technology, and investigation management all at once. RBI has materially increased AML enforcement — the bar for this role has risen faster than the talent pool.
DPO / Head of Data Privacy (DPDP)
DPDP Act 2023 is less than 2 years old. Fewer than 500 professionals in India have led a full DPDP gap assessment and implementation. Everyone in this space is learning — the premium is for those who have started, not those who have completed.
CISO (Board-ready)
CISO candidates who can run a SOC AND present cyber risk in business language to a board are extremely rare. Most CISOs are strong on one or the other. RBI's mandate for board-level cyber reporting has made this combination non-negotiable for BFSI CISOs.
Head of Model Risk
AI and ML in credit and risk decisions has exploded the demand for model validators. Requires: statistics + finance domain + regulatory understanding of model risk (SR 11-7 equivalent). The pool is thin globally — India's pool is even thinner, concentrated in foreign banks and large private sector banks.
For CRO candidates
"Tell me about a time you recommended against a business opportunity on risk grounds — what was the risk, how did you frame it to the CEO/board, and what was the outcome?" Tests: conviction, influence, and risk communication to non-risk audiences.
For Credit Risk candidates
"What was the NPA level in your portfolio at its peak during your tenure — what drove it up and what did you specifically do to bring it down?" Tests: whether they own credit outcomes or just manage credit processes. IRAC norms understanding is non-negotiable.
For CCO / Compliance candidates
"Describe a regulatory examination where the examiner found a gap you had not anticipated — how did you respond in the room and what did you put in place afterwards?" Tests: authenticity, regulatory relationship management, and learning agility.
For General Counsel candidates
"Give me an example where you had to give the CEO legal advice they did not want to hear — what was the situation, what was your advice, and how did you manage the relationship?" Tests: independence, courage, and executive relationship management.
For AML / Financial Crime candidates
"Walk me through a STR you filed — what was the pattern that triggered it, how did you investigate, and what was the outcome with FIU-IND?" Tests: operational investigation experience vs policy-only knowledge.
For CISO candidates
"Tell me about a cyber incident you personally managed — what was the attack vector, how did you contain it, and what did you present to the board?" Tests: incident response experience AND board communication ability — both are required at CISO level.
🏠 BFSI (Banks, NBFCs, Insurance)
Priority risk/legal/compliance functions: Credit risk (NPA, IRAC, CRAR), AML/KYC (PMLA mandatory), RBI/SEBI/IRDAI regulatory compliance, ALM/liquidity risk, CISO (RBI cyber mandate)
Key signals: Regulator interaction experience, specific regulatory examination management, Basel/RBI framework depth
Red flag: Non-BFSI risk/compliance professionals for regulated BFSI roles without material transition preparation
💉 Pharma & Life Sciences
Priority functions: Regulatory affairs (CDSCO, FDA), IP (patent management for drugs), UCPMP compliance, clinical trial regulations, data privacy (clinical trial data)
Key signals: CDSCO inspection experience, US FDA dossier preparation, drug master file management
Red flag: Generic regulatory affairs candidates for pharma without specific drug/device regulatory submission experience
💻 Technology & Fintech
Priority functions: Data privacy/DPDP (highest data volumes), CISO (cyber risk), commercial contracts (high volume), regulatory compliance (RBI if licensed), employment law (fast hiring/firing cycles), IP/technology law
Key signals: DPDP Act implementation experience, RBI sandbox/NBFC regulatory experience for fintech, SaaS contract depth
Red flag: Traditional legal/compliance candidates without technology understanding for tech GC roles — tech companies need lawyers who understand APIs, SaaS models, and data architecture
🏭 Manufacturing & Conglomerates
Priority functions: Operational risk (factory + supply chain), EHS compliance (Factories Act, PESO), IP (product patents), labour law (union environments), GRC, contract legal (vendor/customer)
Key signals: Factory safety compliance experience, union relations management, supply chain risk experience
Red flag: BFSI risk professionals for manufacturing operational risk — factory floor risk is fundamentally different from financial operational risk
💋 Healthcare
Priority functions: Clinical compliance (MCI/NMC regulations), data privacy (patient data under DPDP), IP (medical device patents), employment law (doctor employment complexity), corporate compliance (anti-bribery for pharma companies)
