RISK / LEGAL / COMPLIANCE
1 Introduction
2 Architecture
3 The Landscape
4 Role Deep Dives
5 Industry Lens
6 Compensation
7 Practitioner Lab
Functions Explored
0 of 25 explored
Layer 3 · Function Expert Guide
Risk / Legal / Compliance
25 functions across 5 groups — from Chief Risk Officer to Forensics. The complete recruiter's atlas for risk, legal, and compliance mandates at every level.
25
Risk/Legal Functions
5
Function Groups
83
Sub-Functions
498
Specific Areas
What This Guide Covers
Risk, Legal, and Compliance is SNH's most under-served and highest-value specialist mandate category. CRO searches, General Counsel placements, CCO mandates, CISO hires — all require domain knowledge that separates expert recruiters from generalists. This guide covers every function: credit risk and NPA management, AML/KYC compliance, India's DPDP Act 2023, BFSI regulatory compliance under RBI/SEBI/IRDAI, corporate legal and M&A, POSH, forensics, and GRC. For each function: what they actually do, the jargon decoded (VaR, IRAC, FEMA, CRAR, SOC2), and the exact questions that find genuine domain depth.

🌠 Architecture Explorer

All 25 functions across 5 groups. Sub-functions, areas, roles, industries, and recruiter lens for each.

🌏 The Landscape

Risk vs compliance vs legal — the three disciplines decoded. Career ladders. Qualification signals (FRM, LLB, CFE).

🔍 Role Deep Dives

What great looks like at each level. The hardest roles to fill. Killer interview questions by track.

🏭 Industry Lens

Risk/legal/compliance across BFSI, Pharma, Tech, Manufacturing — what travels and what does not.

📈 Compensation

India pay benchmarks by role and level. CRO vs CCO vs GC pay. BFSI premium. Listed company uplift.

📋 Practitioner Lab

Six scenarios: compliance vs risk confusion, startup GC search, BFSI compliance for fintech, CISO mandate, DPDP build. Jargon decoded.

The 5 Function Groups
Enterprise & Operational Risk
5 functions — Identifying and managing business-wide risk
Credit & Financial Risk
5 functions — Managing risk in lending and financial portfolios
Regulatory & Compliance
5 functions — Staying on the right side of regulators
Legal & Corporate Affairs
5 functions — Legal protection and corporate governance
Governance, Controls & Audit
5 functions — Oversight and assurance

The Complete Risk / Legal / Compliance Universe

25 functions across 5 groups. Click any card to explore sub-functions, areas, roles & recruiter lens.

