Risk Management: understanding all risks – from the economic to the political – that could affect our global business, and offering guidance to all parts of the bank
Provide strong management and operational support to the Head Risk/Regional Head Risk in the management of the Bank’s Cyber and Information Technology and Security Risks. Provide oversight of the implementation of the Bank’s Information Technology and Cyber security programs and enforcement of the related policies, giving assurance of compliance with Cyber security and other Information Technology and Information Risk policies and requirements as a key enabler of the Bank’s business objectives.
- Develop and deploy the Cyber Security program and framework
- Ensure implementation of the cyber and information risk management strategy in line with the Bank’s strategy, frameworks and policies.
- Ensure that the Bank maintains a current enterprise-wide knowledge base of its users, devices, applications and their relationships, including but not limited to: Software and hardware asset inventory; Network maps (including boundaries, traffic and data flow); and Network utilization and performance data.
- Design cybersecurity controls with the consideration of users at all levels of the Bank, including internal (i.e. management and staff) and external users (i.e. contractors/consultants, business partners and service providers).
- Develop cyber-related training and awareness programmes to improve the technical proficiency of staff, including executives.
- Ensure that regular and comprehensive cyber risk assessments are conducted. Ensure that adequate processes are in place for monitoring IT systems to detect cybersecurity events and incidents in a timely manner.
- Report to senior management and appropriate governance committees at agreed intervals on the following:
  - Assessment of the confidentiality, integrity and availability of the information systems in the institution.
  - Detailed exceptions to the approved cybersecurity policies and procedures.
  - Assessment of the effectiveness of the approved cybersecurity program.
  - All material cybersecurity events that affected the institution during the period.
- Ensure timely update of the Cyber Incident Response Plans and Business Continuity Plan (BCP) based on the latest cyber threat intelligence gathered. Ensure the roles and responsibilities of managing cyber risks, including in emergency or crisis decision-making, are clearly defined, documented and communicated to relevant staff.
- Use scenario analysis to consider a material cyber-attack and the mitigating actions, and to identify potential control gaps.
- Ensure frequent data backups of critical IT systems (e.g. real time back up of changes made to critical data) are carried out to a separate storage location.
- Continuously test disaster recovery and Business Continuity Plans (BCP) arrangements to ensure that the institution can continue to function and meet its regulatory obligations in the event of an unforeseen attack through cyber-crime.
- Optimise the risk profile in the business units
- Ensure that information systems meet the needs of the Bank and the ICT strategy, in particular information system development strategies, comply with the overall business strategies, risk appetite and ICT risk management policies of the institution.
- Review all material planned changes in the business (strategy changes, product changes, segment changes, system changes and process changes) and provide a view of the potential risks that the changes may bring into the organization.
- Contribute and provide input to the business unit Management Committees, including the New Product Committee and other relevant executive committees (as required), and critically review all business cases for these changes.
- Review control measures that have been designed for changes and provide guidance to process and policy owners on improvements required prior to implementation.
- Engage and liaise with the Bank’s Financial Crime Control (GFCC) and Information Risk function as subject matter experts. Conduct reviews of Manco reports and minutes to ensure two-way completeness of key IT and Cyber risk issues (shared responsibility with functional area product line managers).
- Ensure reports reflect any key risks/issues highlighted in functional area reports.
- Conduct analysis of business impact and contribute to the formal process of driving risk acceptance for residual risk. For items where the residual risk is too high, prepare recommendations to decline the requested change and escalate to senior management for consideration. Ensure appropriate processes are in place to facilitate tracking of control remediation.
- Efficient and Effective Delivery in business unit
- Determine fit-for-purpose IT and Cyber Risk scenarios to drive capital anticipation in business units.
- Oversee development of IT risk and Cyber risk management plans with the business unit leadership in line with risk assessment results.
- Align monitoring activity with Internal Audit and compliance scope of reviews to ensure collaboration and to avoid duplication.
