Manager, Operational Risk - Information Risk, Technology and Cyber risks and Business Resilience at Standard Bank Group

Job Details

Risk Management: understanding all risks – from the economic to the political – that could affect our global business, and offering guidance
to all parts of the bank

Job Purpose

To support the Head of Integrated Operational Risk in the effective and proactive management of Information Risk, Technology and Cyber risks and Business Resilience within the Bank aligned to the business strategy, operating model and Group Risk management policies.
This includes partnership with Business functions, Information Technology, Corporate Functions and Risk stakeholders to ensure that the processes for identifying, measuring, controlling and reporting of Information risk, Technology and cyber risks and Business Resilience is aligned to the Group risk framework.

The provision, management and implementation of Information Risk, Technology and Cyber risks and Business Resilience management requirements across the Bank.
Acting as a trusted business partner who equips the business with the mechanisms to identify, mitigate and treat information, technology, cyber and business continuity risks.

Key Responsibilities/Accountabilities

Key Information Risk, Technology and Cyber risks management Responsibilities

• To pro-actively manage information risks/threats to the business in line with the requirements of the Information Security Standard - ISO 27002, Central Bank Prudential requirements and Standard Bank Group information risk objectives.
• Provide information and cyber risk subject matter expertise on the features and capabilities of the bank’s technology platforms and explore creative ways to address these risks based on new needs
• Delivers information risk assessments and guide on the appropriate risk control strategies, whilst aligning information risk strategies with business objectives.
• Manage the development, provisioning and successful execution of a proportionate information risk treatment program (e.g. mitigate, accept, transfer and avoid), as the
• Bank transforms to digital platforms
• Develop and maintain strong business and centre of excellence relationships, becoming a trusted partner, as well as building relationships with corporate functions such as
• Internal Audit, Compliance, Information Security, Information Technology, Corporate and Investment Banking, Wealth and Personal and Business Banking.
• Coordinate information and cyber risk self-assessment, risk assessment analysis, rating and provides control recommendations using the established Information Risk Management framework.
• Manage the engagement process of information risk assessments and acts as a liaison with centres of excellence to deliver value to the business
• Advices business personnel regarding the value and methods of safeguarding information.
• Provide a holistic view of the risks through comprehensive reporting to the bank’s information assets introduced by personnel, processes, technology and external events.
• Supports the ongoing knowledge management and formalization of the risks and threats the bank faces and how we choose to manage them through risk management reporting guidance.
• Manages risks to banks information assets and assists businesses by specifying adequacy of control(s) required and validating the effectiveness of controls implemented in conjunction with business risk appetite.
• Manage and track information risk control efforts and escalation to Head, Operational Risk where inadequate mitigation is evident.
• Creates risk metrics and reports for tabling at risk governance committees at required frequencies including but not limited to Risk Management Committee and Board Risk Committee, the right management structures and drive remediation of said risks.
• Effectively communicates with stakeholders to ensure support and commitment for the information risk and cyber security risk management program and to prioritize control initiatives and spending based on appropriate risk management.
• Coordinate incident response planning and investigation of information risk, cyber security and technology related breaches, and where necessary support disciplinary and legal processes arising from such breaches
• Initiate, facilitate and promote activities to create information risk awareness within the organization, including awareness of information risk related regulatory issues that have a potential impact to the environment in alignment with group wide awareness activities.
• Coordinate and serve as a facilitator and liaison between the Head, Integrated Operational Risk, Business lines, Embedded Information Risk and Information Risk Office for the successful remediation of information, technology and cyber risks.
• Establish cooperative dialogue between Business, Embedded Information Risk, Group Financial Crime Control, Information Risk Office and IT Security by visible and consistent action in monthly meetings.
• Promote a fit for purpose approach to adopting information risk best practices within business units.
• Promote compliance to information risk governance standards and policies.
• Manage, and develop business personnel knowledge to ensure better information protection and management across with the assistance of information risk practitioners through awareness, training and workshops.
• Acts as liaison between Business and various Governance, Control & Risk offices within the bank to create and maintain reporting, problem resolution, and other tasks necessary to continuous improvement and evolution of services.
• Provide assurance on the management of relationship with vendors and suppliers to ensure full information risk value of the contracts entered is realised to the Bank.
• Review and provide advice on existing innovation related standards, digital products and rollout of the same as relates to the information risk and technology risk associated with these activities.
• Participate in industry education and networking events, maintain relationships with external community and encourages continuous benchmarking of the Bank information risk, technology risk and cyber risk management against good practices and industry practice
• Proactive identification of key themes / initiatives / products and their potential risks across business unit and advising on improved management and mitigation of risks.