1
Enterprise & Operational Risk
Identifying and managing business-wide risk
5 functions
1🛡️
Chief Risk Officer (CRO)
The enterprise risk steward. Owns the risk framework, risk appetite, and board risk committee.
4 sub-fns
2🗺️
Enterprise Risk Management (ERM)
Systematic identification of all risks that could impair the business.
3 sub-fns
3⚙️
Operational Risk
Risks from people, processes, systems, and external events.
3 sub-fns
4🚨
Business Continuity & Crisis Management
Keeps the business running when the unexpected happens.
4 sub-fns
5📊
Risk Analytics & Modelling
Quantifying risk with VaR, stress testing, scenario analysis.
3 sub-fns
2
Credit & Financial Risk
Managing risk in lending and financial portfolios
5 functions
6💳
Credit Risk Management
Owns credit policy and portfolio quality. NPAs are the ultimate measure.
4 sub-fns
7📈
Market Risk Management
Interest rate, FX, and equity risk. Heavily quantitative.
3 sub-fns
8💧
Liquidity Risk
Ensuring the organisation can meet its obligations.
3 sub-fns
9🤖
Model Risk Management
Validates models used for credit, pricing, and risk decisions.
3 sub-fns
10🔍
Fraud Risk & Financial Crime
Detecting and preventing fraud, AML, financial crime.
4 sub-fns
3
Regulatory & Compliance
Staying on the right side of regulators
5 functions
11📋
Head of Compliance / CCO
The compliance function leader. Owns the regulator relationship and compliance programme.
4 sub-fns
12🏦
BFSI Regulatory Compliance
RBI/SEBI/IRDAI — India's financial regulators are active and exacting.
4 sub-fns
13🔎
AML & KYC Compliance
Anti-money laundering and know-your-customer. Mandatory for all financial institutions.
4 sub-fns
14🔒
Data Privacy & Protection (DPDP)
India's Digital Personal Data Protection Act 2023 created a new compliance function.
3 sub-fns
15⚖️
Corporate Compliance & Ethics
Code of conduct, anti-bribery, whistleblower management.
3 sub-fns
4
Legal & Corporate Affairs
Legal protection and corporate governance
5 functions
16👨‍⚖️
General Counsel / CLO
The chief legal officer. Strategic advisor to CEO and board.
4 sub-fns
17📝
Commercial & Contracts Legal
Drafting, reviewing, negotiating contracts — the volume function in most legal teams.
3 sub-fns
18🤝
M&A & Corporate Legal
Transaction legal — acquisitions, restructuring, JVs, fundraising.
4 sub-fns
19👥
Employment & Labour Law
Employment contracts, terminations, POSH, labour disputes.
3 sub-fns
20💡
Intellectual Property & Technology Law
Patents, trademarks, copyright, data licensing.
3 sub-fns
5
Governance, Controls & Audit
Oversight and assurance
5 functions
21🏛️
GRC (Governance, Risk & Compliance)
The integrated framework connecting governance, risk, and compliance.
3 sub-fns
22🔬
Internal Audit Leadership
Independent assurance to the board.
4 sub-fns
23📜
Regulatory Affairs (Non-BFSI)
Pharma, food, telecom — sector-specific regulatory compliance.
3 sub-fns
24🔐
Information Security & Cyber Risk (CISO)
CISO-level function. Cyber risk is now a board-level concern.
4 sub-fns
25🕵️
Forensics & Investigations
When something goes wrong — fraud, whistleblower, regulatory investigations.
3 sub-fns
The Landscape
Understanding the Risk / Legal / Compliance Universe
Three distinct disciplines. Career ladders. Qualifications decoded. What separates good from great.
The Three Disciplines — Risk vs Compliance vs Legal
Risk, Compliance, and Legal are frequently conflated — even by clients. Clarifying which discipline a mandate sits in is the most important opening question.
🛡️ Risk Management
FocusIdentify, quantify, and manage uncertainty that could impair the business
RolesCRO, ERM Manager, Credit Risk Head, Market Risk, Operational Risk
Key skillAnalytical, quantitative, forward-looking judgment
MeasurementRisk-adjusted returns, loss rates, NPA ratios, VaR accuracy
Career ceilingCRO, CFO (risk track), CEO (BFSI)
📋 Compliance
FocusEnsure the organisation adheres to laws, regulations, and internal policies
RolesCCO, AML Head, BFSI Regulatory Compliance, Data Privacy Officer
Key skillRegulatory knowledge, process design, regulator relationship management
MeasurementRegulatory findings, fine history, STR quality, audit outcomes
Career ceilingCCO, GC (compliance background), Board Risk Committee member
⚖️ Legal
FocusProtect the organisation's legal interests — contracts, disputes, regulatory
RolesGeneral Counsel, Commercial Lawyer, M&A Counsel, Employment Lawyer, IP Counsel
Key skillLegal drafting, negotiation, regulatory interpretation, litigation management
MeasurementLitigation outcomes, contract quality, regulatory penalty avoidance
Career ceilingGeneral Counsel / CLO, Board Director (legal background)
🔒 Where They Overlap
GRCGovernance, Risk and Compliance combines all three lines of defence
BFSI ComplianceRequires regulatory (legal) + process (compliance) + risk (prudential) depth simultaneously
Data PrivacySits at the intersection of legal (DPDP Act) + compliance (programme) + risk (data breach risk)
ForensicsRequires legal (privilege), risk (control failure), and compliance (regulatory investigation) skills
Career Ladders — Risk, Legal, Compliance
Risk Track
Risk Analyst / Quant
0-3 yrs
Risk Manager
4-8 yrs
Head of Risk
9-14 yrs
CRO
15+ yrs
Compliance Track
Compliance Officer
0-4 yrs
Compliance Manager
4-8 yrs
Head of Compliance
8-14 yrs
CCO
15+ yrs
Legal Track
Junior Counsel / Associate
0-4 yrs (LLB / LLM)
Senior Counsel / Legal Manager
4-9 yrs
Head of Legal
9-14 yrs
General Counsel / CLO
15+ yrs
Qualifications — What They Signal

FRM (Financial Risk Manager)

GARP-administered global qualification for risk management. Two parts: quantitative analysis and practice of risk management. Strong signal for: market risk, credit risk, risk analytics roles. In India: most common in private banks, foreign banks, and large NBFCs. The FRM is to risk what the CFA is to investments — a globally respected credential.

