Posted By

Dhinesh

Team Lead - Recruitment at Ramsol Pvt Ltd

Last Login: 22 September 2017

2130

JOB VIEWS

22

APPLICATIONS

2

RECRUITER ACTIONS

Posted in

IT & Systems

Job Code

336799

Lead/Manager/Senior Manager - IT Risk & Control - CISA Certified

7 - 15 Years, Chennai
Posted 7 years ago

Job Overview

The Lead Risk & Control role is responsible for and has oversight over Operational Risk management, control management and audit management across the Portfolio (i.e. multiple domains) that has been assigned to the role. This role is key and responsible for continuing improvements in the Portfolio (i.e. multiple domains) approach to risk identification and mitigation, control management and audit engagement within the framework set out by the relevant authorities.

This operations role ensures a constant state of preparation, readiness and continuous improvement across process, risk management and reduction, audit success, documentation, MIS systems and reporting.

Advise and assist the Technology Portfolio (i.e. multiple domains) Head in driving and directing effective compliance with the prescribed operational risk management framework

Implement effective and efficient controls to minimise / mitigate operational impact

Ensure proper management of risk and timely resolution of issues

Promote understanding, practice and culture of Operational Risk within the Portfolio i.e. multiple domains.

Key Responsibilities

Risk Reviews

Scope and plan thematic risk / control reviews aligning with the Portfolio's key objectives, Group Internal Audit themes and key risk areas (may include suppliers where appropriate)

Scope and plan risk / control reviews of significant new projects

Provide guidance to SRMs / RMs on execution of risk / control reviews

Monitor material actions and risks arising from the reviews (Unit forums/TeRF)

Provide support and guidance on control design to SRM / RM and Process Owner. Review proposed addition of or change in controls.

Review and agree changes and / or new Control indicators (KCI, KRI, KCSA, CST etc) with R&C - Function Head

Represent the Portfolio (i.e. multiple domains) as the Single Point of Contact (SPoC) on internal and external audits and Subject Matter Expert (SME) on the audit working practices

Ensure that the affected Portfolio i.e. multiple domains (and units within) are sufficiently prepared for upcoming audits

Review adequacy of management response to audit findings

Review progress and timely closure of audit findings

Share thematic risk & audit findings across Portfolio i.e. multiple domains and units.

Process Risk Analysis (PRA)

Initiate PRAs as needed to support efforts in reviewing process and control effectiveness and risk identification

Review and endorse outcomes of PRA and track material actions and risks that arise from it

Provide support and guidance on control design to SRM / RM and Process Owner. Review and approve proposed addition of or change in controls

Review and agree changes and / or new Control indicators (KCI, KRI, KCSA, CST etc) with R&C - Function Head

Risk Forums

Deliver all risk forums within the Portfolio (i.e. multiple domains) and operate within the approved Terms of Reference (ToR), including membership, agenda, frequency, etc.

Facilitation of and pack production for the Portfolio (i.e. multiple domains) risk forums. Provide challenge to ensure robust Risk Management practice

Provide governance support to the RM / SRM at the unit risk forums

Submission of risk and control related details to Technology Services Risk Forum (TeRF), within schedule and at the required quality. To be approved by R&C - Function Head

Management Information

Ensure that management (and any other stakeholder as required) is kept aware of the risk, control & audit profile of the Portfolio i.e. multiple domains through periodical reporting

Ensure that all management information is produced in line with the defined schedule and quality and should support management decision and action

Ensure integrity of source and the processing of data to deliver accurate representation in management information

Validation of Controls: (KCI, KRI, CST, KCSA)

Review trend analysis of exceptions and identify systemic failures

Identify material exceptions and escalate

Issue Management (records in Phoenix & Riskwise)

Review and endorse new and changed records (including treatment plans and risk ratings)

Oversight of completeness and integrity of data.

People Management

Manage both the Portfolio (i.e. multiple domains) operational delivery as well as people management (employee engagement, remuneration, development, etc) aspects of SRM / RM in the team

Change Management

Drive implementation and adoption of agreed initiatives across the Portfolio i.e. multiple domains including training, communication and awareness.

Key Relationships

Portfolio i.e. multiple domains Heads and Process Owners within and outside of the Portfolio i.e. multiple domains in the management of controls

Peer Risk & Control Portfolio Leads in other Portfolio (i.e. multiple domains) in managing cross multiple domains operational risks and sharing of best practices

2nd line (GTO Operational Risk and Risk & Control) for advice and guidance and steering with regards to group initiatives

Group Operational Risk (GOR) for interpretation and effective implementation of its Policy and Procedures

GTO Operational Risk Portfolio (i.e. multiple domains) in-country, GSSCs, WB Operations and CB Operations on relevant technology risk and controls

Legal & Compliance for interpretation of and consultations on regulatory requirements

Process Governance team for process and control metrics

Group Internal Audit and external auditors on audit and reviews.

Key Measurables

Effectiveness of the controls and monitoring of operational risks and controls at the Portfolio i.e. multiple domains operational level

Satisfactory results on audits undertaken by Group Internal Audit, FSA, regulators and external auditors

Timely reporting and escalation of all operational risk exposures and control failures

Timely communication of changes to Policies, control environment and regulatory environment from Legal & Compliance and GOR

Monitoring and adherence to timelines on Risk & Control or Group initiatives

Cross team collaboration and leadership skills - proactive engagement with stakeholders

Succession planning for Risk Manager & Risk Controllers roles.

Authorities

Free access to Portfolio i.e. multiple domains Head, Line Managers, peer Risk Controllers / Risk Managers and Process Governance team

Free access to all documents and records within the purview of the Portfolio i.e. multiple domains Head and for area of responsibility, with the exception of information governed by specific policies, e.g. Chinese Walls

Free access to all meetings under jurisdiction

Recommend and implement actions and solutions to mitigate operational risks and enhance compliance at the Portfolio (i.e. multiple domains) operational level.

Experience and Skills

10+ years of overall work experience

At least 5 years' experience in Operational Risk within technology

At least 10 years' experience in any (combination of) technology discipline

An in-depth understanding of controls required to manage Technology Risk and preferably experience with tools that have been used in the industry to do so

An understanding of Technology Infrastructure / Applications / Project Lifecycle and the associated controls required through project delivery to manage and mitigate risk

Knowledge of approaches, tools, techniques for recognising, anticipating, and resolving operational or process problems

Confident and self-motivated leader with experience in effectively negotiating with and influencing others in a matrix environment

Ability and confidence to operate across a wide range of seniority levels, Portfolio (i.e. multiple domains) operational divides, locations and businesses

Be able to create and tailor clear and concise verbal and written communications to different audiences, fluent written and spoken English language skills

Possess a proactive posture and be committed to continuous improvement

Good presentation skills

Demonstrable analytical thinking

Data analysis and reporting skills

A team player who enjoys working with people on all levels as well as being able to work independently and under pressure to meet tight deadlines.

The following skills are not prerequisites, but will be advantageous:

Practical experience in engaging / managing technology audit engagement or being a member of a technology audit team

Experience in implementing ITIL or COBIT

Organizational Change Management experience. Plan for and overcome the issues encountered with change, deliver sustainable change

Project management experience / background, ideally with distributed teams

Experience in any other risk management discipline (Credit, Market, etc.)

Experience working in the financial institution industry

Qualifications

Tertiary qualifications in IT, Business Administration or Commerce

ITIL Foundation certified

Certification in CRISC (Certified in Risk and Information Systems Control certification), Certification in CISA (Certified Information System Auditor) or any other related qualification would be beneficial

Any COBIT related certification would be beneficial