- Track to closure all action plans arising from risk assessments, ops risk reviews, internal and external audits and regulatory inspections to improve the IT and Cyber risks and control environment.
- Ensure IT and cyber risk incidents are captured on the bank's operational risk system.
- Review system reports that provide information on incidents logged.
- Conduct detailed analysis of recurring issues and perform root cause analysis.
- Manage change risks in the business units
- Aid in determining high risk and/or high impact projects/programs/initiatives within the line of business.
- Conduct high level assessments of IT and Cyber risks throughout the life-cycle of projects/programs/initiatives to ensure identified risks are appropriately mitigated prior to the projects/programs/initiatives going live. Deliver value-adding risk assessments and advice to IT and cyber risk strategic and other initiatives to ensure changes to the risk profile are properly quantified and mitigated/managed within agreed risk appetite.
- Organisational Health – Live the Risk function values
- Coordinate efforts with broader team members to minimize duplication of effort, maximise efficiency and value for money.
- Take accountability for the overall achievement of own goals in people matters, customer experience, financial performance, risk, compliance and governance.
- Analyse the effectiveness of cross-functional processes and systems in place in the area and identify areas for improvement.
- Agree and manage service levels with stakeholders.
- Compliance: Ensure implementation and adoption within the assigned portfolio of all Compliance, Anti-Money Laundering and Sanctions related requirements contained in policies, procedures and processes.
- This includes monitoring and identifying any material compliance-related breaches and escalating them to line management and the Compliance Office.
- Stakeholder Engagement: Build and maintain credible relationships with stakeholders, including Group IT, IT Security and Information Risk Management, Exco and senior management, internal and external audit, peers and industry forums.
Preferred Qualification and Experience
- First Degree
- Field of study: IT and Computer Sciences
- Other qualifications, certifications or professional memberships: Information security risk certification. Network risk acumen an added advantage. Risk Management qualification an added advantage.
- Risk Management Job Family: Banking operating systems, processes and controls. Experience: 5-7 years.
- At least five years of experience at middle/senior level management within Information Risk and IT security or assurance functions. Practical knowledge of risk and control frameworks and application in financial services industry. Be fully conversant in risk appetite, risk response and process improvement concepts.
- Technical competency 1 – Risk/Reward Thinking: The ability to provide due consideration to risks, rewards and the cost of control measures in evaluating business opportunities, process and system changes. Proficiency Level: SEASONED (applies concepts without requiring supervision; able to provide technical guidance when required).
- Technical competency 2 – Risk Identification: The examination of the essential elements of risk, such as assets, threats, vulnerabilities, safeguards, consequences and the likelihood of the threats materialising. Proficiency Level: ADVANCED (mastered the concept; able to act independently; provides guidance and training to others).
- Technical competency 3 – Risk Response Strategy: The ability to facilitate the creation and adoption of an appropriate risk response strategy and to assign ownership for the risk response. Proficiency Level: ADVANCED (mastered the concept; able to act independently; provides guidance and training to others).
- Technical competency 4 – Risk Measurement: The ability to define and analyse risk identification information in a quantitative and/or qualitative way. Proficiency Level: ADVANCED (mastered the concept; able to act independently; provides guidance and training to others).
- Technical competency 5 – Risk Reporting: The ability to prepare quantitative and qualitative analysis on the risk landscape in the business, including interpretation and analysis for use by business users. Proficiency Level: ADVANCED (mastered the concept; able to act independently; provides guidance and training to others).
- Technical competency 6 – Evaluating Risk Management Effectiveness: The ability to determine whether risk management and control measures are achieving the desired results and mitigating risks at the expected level. Proficiency Level: ADVANCED (mastered the concept; able to act independently; provides guidance and training to others).
- Technical competency 7 – Risk Acceptance: The ability to facilitate a formal acceptance process of reviewing and accepting residual risk, depending on the outcomes of risk identification and measurement. Proficiency Level: ADVANCED (mastered the concept; able to act independently; provides guidance and training to others).