LLB / LLM (Law Degree)

India's legal qualification. LLB (3-year or 5-year integrated) is the base requirement for legal practice. LLM (specialised Masters) signals focus in a specific domain (corporate law, IP, tax law). National Law School graduates (NLSIU, NALSAR, NUJS) command a significant premium — treat these universities as India's equivalent of Oxbridge for legal careers.

CFE (Certified Fraud Examiner)

ACFE-administered global credential for fraud examination, investigation, and prevention. Strong signal for: forensics, fraud risk, AML investigation roles. CFE holders are trained in four domains: financial transactions, law, investigation, and fraud prevention. In India: relatively rare — a CFE on the CV is a genuine differentiator for forensics and investigations mandates.

CISA / CISM (Information Security)

ISACA certifications. CISA (Certified Information Systems Auditor) for IT audit; CISM (Certified Information Security Manager) for security management. Both are strong signals for CISO, IT audit, and GRC roles. Combined with CISSP (ISC2): the gold standard for senior CISO candidates. In India: increasingly required for BFSI CISO roles under RBI guidelines.

CA / ICAI (Chartered Accountant)

CA qualification signals forensic accounting depth — especially for investigations and internal audit. Most Chief Internal Auditors carry CA qualification. For risk roles in BFSI: CA + banking experience is a strong combination. CMA (Cost & Management Accountant) is less common but signals operational finance + controls understanding relevant to operational risk.

CIPP / CIPM (Privacy Certifications)

IAPP (International Association of Privacy Professionals) certifications. CIPP/E for EU GDPR; CIPP/A for Asia-Pacific. For India DPDP Act roles: look for candidates who understand the Act itself — formal certification is still sparse. Key signal: candidates who have led a DPDP gap assessment, not just those who attended a workshop. Privacy is too new in India for certification to be the differentiator — depth of implementation experience is.

Role Deep Dives
Inside the Risk / Legal / Compliance Org — What Great Looks Like
From Analyst to CRO / GC / CCO. The hardest roles to fill. Killer questions by track.
What Great Leadership Looks Like at Each Level

Risk Analyst / Compliance Officer

Owns: A specific risk or compliance process. Technical depth + regulatory knowledge. Data production and monitoring.

Green flag: "Here's a model I built / a gap assessment I conducted — this is what I found and what changed."

Red flag: Analysts who only run existing processes without understanding the underlying risk or regulatory rationale.

Risk / Compliance Manager

Owns: A domain (credit risk, AML, contract legal). Owns the policy, the team, and the outcome metrics. Starts influencing, not just executing.

Green flag: "Here's a policy I redesigned — what triggered it, what I changed, and what the regulator said."

Red flag: Managers who maintain inherited policies without ever challenging or improving them.

Head of Risk / Compliance / Legal

Owns: The full function for a business unit or entity. Team, budget, regulator relationship, and board reporting. Deals with complexity and ambiguity.

Green flag: "I have presented to the board's Risk/Audit Committee — here's a difficult finding and how I managed the board's response."

Red flag: Heads who have never presented independently to a board committee — this is a non-negotiable for senior roles.

CRO / CCO / General Counsel

Owns: Enterprise-wide risk, compliance, or legal. Strategic advisor to CEO and board. Manages regulatory relationships at the most senior level. Shapes organisational culture.

Green flag: "The hardest decision I made as CRO/CCO/GC was saying no to a deal the CEO wanted — here's how I managed that."

Red flag: C-suite candidates who talk about their team's work without clear personal ownership of the most difficult decisions and regulatory moments.

The Hardest Risk / Legal / Compliance Roles to Fill

CRO (NBFC / Fintech)

RBI's Scale-Based Regulation now mandates CROs at larger NBFCs. Requires credit risk + operational risk + regulatory risk + model risk simultaneously. The qualified pool is concentrated in PSU banks and top-tier private banks. Fintech CROs with digital lending experience are extremely rare.

