Your risk role has been live for three months.<\/p>\n
The applications are there. The shortlist isn’t.<\/p>\n
You’re calling it a talent shortage. It isn’t. The brief is describing a risk function that no longer exists. And the candidates doing the actual work in 2026 can see that before they finish reading the first paragraph.<\/p>\n
The organisations still hiring for CPS 230 implementation are already behind. The market has moved. Financial crime automation and AI governance are where the demand is concentrated right now. Most briefs haven’t caught up.<\/p>\n
That’s the problem. And it’s fixable before your next role goes live.<\/p>\n
<\/p>\n
This is the pattern showing up repeatedly across regulated Australian organisations right now.<\/p>\n
Operational risk, GRC, and compliance roles going live with solid applicant volume. Months passing. Nothing converting. The assumption becomes scarcity.<\/p>\n
The issue isn’t supply. It’s that the brief describes yesterday’s risk function.<\/p>\n
Risk has shifted into two dominant areas: financial crime and AML automation, and technology risk and AI governance. The regulatory pressure driving each is live and accelerating. Most job descriptions were written before either became the priority they are now.<\/p>\n
The candidates capable of delivering in these environments are reading outdated briefs and self-selecting out. Before you ever see them.<\/p>\n
<\/p>\n
This is the most immediate hiring pressure in the market. And most organisations are already behind on it.<\/p>\n
AML Tranche 2 reforms are due July 2026. The expansion brings professional services sectors into Australia’s AML\/CTF regime and deepens existing obligations across financial services.<\/p>\n
Customer due diligence requirements are expanding. Cross-sector exposure is increasing. The compliance surface area is growing fast.<\/p>\n
But the brief problem isn’t just about regulatory knowledge. It’s about the technical environment the work now sits inside.<\/p>\n
Transaction monitoring is automated. Alerts are model-driven. Detection thresholds are tuned through data science workflows.<\/p>\n
The financial crime function has already shifted from policy and procedure to systems and detection logic. Tranche 2 adds volume and complexity to a function that was already technically demanding.<\/p>\n
Most briefs still ask for “AML experience.” That framing doesn’t describe the delivery environment anymore.<\/p>\n
The candidates working inside modern financial crime systems see that immediately. They self-select out before you ever see them. If your financial crime brief doesn’t describe the technology environment and the Tranche 2 delivery load, you’re not reaching the shortlist you need.<\/p>\n
<\/p>\n
This is where we’re seeing the sharpest increase in demand right now.<\/p>\n
Banks, insurers, and payments businesses are actively building AI governance frameworks. Boards want to know who owns AI risk. Regulators are asking how automated decisioning systems are controlled and audited. The question of who can explain to APRA how a model makes credit or fraud decisions is no longer hypothetical.<\/p>\n
It’s a live hiring requirement.<\/p>\n
The profiles in demand need genuine fluency across control frameworks, data architecture, and AI systems. They need to challenge engineering teams in their own language. Not review documentation handed to them after the fact.<\/p>\n
When a client asks us to fill a technology audit role and we dig into what year one actually looks like, the conversation goes the same way every time.<\/p>\n
They tell us: “We need Big Four audit experience and strong stakeholder management.”<\/p>\n
We ask: “What are they auditing? Legacy financial controls or AI systems and modern technology platforms?”<\/p>\n
The answer is almost always the latter. The brief still describes the former.<\/p>\n
We fix the brief before we start the search. Not every client wants to hear it. The ones who listen find their hire. The ones who don’t are back in market six months later.<\/p>\n
<\/p>\n
Senior risk professionals understand the market. Compensation matters. But it’s not what’s losing you candidates.<\/p>\n
Across the mandates we’re working on right now, Heads of Risk in enterprise environments are benchmarking between $250,000 and $350,000 base. Senior Managers are landing in the $160,000 to $180,000 range. If your band is set against 2024 internal benchmarks, you’re already behind.<\/p>\n
Fix the band. But know that’s just the entry point.<\/p>\n
We’ve had risk professionals decline first interviews this year without a competing offer. When we follow up, three reasons come up consistently.<\/p>\n
The first is mandate clarity. The role didn’t define what they would own, what they could decide without escalation, or what authority actually looked like in practice. A Head of Technology Risk who needs CIO sign-off to implement a control isn’t heading anything. Senior candidates read the reporting structure before they read the job description.<\/p>\n
The second is flexibility. Three days in the office is where the market has settled for most senior risk management roles. Anything above that is a genuine barrier.<\/p>\n
Mandating four or five days isn’t a culture signal anymore. It’s a shortlist filter. It’s removing strong candidates before you ever speak to them.<\/p>\n
The third is stability. With restructures and redundancies running through financial services globally, senior candidates are actively assessing organisational risk before they move.<\/p>\n
A role that feels exposed, sits inside a recently restructured function, or lacks clear executive sponsorship will lose candidates to roles that feel more secure. Stability is a selling point right now. If your organisation has it, lead with it.<\/p>\n
<\/p>\n
These aren’t questions about whether you’re ready to hire. They’re questions about whether your brief reflects where the risk function actually sits today.<\/p>\n
<\/p>\n
The candidates who can govern AI systems, deliver on Tranche 2, and manage modern financial crime functions are active in the market.<\/p>\n
They’re not applying to your role.<\/p>\n
Not because of scarcity. Because the brief describes a function they’ve already moved past. They’re choosing roles where the mandate reflects the reality of the work, the flexibility reflects where the market has moved, and the organisation feels like a place worth the risk of joining.<\/p>\n
Your brief needs to describe where risk sits in 2026. Not where it was two years ago.<\/p>\n
If you’re planning senior risk hires and want a clear read on whether your brief is positioned for the current market, that conversation is worth having before the role goes live.<\/p>\n