Gladwin International & Company

Our firm

India's Premier AI-Driven Executive Search Firm

14 years of C-suite advisory excellence. A proprietary network of over 50,000 senior executives. And India's only 12-month candidate guarantee.

Learn our story

Gladwin International · Research & Insights
India Perspective · Banking Financial Services · CRO · Risk Management · RBI

India's Risk Leadership Imperative: The CRO's Role in an Era of Regulatory Intensity and Cyber Threats

India's banks, NBFCs and insurers face an unprecedented convergence of regulatory demands and cyber risk. The Chief Risk Officer has never mattered more.

Gladwin International & Company, Research & Insights Division
18 February 2025 · 11 min read

In the twelve months between April 2023 and March 2024, the Reserve Bank of India issued more than forty regulatory circulars, guidance notes, and enforcement actions directed at banks, non-banking financial companies, and payment system operators. The subjects ranged from digital lending norms and credit card pricing restrictions to IT governance frameworks, data localisation requirements, and climate risk disclosures. For India's Chief Risk Officers, the regulatory environment is no longer a background condition to be managed — it is a primary strategic variable that shapes capital allocation, product design, technology investment, and board governance.

Simultaneously, India's financial sector faces a cyber threat landscape that has escalated dramatically. The Indian Computer Emergency Response Team (CERT-In) reported over 1.3 million cybersecurity incidents in 2023 — a figure that includes attacks on critical financial infrastructure. The SWIFT messaging system, which underpins interbank settlements, has been targeted by sophisticated nation-state actors. UPI, which now processes billions of transactions monthly, is a target of both technical attacks and social engineering fraud at unprecedented scale. And the explosion of digital lending — with hundreds of NBFCs and fintech companies operating mobile applications that collect sensitive financial and personal data — has created an attack surface that India's financial system has never previously had to defend.

The Regulatory Intensity: RBI's Evolving Posture

The Reserve Bank of India under Governor Shaktikanta Das, and continuing under his successor, has adopted a posture of pre-emptive regulatory intervention that represents a significant departure from the historically reactive approach of Indian banking regulation. The corrective action against Paytm Payments Bank in early 2024 — a sweeping intervention that effectively shut down its banking operations — sent an unambiguous signal to India's financial sector: compliance failures will not be accommodated.

This posture is reflected in the RBI's approach to digital lending, where the 2022 guidelines and their subsequent refinements have imposed detailed requirements on loan origination, interest rate disclosure, recovery practices, and data sharing with borrowers. It is reflected in the Master Direction on Information Technology Governance, which imposes detailed requirements on board oversight of technology risk, cyber security incident reporting, and IT audit. And it is reflected in the recently issued guidelines on climate-related financial risk, which require banks to begin assessing and disclosing their exposure to physical and transition risks from climate change.

For the Chief Risk Officer, each of these regulatory developments has both a compliance dimension and a strategic dimension. The compliance dimension — ensuring that the institution meets the specific requirements of each circular — is necessary but increasingly insufficient as a definition of the CRO's role. The strategic dimension — advising the board and the CEO on how regulatory developments should shape product strategy, capital allocation, and business model choices — is where the best Indian CROs are distinguishing themselves.

SEBI's Risk Governance Expectations

While RBI's regulatory intensity primarily affects banks, NBFCs, and payment companies, SEBI's evolving expectations around risk governance have significant implications for listed companies and market intermediaries. SEBI's 2023 and 2024 circulars on corporate governance, related-party transactions, and risk management committee composition have raised the bar for risk governance across India's listed corporate sector.

SEBI now requires listed companies above a certain threshold to constitute a Risk Management Committee at the board level, with defined responsibilities for overseeing the company's enterprise risk management framework. This requirement has elevated the CRO's interface with the board — in many companies, the CRO now presents directly to the Risk Management Committee quarterly, a level of board visibility that was uncommon five years ago.

The committee structure also changes the internal politics of risk management. When the Risk Management Committee has independent directors with relevant experience — and SEBI's nominee director guidelines are pushing in this direction — the CRO has a natural ally in advocating for adequate risk management resources and a natural constraint on business unit leaders who would otherwise pressure the CRO to approve transactions that the risk framework would normally disallow.

Cyber Risk: From IT Problem to Board Issue

India's financial sector cyber risk landscape has undergone a qualitative shift in the past three years. The attacks that dominated the threat landscape five years ago were primarily opportunistic — phishing emails, ransomware campaigns, and credential theft. Today's threat actors include sophisticated organised crime groups with specific knowledge of Indian banking systems, as well as nation-state actors for whom disruption of India's financial infrastructure is a strategic objective.

The CERT-In mandatory incident reporting requirement — introduced in 2022, requiring entities to report cybersecurity incidents within six hours — has both increased the RBI's visibility into the cyber threat landscape and imposed new compliance obligations on CROs. The six-hour reporting window is genuinely demanding: it requires that the CRO have incident detection capabilities good enough to identify significant breaches quickly, incident response protocols that allow a coherent picture to be assembled rapidly, and communication infrastructure that allows regulatory notification to happen while the incident response is still active.