General Counsel (Technology / Startup)

Needs: contracts (volume), data privacy (DPDP), employment law (rapid hiring/firing), M&A/fundraising legal support, and regulatory interface — simultaneously. Most lawyers specialise in 1-2 of these. A GC who spans all of them is the hardest single legal hire in the market.

Head of AML (Large BFSI)

Requires: PMLA depth, FIU-IND relationship management, transaction monitoring technology, and investigation management all at once. RBI has materially increased AML enforcement — the bar for this role has risen faster than the talent pool.

DPO / Head of Data Privacy (DPDP)

DPDP Act 2023 is less than 2 years old. Fewer than 500 professionals in India have led a full DPDP gap assessment and implementation. Everyone in this space is learning — the premium is for those who have started, not those who have completed.

CISO (Board-ready)

CISO candidates who can run a SOC AND present cyber risk in business language to a board are extremely rare. Most CISOs are strong on one or the other. RBI's mandate for board-level cyber reporting has made this combination non-negotiable for BFSI CISOs.

Head of Model Risk

AI and ML in credit and risk decisions has exploded the demand for model validators. Requires: statistics + finance domain + regulatory understanding of model risk (SR 11-7 equivalent). The pool is thin globally — India's pool is even thinner, concentrated in foreign banks and large private sector banks.

Killer Interview Questions by Track

For CRO candidates

"Tell me about a time you recommended against a business opportunity on risk grounds — what was the risk, how did you frame it to the CEO/board, and what was the outcome?" Tests: conviction, influence, and risk communication to non-risk audiences.

For Credit Risk candidates

"What was the NPA level in your portfolio at its peak during your tenure — what drove it up and what did you specifically do to bring it down?" Tests: whether they own credit outcomes or just manage credit processes. IRAC norms understanding is non-negotiable.

For CCO / Compliance candidates

"Describe a regulatory examination where the examiner found a gap you had not anticipated — how did you respond in the room and what did you put in place afterwards?" Tests: authenticity, regulatory relationship management, and learning agility.

For General Counsel candidates

"Give me an example where you had to give the CEO legal advice they did not want to hear — what was the situation, what was your advice, and how did you manage the relationship?" Tests: independence, courage, and executive relationship management.

For AML / Financial Crime candidates

"Walk me through a STR you filed — what was the pattern that triggered it, how did you investigate, and what was the outcome with FIU-IND?" Tests: operational investigation experience vs policy-only knowledge.

For CISO candidates

"Tell me about a cyber incident you personally managed — what was the attack vector, how did you contain it, and what did you present to the board?" Tests: incident response experience AND board communication ability — both are required at CISO level.

Industry Lens
Risk / Legal / Compliance Across Industries
What changes dramatically across BFSI, Pharma, Technology, Manufacturing — and what travels.
Skills That Travel vs Skills That Do Not
🌐 Skills That Travel Across Sectors
Enterprise Risk FrameworksERM methodology (COSO, ISO 31000) is broadly portable across sectors
Commercial LegalContract drafting and negotiation travels — with sector-specific calibration
GRC Framework DesignThree lines of defence and GRC operating model are sector-independent
ForensicsInvestigation methodology travels — sector-specific fraud patterns require calibration
Data PrivacyDPDP Act applies across sectors — privacy programme skills are portable
🔒 Skills That Do Not Travel
BFSI Credit RiskNPA management, IRAC norms, SARFAESI, CRAR — banking-only concepts
Insurance ComplianceIRDAI solvency, embedded value, actuarial interface — not portable
Pharma Regulatory AffairsCDSCO, US FDA dossier, drug master files — deeply sector-locked
Market Risk (Trading Book)VaR, CVA, prime brokerage — only relevant to financial institutions
AML/KYCPMLA-mandated in BFSI — different compliance obligations in non-BFSI
Industry-by-Industry Breakdown

🏠 BFSI (Banks, NBFCs, Insurance)

Priority risk/legal/compliance functions: Credit risk (NPA, IRAC, CRAR), AML/KYC (PMLA mandatory), RBI/SEBI/IRDAI regulatory compliance, ALM/liquidity risk, CISO (RBI cyber mandate)