Key signals: Clinical trial compliance, hospital licensing compliance, ABDM (Ayushman Bharat Digital Mission) compliance awareness
Red flag: Generic compliance candidates without healthcare-specific regulatory understanding for hospital system compliance roles
⚡ Startups & VC-backed
Priority functions: GC (full-stack: contracts, employment, IP, fundraising, regulatory), data privacy (DPDP from day one), CISO (early-stage security programme), employment law (rapid team building and occasional departures)
Key signals: Built legal/compliance from scratch, managed ESOP legal, handled fundraising legal (SHA, CCPS documentation)
Red flag: Large-company legal/risk professionals for startup GC roles — the build-from-scratch, zero-bureaucracy, high-ambiguity context is fundamentally different
CRO (Chief Risk Officer)
Large NBFC / Private Bank: ₹1-3Cr
Mid-size NBFC / Fintech: ₹60-120L
Corporate (non-BFSI): ₹50-100L
RBI-mandated CRO in SBR Upper Layer NBFC: non-negotiable senior hire
CCO (Chief Compliance Officer)
Large regulated institution: ₹80-200L
Mid-size NBFC / Fintech: ₹40-80L
Corporate (non-BFSI): ₹35-70L
SEBI/RBI requirement for independent CCO in listed BFSI: board-level appointment
General Counsel / CLO
Large listed company: ₹80-200L
MNC India GC: ₹100-250L
Tech startup GC (Series B+): ₹40-80L + ESOP
GC of top 50 Indian listed company: ₹2-4Cr
Head of Credit Risk
Private bank (Head level): ₹60-130L
NBFC (Head level): ₹40-90L
Fintech lender: ₹35-80L + ESOP
Chief Credit Officer at large private bank: ₹1.5-3Cr
CISO
Large bank / tech company: ₹80-180L
Mid-size NBFC / enterprise: ₹40-90L
Startup CISO: ₹30-60L + ESOP
RBI cyber mandate has materially elevated BFSI CISO pay from 2022 onwards
Head of AML / KYC
Large bank: ₹50-100L
NBFC / Payment company: ₹30-60L
Fintech (licensed): ₹25-50L
MLRO designation in banking: mandatory senior appointment, not a coordinator
Scenario 1: Compliance vs Risk Role Confusion
Client says: "We need a CRO — someone to manage our compliance with RBI." You probe and find: they want someone to manage RBI examination responses, AML/KYC compliance, and the compliance calendar. There is no risk modelling requirement, no credit portfolio, no VaR.
The move: Clarify the mandate. What the client needs is a CCO or Head of Compliance, not a CRO. A CRO who comes from credit risk or market risk will not want this role — and will not be right for it. Reframe: "The function you are describing is Compliance, not Risk. Let me show you the difference in responsibilities, title, and candidate profile — and then let's make sure we are searching for the right person." Do not source CROs for a CCO mandate.
Scenario 2: Startup GC Search
Series C fintech (RBI NBFC licence, 400 employees, ₹800Cr AUM, fundraising planned). CEO asks for a GC. Budget: ₹35-45L. They need: RBI compliance management, contracts (vendor + customer), employment law (ESOP, exits), data privacy (DPDP), and fundraising legal support.
The move: The ask and the budget are misaligned. A lawyer who can handle all five areas simultaneously at Series C scale is a ₹60-90L profile at minimum — and likely needs ESOP on top. Map the scope, not the title. Present the client with a matrix: "Here are the 5 legal domains you need covered. Here is what a ₹40L lawyer can cover (2-3 of them), and here is what a ₹70L GC covers (all 5). Which gaps are you willing to cover with outside counsel?" Let them calibrate the trade-off.
Scenario 3: BFSI Compliance for Fintech
Fast-growing lending fintech (co-lending model with 3 banks, NBFC subsidiary) needs a Head of Compliance. They have been offering the role to compliance professionals from traditional FMCG/pharma companies. No takers from banking compliance because "the salary is not right."
The move: The client is fishing in the wrong pond. Co-lending compliance under RBI guidelines is banking compliance — PMLA, KYC, FEMA, co-lending circular, NBFC SBR guidelines. A pharma compliance head, however excellent, does not have this framework knowledge. Tell the client clearly: "For an RBI-regulated NBFC, you need someone who has worked inside a regulated BFSI institution. The talent pool is in banks and NBFCs, not FMCG. The salary gap is real — let's solve it with a compensation adjustment and ESOP, not by lowering the domain requirement."
Scenario 4: CISO Mandate
Large private bank. RBI cyber security circular requires board-level reporting on cyber risk. Current CISO is technically excellent (former SOC head) but struggles to communicate to the board. The board has asked for a more "senior" CISO. CEO is considering replacing him.