HDFC Bank, ICICI Bank, and Axis Bank — India's largest private sector banks — have invested significantly in cyber risk infrastructure, including dedicated cyber risk functions within the risk management organisation, 24/7 security operations centres, and active participation in information-sharing frameworks like the Financial Services Information Sharing and Analysis Center (FS-ISAC). Smaller banks and NBFCs have much more limited cyber risk infrastructure, and the RBI's guidelines increasingly recognise this gap.

The CRO's Dual Mandate: Risk Guardian and Growth Enabler

The most sophisticated Indian Chief Risk Officers have moved beyond the traditional framing of risk management as a brake on growth. They have embraced what might be called the dual mandate: to protect the institution from existential risks while enabling the risk-taking that creates shareholder value. This framing — articulated clearly in the risk appetite frameworks of India's better-managed banks — positions the CRO not as the person who says no, but as the person who helps the board understand the risk-return trade-off of every significant decision.

This dual mandate is particularly evident in India's rapidly evolving lending landscape. The rise of digital lending — enabled by account aggregators, credit bureau data, and alternative data sources like GST filings and UPI transaction history — has created the possibility of extending credit to segments of the population that formal banking historically excluded. The CRO's role in digital lending innovation is to develop the risk models that allow the institution to lend at acceptable risk levels to these new segments — not to prevent the extension of credit, but to ensure that the credit decision is grounded in data rather than intuition.

"The best CROs I have worked with have two qualities in equal measure: absolute intolerance for governance failure, and genuine curiosity about how the business can take more risk intelligently. The combination is rare and invaluable." — Chairman, Risk Management Committee, a leading Indian private sector bank.

The Talent Dimension: India's CRO Pipeline

India's financial sector faces a significant challenge in building the next generation of Chief Risk Officers. The traditional CRO development path — credit risk through the banking system, market risk through treasury operations, and operational risk through internal audit — produces risk professionals with deep functional expertise but limited strategic breadth. The CRO of 2025 must also understand cyber risk, technology risk, climate risk, and model risk — domains that were not part of the traditional risk management curriculum.

At Gladwin International, our financial services risk practice has observed a significant shift in the profiles that boards and risk management committees are requesting. Five years ago, a strong credit risk background combined with regulatory fluency was sufficient for most CRO mandates. Today, we consistently receive mandates that specify requirements for technology risk literacy, data science familiarity, and the communication skills to present complex risk assessments to a board of directors that includes independent directors with limited financial services expertise.

The supply of executives who genuinely combine these capabilities is limited. India has excellent credit risk professionals developed through SBI, HDFC Bank, ICICI Bank, and the RBI itself. It has strong operational risk professionals developed through the major private sector banks and the Big Four consulting firms. But the intersection — credit risk depth, technology risk literacy, regulatory fluency, and board-level communication capability — is rare, and the competition for these individuals is intense.

Building this pipeline requires deliberate investment from India's financial institutions — in structured rotation programmes that expose risk professionals to credit, market, operational, and technology risk in sequence; in executive education programmes that build the strategic and communication capabilities that technical risk training does not provide; and in a willingness to consider CRO candidates from adjacent sectors — consulting, fintech, and insurance — who bring complementary capabilities to the traditional banking background. The institutions that make this investment will have a structural advantage in an environment where risk management capability is increasingly a determinant of regulatory standing, investor confidence, and ultimately competitive position.

Key Takeaways

  1. RBI's pre-emptive regulatory posture — exemplified by the Paytm Payments Bank action — has elevated the CRO's strategic importance across India's entire financial services sector.
  2. SEBI's Risk Management Committee requirements have given Chief Risk Officers board-level visibility and institutional support that was uncommon five years ago.
  3. Cyber risk has shifted from an IT operational concern to a board-level strategic issue, requiring CROs to lead incident response and regulatory reporting under six-hour timelines.
  4. The best Indian CROs operate with a dual mandate — risk guardian and growth enabler — positioning risk management as a source of competitive advantage rather than a constraint.
  5. India's CRO talent pipeline faces structural gaps in technology risk literacy and board communication capability that require deliberate investment to address.
Tags: CRO, Risk Management, RBI, SEBI, Cyber Risk, Banking, India Financial Services

About This Research

This analysis is produced by the Gladwin International Research & Insights Division, drawing on our proprietary executive talent database, over 14 years of senior placement experience, and ongoing conversations with C-suite executives, board members, and investors across India's major industries.

Gladwin International Leadership Advisors is India's premier executive search and leadership advisory firm, with deep expertise across 20 industries and 16 functional specialisations. We have placed 500+ senior executives in mandates ranging from CEO and board director to functional heads at India's leading corporations, PE-backed businesses, and Global Capability Centres.