Key signals: Regulator interaction experience, specific regulatory examination management, Basel/RBI framework depth

Red flag: Non-BFSI risk/compliance professionals for regulated BFSI roles without material transition preparation

💉 Pharma & Life Sciences

Priority functions: Regulatory affairs (CDSCO, FDA), IP (patent management for drugs), UCPMP compliance, clinical trial regulations, data privacy (clinical trial data)

Key signals: CDSCO inspection experience, US FDA dossier preparation, drug master file management

Red flag: Generic regulatory affairs candidates for pharma without specific drug/device regulatory submission experience

💻 Technology & Fintech

Priority functions: Data privacy/DPDP (highest data volumes), CISO (cyber risk), commercial contracts (high volume), regulatory compliance (RBI if licensed), employment law (fast hiring/firing cycles), IP/technology law

Key signals: DPDP Act implementation experience, RBI sandbox/NBFC regulatory experience for fintech, SaaS contract depth

Red flag: Traditional legal/compliance candidates without technology understanding for tech GC roles — tech companies need lawyers who understand APIs, SaaS models, and data architecture

🏭 Manufacturing & Conglomerates

Priority functions: Operational risk (factory + supply chain), EHS compliance (Factories Act, PESO), IP (product patents), labour law (union environments), GRC, contract legal (vendor/customer)

Key signals: Factory safety compliance experience, union relations management, supply chain risk experience

Red flag: BFSI risk professionals for manufacturing operational risk — factory floor risk is fundamentally different from financial operational risk

💋 Healthcare

Priority functions: Clinical compliance (MCI/NMC regulations), data privacy (patient data under DPDP), IP (medical device patents), employment law (doctor employment complexity), corporate compliance (anti-bribery for pharma companies)

Key signals: Clinical trial compliance, hospital licensing compliance, ABDM (Ayushman Bharat Digital Mission) compliance awareness

Red flag: Generic compliance candidates without healthcare-specific regulatory understanding for hospital system compliance roles

⚡ Startups & VC-backed

Priority functions: GC (full-stack: contracts, employment, IP, fundraising, regulatory), data privacy (DPDP from day one), CISO (early-stage security programme), employment law (rapid team building and occasional departures)

Key signals: Built legal/compliance from scratch, managed ESOP legal, handled fundraising legal (SHA, CCPS documentation)

Red flag: Large-company legal/risk professionals for startup GC roles — the build-from-scratch, zero-bureaucracy, high-ambiguity context is fundamentally different

Compensation
Risk / Legal / Compliance Pay Architecture — India 2024-25
Benchmarks by role and level. BFSI premium. Listed company uplift. Common client mistakes.
What Drives Pay in Risk / Legal / Compliance
📈 Pay Drivers
BFSI premiumRisk/compliance roles in regulated BFSI pay 25-40% above equivalent corporate roles
Regulator relationshipCandidates who have directly managed RBI/SEBI examinations command a significant premium
Listed company upliftLegal/compliance for listed companies pays 20-30% above unlisted equivalent
NLU pedigree (Legal)National Law School graduates: 20-35% premium at entry/mid-level over tier-2 law school
FRM / CFE / CISM certificationSpecialist certifications add ₹5-15L premium at manager-to-VP level
⚠️ Common Client Mistakes
CRO comp confusionStartup CRO at ₹40-60L will get a risk manager, not a CRO — regulatory mandated CRO needs ₹1Cr+ in BFSI
GC scope mismatchBudgeting ₹30L for a GC when the role needs M&A + compliance + employment breadth — that's a ₹80-120L search
Compliance vs risk conflationOffering a compliance salary for a risk role (or vice versa) signals the client does not understand the difference
DPDP/privacy marketNew enough that market data is sparse — do not anchor on old privacy comp — the DPDP premium is real and growing
Compensation by Role & Seniority
Total CTC in ₹ Lakhs per annum. India market, 2024-25. BFSI figures are at the higher end of the range.