The move: Before recommending a replacement, probe the actual gap. Is the existing CISO unwilling to develop board communication skills, or just untrained? Sometimes the right solution is a VP-level communication support hire or an external presentation coach — cheaper and less disruptive than replacing a technically strong CISO. But if the gap is fundamental (no business judgment, cannot translate technical risk into financial impact), then a replacement search is warranted. Frame the search clearly: "We are looking for a CISO who is 50% technically credible and 50% board-facing communicator. These are two different skill sets — most strong CISOs are heavy on one."
Scenario 5: Building DPDP Compliance from Scratch
Large e-commerce company. DPDP Act 2023 applies. No DPO, no data inventory, no consent management. CEO asks for a "Head of Data Privacy" who can "get us compliant in 6 months."
The move: Set expectations on timeline and talent availability. A full DPDP compliance programme typically takes 12-18 months to implement properly — not 6. And the talent pool of people who have led an end-to-end DPDP implementation in India is fewer than 200 as of 2025. Advise the client: "The first hire should be someone who has at least led a DPDP gap assessment — a programme manager / privacy counsel hybrid. Pair them with a technology consultant for the consent management implementation and a law firm for the legal framework. Do not wait for a complete DPO candidate — they do not exist yet."
Scenario 6: Credit Risk in a Stress Cycle
Mid-size NBFC (MFI segment). NPA spiked from 3% to 11% in 18 months. Previous Head of Credit left. CEO wants to hire a new credit risk head "who can fix the portfolio."
The move: The mandate has two phases: stabilise, then rebuild. Probe the CEO: "Do you need someone to manage the existing NPA resolution (collections, write-offs, restructuring) or someone to rebuild the underwriting framework for future originations? These require different profiles." A credit head with strong collections and recovery experience (SARFAESI, DRT, OTS) is the right hire for phase 1. A strong underwriting / policy head is right for phase 2. Recommend a sequenced search if budget allows, or a rare hybrid who has done both — but be clear that the hybrid profile is thin. Ask: "What is your GNPA target in 12 months? Let's build the role profile from that outcome backwards."
NPA & IRAC
NPA = Non-Performing Asset. A loan where repayment is overdue beyond 90 days. IRAC = Income Recognition, Asset Classification, and Provisioning — RBI norms governing how banks classify and provision for bad loans. Every credit risk professional in BFSI must know IRAC intimately. Ask: "What was the Gross NPA and Net NPA of your portfolio, and what was the Provision Coverage Ratio?"
CRAR & Basel
CRAR = Capital to Risk-weighted Assets Ratio. India's banks must maintain a minimum CRAR of 9% (Basel III). This is the primary measure of a bank's capital adequacy. A CRO or Head of Credit at a bank must understand Pillar 1 (minimum capital), Pillar 2 (ICAAP), and Pillar 3 (disclosure) — the three pillars of Basel III. RBI implements Basel III through its Master Circulars.
FEMA
Foreign Exchange Management Act — governs all foreign exchange transactions in India. Compliance function for cross-border transactions: FDI reporting, ODI (outward investment), ECB (external commercial borrowing), FCGPR, FLA returns. Every company with cross-border transactions or foreign ownership must manage FEMA compliance. Key regulator: RBI's FEMA division. Non-compliance can result in compounding applications and penalties.
POSH
Prevention of Sexual Harassment (of Women at Workplace) Act, 2013. Mandatory for all employers. Requires: Internal Complaints Committee (ICC) formation, annual report, and investigation procedures. Listed companies must disclose POSH compliance in annual reports. POSH failures now attract SEBI scrutiny. Key metric: ICC has at least one external member, investigations are completed within 90 days.
DPDP & SOC 2
DPDP = Digital Personal Data Protection Act 2023 — India's comprehensive data privacy law. Requires consent for personal data processing, data principal rights management, and Data Protection Officer appointment for significant data fiduciaries. SOC 2 = Service Organization Control Type 2 — an American audit standard (AICPA) for service companies managing customer data. Common in tech and ITES. Both are now required by enterprise customers — DPDP for Indian law, SOC 2 for US enterprise contracts.
AML / KYC & VaR
AML = Anti-Money Laundering. KYC = Know Your Customer. Together they form the financial crime prevention framework for regulated institutions. PMLA (Prevention of Money Laundering Act) is the Indian statute. STR = Suspicious Transaction Report (filed with FIU-IND). VaR = Value at Risk — a quantitative risk measure expressing the maximum expected loss at a given confidence level over a time period. Example: "1-day 99% VaR of ₹50Cr" means there is a 1% probability of losing more than ₹50Cr in one day. The foundation of market risk management.