ISO standards declare risk management as integral to all corporate activities and suggest it should be comprehensive and integrated. Indeed, more organizations are talking about risk in this way, but when it comes to hiring for risk-focused roles, the hard skills listed in job postings are anything but comprehensive: accounting, audit and finance remain the dominant disciplines. Risk management professional Adley John Fisher suggests that until the hiring market catches up, risk will remain siloed.
If risk management is to be integrated, as suggested by ISO standards, it cannot exist in isolation — organizationally, cognitively or professionally. This raises a fundamental question: Do current hiring practices reflect this principle, or have they continued to reinforce silos despite the language of enterprise risk management (ERM) and integrated governance?
Over the past two decades, risk management has clearly evolved beyond its original concentration on insurance and financial loss. Today it spans operational resilience, cybersecurity, third‑party dependencies, ESG, climate transition risk, supply chains, AI governance and strategic decision‑making. In theory, this evolution requires interdisciplinary expertise and deep operational understanding across domains. The core issue, however, is whether global hiring behavior has intellectually and operationally caught up with this reality.
The persistent financial lens on risk
There remains a largely unspoken but widespread assumption in corporate environments that risk management is fundamentally a financial or accounting discipline. While risk management certainly protects financial interests, ISO 31000 explicitly defines risk as the effect of uncertainty on objectives, not merely on financial statements. The COSO enterprise risk management framework similarly frames risk as a strategic, enterprise‑wide concept, rather than a narrow financial control exercise.
In practice, though, the hiring market tells a different story.
Across a range of global job postings I’ve observed for risk management roles (including enterprise risk, operational risk, risk and compliance and GRC), accounting, audit and finance backgrounds remain preferred, with CPA, CIA, CFA or equivalent accounting credentials commonly listed as qualifications even for enterprise‑wide operational risk roles. This applies even to roles explicitly framed as non‑financial or strategic.
This preference reflects how many organizations operationalize risk governance rather than a formal exclusion of non‑financial expertise. ISO 31000 appears far less frequently in role requirements than accounting‑derived frameworks such as SOX, IFRS, Basel or COSO, despite its explicit design as a cross‑sector, non‑financial risk standard and its widespread international recognition. This suggests that while the language has changed, hiring cognition has not.
Audit and risk management: conceptually related, practically collapsed
Audit is undeniably part of the broader risk governance ecosystem. ISO 31000 acknowledges assurance activities as a supporting mechanism to risk management, not as risk management itself. Audit, by design, is independent, retrospective and evidentiary, whereas risk management is embedded, forward‑looking and decision‑facilitating.
Yet in hiring practice, this distinction is frequently lost.
Audit firms, particularly large and mid‑tier professional services firms, almost exclusively hire auditors with ACCA, ACA or equivalent accounting qualifications. This is understandable from a regulatory and liability perspective: Audit opinions are licensed products, and accounting bodies create legally defensible credentialing pipelines.
The problem arises when this audit hiring model is silently extended to risk management roles, a pattern repeatedly observed in enterprise risk recruitment and acknowledged by risk practitioners themselves.
Many organizations (including banks, insurers, listed companies and even technology firms) fill risk management positions primarily with former auditors, finance controllers or accounting professionals transitioning laterally.
This pattern is consistently observed in risk recruitment analyses, which show that the dominant feeder pool for risk roles remains audit and accounting, even as risk portfolios expand into cyber, ESG and operational resilience.
What is missing from the hiring market
If risk management were genuinely treated as integrated and enterprise‑wide, hiring requirements would routinely include:
- Engineers (for infrastructure, operational, safety and systems risk)
- IT and cybersecurity specialists
- Sustainability and climate professionals
- Supply chain and logistics experts
- Certified risk professionals trained explicitly in ISO 31000 or ERM frameworks
Such profiles are rare exceptions rather than the norm, particularly for senior risk roles. Even when domain specialists are hired, they are often subordinated to finance‑led risk teams rather than integrated as equal contributors to risk identification and treatment. This creates a paradox: Risk management is declared enterprise‑wide, but its professional gatekeeping remains finance‑centric.
This disconnect is not accidental.
First, risk management lacks a protected professional boundary. Unlike accounting or law, risk management has no universally mandated license, allowing organizations to default to familiar credentials.
Second, corporate governance structures frequently anchor risk to CFO functions or audit committees, reinforcing the perception that risk is primarily a financial control issue rather than a strategic capability.
Third, audit education (even for certifications, such as CIA) remains heavily aligned with accounting‑based standards and financial assurance methodologies, further entrenching the financial lens through which risk is viewed.
A more integrated but undeveloped alternative
This does not mean accounting and finance professionals should be excluded from risk management. On the contrary, they are essential contributors. The issue is exclusivity, not inclusion.
A more robust risk function would:
- Pair accounting and audit professionals with engineers, technologists, sustainability experts and domain specialists.
- Treat ISO 31000 and ERM competence as core, not supplementary.
- Distinguish clearly between assurance (audit) and risk facilitation (management) in both role design and hiring.
Such a model aligns far more closely with how modern risks materialize and how major failures consistently occur outside purely financial controls.
Conclusion
Risk management in principle has moved decisively beyond insurance and finance. In practice, its hiring market has not fully followed. Many organizations still operationally collapse risk management into accounting and audit thinking, resulting in functions that are technically compliant but strategically brittle.
This approach is not wrong per se, but it is incomplete. It prioritizes familiarity over fitness and assurance over understanding. Until hiring practices reflect the interdisciplinary, integrated nature promised by ISO 31000, risk management will remain structurally siloed, regardless of how often integration is proclaimed.


Adley John Fisher is a risk management professional with experience in enterprise and operational risk across complex organizations. He has advised audit and risk committees on enterprise risk management frameworks and writes on how organizational structures shape risk visibility and decision‑making. He is the author of the risk culture management framework (RCMF), a practitioner model exploring the implementation gap in organizational risk culture.