CRO (Chief Risk Officer)

Large NBFC / Private Bank: ₹1-3Cr

Mid-size NBFC / Fintech: ₹60-120L

Corporate (non-BFSI): ₹50-100L

RBI-mandated CRO in SBR Upper Layer NBFC: non-negotiable senior hire

CCO (Chief Compliance Officer)

Large regulated institution: ₹80-200L

Mid-size NBFC / Fintech: ₹40-80L

Corporate (non-BFSI): ₹35-70L

SEBI/RBI requirement for independent CCO in listed BFSI: board-level appointment

General Counsel / CLO

Large listed company: ₹80-200L

MNC India GC: ₹100-250L

Tech startup GC (Series B+): ₹40-80L + ESOP

GC of top 50 Indian listed company: ₹2-4Cr

Head of Credit Risk

Private bank (Head level): ₹60-130L

NBFC (Head level): ₹40-90L

Fintech lender: ₹35-80L + ESOP

Chief Credit Officer at large private bank: ₹1.5-3Cr

CISO

Large bank / tech company: ₹80-180L

Mid-size NBFC / enterprise: ₹40-90L

Startup CISO: ₹30-60L + ESOP

RBI cyber mandate has materially elevated BFSI CISO pay from 2022 onwards

Head of AML / KYC

Large bank: ₹50-100L

NBFC / Payment company: ₹30-60L

Fintech (licensed): ₹25-50L

MLRO designation in banking: mandatory senior appointment, not a coordinator

Practitioner Lab
Risk / Legal / Compliance Scenarios & Jargon Decoder
Six real recruiting scenarios with recommended moves — plus the jargon every SNH recruiter must know.
Practitioner Lab — Six Recruiting Scenarios

Scenario 1: Compliance vs Risk Role Confusion

Client says: "We need a CRO — someone to manage our compliance with RBI." You probe and find: they want someone to manage RBI examination responses, AML/KYC compliance, and the compliance calendar. There is no risk modelling requirement, no credit portfolio, no VaR.

The move: Clarify the mandate. What the client needs is a CCO or Head of Compliance, not a CRO. A CRO who comes from credit risk or market risk will not want this role — and will not be right for it. Reframe: "The function you are describing is Compliance, not Risk. Let me show you the difference in responsibilities, title, and candidate profile — and then let's make sure we are searching for the right person." Do not source CROs for a CCO mandate.

Scenario 2: Startup GC Search

Series C fintech (RBI NBFC licence, 400 employees, ₹800Cr AUM, fundraising planned). CEO asks for a GC. Budget: ₹35-45L. They need: RBI compliance management, contracts (vendor + customer), employment law (ESOP, exits), data privacy (DPDP), and fundraising legal support.

The move: The ask and the budget are misaligned. A lawyer who can handle all five areas simultaneously at Series C scale is a ₹60-90L profile at minimum — and likely needs ESOP on top. Map the scope, not the title. Present the client with a matrix: "Here are the 5 legal domains you need covered. Here is what a ₹40L lawyer can cover (2-3 of them), and here is what a ₹70L GC covers (all 5). Which gaps are you willing to cover with outside counsel?" Let them calibrate the trade-off.

Scenario 3: BFSI Compliance for Fintech

Fast-growing lending fintech (co-lending model with 3 banks, NBFC subsidiary) needs a Head of Compliance. They have been offering the role to compliance professionals from traditional FMCG/pharma companies. No takers from banking compliance because "the salary is not right."

The move: The client is fishing in the wrong pond. Co-lending compliance under RBI guidelines is banking compliance — PMLA, KYC, FEMA, co-lending circular, NBFC SBR guidelines. A pharma compliance head, however excellent, does not have this framework knowledge. Tell the client clearly: "For an RBI-regulated NBFC, you need someone who has worked inside a regulated BFSI institution. The talent pool is in banks and NBFCs, not FMCG. The salary gap is real — let's solve it with a compensation adjustment and ESOP, not by lowering the domain requirement."

Scenario 4: CISO Mandate

Large private bank. RBI cyber security circular requires board-level reporting on cyber risk. Current CISO is technically excellent (former SOC head) but struggles to communicate to the board. The board has asked for a more "senior" CISO. CEO is considering replacing him.

The move: Before recommending a replacement, probe the actual gap. Is the existing CISO unwilling to develop board communication skills, or just untrained? Sometimes the right solution is a VP-level communication support hire or an external presentation coach — cheaper and less disruptive than replacing a technically strong CISO. But if the gap is fundamental (no business judgment, cannot translate technical risk into financial impact), then a replacement search is warranted. Frame the search clearly: "We are looking for a CISO who is 50% technically credible and 50% board-facing communicator. These are two different skill sets — most strong CISOs are heavy on one."

