ThirdEye blog

The modern CRO: how risk leadership is evolving beyond compliance

Senior Risk Executive, Bob Liang, has seen financial crime from multiple angles: corporate regulator, payments lawyer, and leader at global and domestic fintechs. When he talks about what keeps him in the role, it’s not the regulations or the risk matrices. It’s the people.

“It’s the fact that we’re working in a very values-driven, hungry team who are breaking APIs and code, but at the same time really committed to this shared vision of making sure payments can be accessible for a whole range of diverse end users.”

In a recent conversation with Hamish Shaw, General Manager of ThirdEye, Liang shared how the Chief Risk Officer (CRO) role has fundamentally shifted. Risk leadership in financial services is no longer purely protective. It’s strategic. It’s commercial. And it demands a different kind of leader.

The pressures are stacking up

CROs are navigating threats from every direction. Cyber attacks grow more sophisticated. Geopolitical tensions create new sanctions considerations and PEP complications. In Australia, Tranche 2 AML reforms will bring 90,000 new entities into the compliance framework.

“The key regulators in the space have high expectations of what they’re looking for in the industry participants,” Liang says. “Regulatory horizon scanning, being able to be proactive rather than reactive in this space”, has become essential.

The bigger shift, though, is internal. That meticulous, process-driven mindset that builds great compliance careers? It can hold CROs back at the executive level.

“Once you step into the CRO role, you need to be thinking more like a business manager, to manage business strategy and growth,” Liang explains. “Understanding risk appetites, risk matrices, controls and the various processes that help protect the business can actually be tailored and streamlined, be fit for purpose so that we’re able to grow in a compliant fashion.”

Risk as an enabler, not an obstacle

“I’ve always reminded my team that risk is an enabler, risk is not an obstacle, or simply a protection mechanism for the business. Effective risk for CROs is being aligned with your CEO and the executive team, and … let’s take the risk reward matrix and flip it to prioritise reward. How do we find solutions to make things work?”

This means building genuine partnerships with regulators, with technology vendors, and with peers across the industry.

On regulator relationships, Liang draws from his time at ASIC: transparency pays dividends. “Even in working in some of the more high-risk businesses where the regulators probably know that there are a few items within your shop that can benefit from extra attention, they really do view you with greater credibility when you’re able to be forthright.”

It’s not about managing perceptions. It’s about recognising that everyone benefits from a more resilient payments system.

AI: opportunity and threat

Liang sees real potential in AI: real-time payments screening, machine learning for transaction monitoring at scale, streamlined compliance processes. The efficiency gains are tangible.

But the risks are just as real. “AI, whilst it presents a lot of opportunities and hopefully help things become more efficient and streamlined, it can also be taken up by the other side, by bad actors.”

His conclusion? Automation enhances human capability; it doesn’t replace it. “You’re still going to need that human intervention. You’re still going to need your team and to train your team well so they can recognise the red flags or see when things aren’t matching up from a patterns perspective.”

The skills that set CROs apart

Liang’s advice for aspiring CROs emphasises self-awareness rather than technical expertise.

“There are certain skills that compliance professionals, as they move up the ladder, become more embedded in terms of how they think through things. Whether that’s being wedded to the process, being more conservative, looking at the downside, or being very highly detailed. And it’s kind of ironic where when you have that seat at the table as a senior risk and compliance professional, that these things can become your blind spots if you’re not careful.”

His recommendations: develop coping mechanisms for pressure. Build relationships across the organisation. Show genuine care for your team. And don’t underestimate the power of being human.

“Having a sense of humour or at least humanness… where you’re able to show that you care, that you’re invested in the success and the growth of your team and the business, the more that you’re able to build friends and align stakeholders across the table.”

What makes it worthwhile

When asked about a defining moment, Liang describes migrating one of the Asia Pacific business’s largest card programmes when he was at a two billion dollar global payments unicorn, helping 3,500 merchants and issuing 110,000 Visa cards, while working across five time zones with cross-functional teams.

“That’s what makes you really proud of your team and what you do every day.”

Behind every framework and process, risk management is about enabling organisations to serve their customers safely. In an industry built on trust, that’s not just good compliance, it’s good business.