Key Business Resilience Responsibilities/Accountabilities

• BCM Capability lifecycle management that includes:
• BCM Governance – Policy Enforcement and Programme Administration
• Business Impact Assessment & Risk Assessment - Analysis
• Business Continuity Strategy - Design
• Business Continuity Planning – Implementation
• Pro-actively manage business continuity risks/threats to the business in line with Central Bank of Kenya Prudential guidelines, Standard Bank Group requirements and requirements of the Business Continuity Standard - ISO 22301.
• Support and assist business entities in defining suitable and cost-effective recovery strategies/plans in accordance with policies, standards and framework best suited to their environment and aligned to the culture, complexity and risk appetite.
• Works with Business Continuity stakeholders/ representatives in business to conduct, document and sign off Business Impact Analysis in-line with business resilience standards.
• Assist the business with Business Continuity readiness by conducting Desktop Work- through Exercises with them.
• Create staff education and awareness training to promote BCM awareness and culture using mechanism such as intranet, E-Learning, Emails, Presentations, periodic workshops and Email communications.
• Coordinate the establishment and implementation of work area recovery site plan, document, maintain, rehearse and conduct recovery strategies exercises at WAR sites.
• Ensure third party recovery plans are validated in accordance to our recovery priority agreement.
• Manage and conduct business resilience exercises designed to ensure that all business functions and crisis teams are regularly tested in accordance to their criticality, capabilities and risk profile.
• Ensure BCM and IT DR are aligned with business risk appetite and recovery priorities, documented, tested and reported to create business awareness.
• Manage, train and administers the appropriate BCM tools ensuring they are up to date, functional and fit for purpose
• Promote, manage and implement business continuity program of work ensuring compliance with regulatory requirements.
• Provide monthly dashboard and Program of Work update report.
• Ensuring that the following business documents are up to date and ready for execution to recover their, people, business process, technology and facilities in the event of an emergency, crisis or disaster:
• Epidemic and Pandemic plan
• Emergency Management/Site Plan
• Crisis Management Plan (Including One-Pager)
• Business Recovery Plan (including a recovery priority list for both business and IT)
• Elections Readiness Plan
• Working with the Bank’s physical security office, keep abreast with developments worldwide that may impact business, by reading newspapers, internet news sites, TV, radio etc. Action should be taken to report/communicate to staff, on strikes, threats and possible disruption to the business via email, BulkSMS etc. (communication must be signed off by relevant authority).
• Ensure wardens and first aider training is conducted for assigned staff.
• Schedule and conduct call tree exercise in accordance with BCM standards and regulatory requirements.
• Attend BCM related training workshops and provide thought manager-ship on BCM related matters.
• Monitor, promote and maintain an understanding of current/future business continuity trends and threats.
• Coordinate Evacuation Exercise in accordance to BCM standards:
• Coordinate in-line with evacuation checklist (pre, during and post evacuation)
• Coordinate with premises, physical security and OHS teams:
• Briefing and de-briefing sessions
• Compile and distribute internal communications
• Facilitate exemptions process
• Publishing of final report and distribution to all stakeholders

Preferred Qualification and Experience

• Undergraduate degree in Information Technology, Computer Science/Engineering
• At least one professional information security qualification: CRISC, CISM, CISA, CISSP or any other technology risk/security
  related certifications
• Proven experienced with ISMS and similar related standards as well as cyber security technologies
  Good report writing, presentation and communication skills.
• 5 years work experience

Knowledge/Technical Skills/Expertise

Skills and knowledge

• A relevant tertiary qualification (an operational risk management qualification would be an advantage);
• Working knowledge of transaction processes relevant to products and services offered to customers e.g. within the corporate and investment banking and /or retail banking space;
• Practical knowledge of how to input, access and utilise information from the network/systems to analyse and forecast trends;
• A working knowledge of the banking operating systems and controls.
• Problem solving
  
  • The ability to identify and understand the business needs and strategies and then to interpret and convert these into Information risk and business resilience strategies;
  • The need to identify the long term operational needs to support the business effort;
  • The job requires the incumbent to be able to handle authority expediently, be orientated towards immediate accomplishments and to be a firm decision-maker;
  • Has a practical comprehension of the impact of the service provided and relationship to staff and customer;
  • Has a sound recall of processes and previous experience in order to assist with problems raised.
• Planning
  
  • The ability to meet tight deadlines;
  • Required to interpret, analyse, evaluate and formulate plans based on information from a number of sources including Information Risk and Business Resilience standards
  • Take a short to medium term perspective with regard to business planning;
  • Build in the provision for adjustment in planning and ensures plans are practical and in line with business objectives.
• Decision making
  
  • The job requires the incumbent to be able to handle authority expediently, be orientated towards immediate accomplishments and to be a firm decision-maker;
  • Consider all the facts, options and possible outcomes prior to making decisions;
  • Quick to act upon potential opportunities and take the initiative within limits of authority.

KEY PERFORMANCE MEASURES

• Embedding of Information Risk, Technology and Cyber risks Framework within Integrated Operational Risk.
• Leadership over Information Risk, Technology and Cyber risks Risk & Control Self Assessments (RCSAs), and follow up of closure of control gaps identified;
• Appropriate Key Risk Indicators documented, tracked and monitored;
• Information Risk and Business Resilience Program of Work undertaken within set timelines, and achieving desired objectives
• Business Continuity Management (BCM) updated and tested and fully compliant to Bank and regulatory requirements as contained in the Central bank Prudential guidelines;
• Satisfactory Information Risk, Technology and Cyber risks and Business Resilience audit reports.
• Satisfied customers as measured by internal feedback surveys.