Scenario 5: Building DPDP Compliance from Scratch

Large e-commerce company. DPDP Act 2023 applies. No DPO, no data inventory, no consent management. CEO asks for a "Head of Data Privacy" who can "get us compliant in 6 months."

The move: Set expectations on timeline and talent availability. A full DPDP compliance programme typically takes 12-18 months to implement properly — not 6. And the talent pool of people who have led an end-to-end DPDP implementation in India is fewer than 200 as of 2025. Advise the client: "The first hire should be someone who has at least led a DPDP gap assessment — a programme manager / privacy counsel hybrid. Pair them with a technology consultant for the consent management implementation and a law firm for the legal framework. Do not wait for a complete DPO candidate — they do not exist yet."

Scenario 6: Credit Risk in a Stress Cycle

Mid-size NBFC (MFI segment). NPA spiked from 3% to 11% in 18 months. Previous Head of Credit left. CEO wants to hire a new credit risk head "who can fix the portfolio."

The move: The mandate has two phases: stabilise, then rebuild. Probe the CEO: "Do you need someone to manage the existing NPA resolution (collections, write-offs, restructuring) or someone to rebuild the underwriting framework for future originations? These require different profiles." A credit head with strong collections and recovery experience (SARFAESI, DRT, OTS) is the right hire for phase 1. A strong underwriting / policy head is right for phase 2. Recommend a sequenced search if budget allows, or a rare hybrid who has done both — but be clear that the hybrid profile is thin. Ask: "What is your GNPA target in 12 months? Let's build the role profile from that outcome backwards."

Risk / Legal / Compliance Jargon Decoded

NPA & IRAC

NPA = Non-Performing Asset. A loan where repayment is overdue beyond 90 days. IRAC = Income Recognition, Asset Classification, and Provisioning — RBI norms governing how banks classify and provision for bad loans. Every credit risk professional in BFSI must know IRAC intimately. Ask: "What was the Gross NPA and Net NPA of your portfolio, and what was the Provision Coverage Ratio?"

CRAR & Basel

CRAR = Capital to Risk-weighted Assets Ratio. India's banks must maintain a minimum CRAR of 9% (Basel III). This is the primary measure of a bank's capital adequacy. A CRO or Head of Credit at a bank must understand Pillar 1 (minimum capital), Pillar 2 (ICAAP), and Pillar 3 (disclosure) — the three pillars of Basel III. RBI implements Basel III through its Master Circulars.

FEMA

Foreign Exchange Management Act — governs all foreign exchange transactions in India. Compliance function for cross-border transactions: FDI reporting, ODI (outward investment), ECB (external commercial borrowing), FCGPR, FLA returns. Every company with cross-border transactions or foreign ownership must manage FEMA compliance. Key regulator: RBI's FEMA division. Non-compliance can result in compounding applications and penalties.

POSH

Prevention of Sexual Harassment (of Women at Workplace) Act, 2013. Mandatory for all employers. Requires: Internal Complaints Committee (ICC) formation, annual report, and investigation procedures. Listed companies must disclose POSH compliance in annual reports. POSH failures now attract SEBI scrutiny. Key metric: ICC has at least one external member, investigations are completed within 90 days.

DPDP & SOC 2

DPDP = Digital Personal Data Protection Act 2023 — India's comprehensive data privacy law. Requires consent for personal data processing, data principal rights management, and Data Protection Officer appointment for significant data fiduciaries. SOC 2 = Service Organization Control Type 2 — an American audit standard (AICPA) for service companies managing customer data. Common in tech and ITES. Both are now required by enterprise customers — DPDP for Indian law, SOC 2 for US enterprise contracts.

AML / KYC & VaR

AML = Anti-Money Laundering. KYC = Know Your Customer. Together they form the financial crime prevention framework for regulated institutions. PMLA (Prevention of Money Laundering Act) is the Indian statute. STR = Suspicious Transaction Report (filed with FIU-IND). VaR = Value at Risk — a quantitative risk measure expressing the maximum expected loss at a given confidence level over a time period. Example: "1-day 99% VaR of ₹50Cr" means there is a 1% probability of losing more than ₹50Cr in one day. The foundation of market risk management.