Standard / Permanent
The Information and Communications Technology Risk department is part of the Group Risk Functions within BNP Paribas. It is a part of the 2nd line of defence under the Bank’s Chief Cyber & Technology Risk Officer. The department has responsibility for identification of key technology risks to the Bank and influencing business and technology partners to take sound risk management decisions. This is achieved by delivering:
- Application & Infrastructure Risk Assessments – working with the Business and Technology teams to identify security issues in existing and new systems, and agree corresponding actions to mitigate or accept risks. Tracking issues and agreed actions to completion.
- Horizontal Risk Assessments – assessing technology risks in relation to a particular theme or technology across the organisation. Examples could be assessments of the firewall change process, applications processing >$5m per day, applications hosted in the cloud, etc.
- Vertical Risk Assessments – assessing risks to a product, service, technology or infrastructure. For instance we may complete a vertical assessment on our remote working solution (including infrastructure, applications, data, threats etc.) or our Internet connectivity.
- Partnership to the Business and Technology teams in helping them understand their technology risk profile and influencing their risk management decisions.
The Global Operational Resilience & Crisis Management program within RISK ORC ICT is a critical component in ensuring the group’s ability to prevent disruptions to its critical services from occurring, continue to meet its objectives if a disruption or incident does occur, and return to normal operations once the disruption or crisis is resolved. This applies to Cyber, Technology, Supply chains, physical infrastructure and People.
Operational resilience management includes planning, integrating, testing and governing activities to ensure that the group can
• Identify and mitigate business and system disruption risks before they materialise
• Prepare for and respond to disruptive events (realised risks) in a manner that demonstrates command and control of incident response and crises, coordination and service continuity. Scenarios could include, but are not limited to, Cyber Security Incidents, Technology/Systems Outages, People or Process Failures.
• Recover and restore mission-critical services and operations following an incident within the agreed risk appetite levels
The above is achieved through main teams such as Detection (Cyber Fraud), IT Resiliency, Business Continuity Oversight and Crisis Management.
The position of Crisis Management Consultant will be part of the Operational Resilience & Crisis Management team and will be responsible for assisting with the management and execution of the bank’s crisis management function.
- Assist in setting a group-wide Crisis Management framework covering Technology Incidents, Cyber Crises as well as other traditional physical crisis scenarios (including: policy, standards, aide memoires, SOPs, playbooks, escalation protocols etc.)
- Provide subject matter expertise where required during response to global crisis events and coordinate engagement and response of crisis managers
- Regularly and proactively assess global events or potential incidents which may require the engagement of the bank’s crisis management program
- Develop and manage the testing of global crisis management teams in partnerships with regional stakeholders
- Establish and maintain relationships with appropriate partner response teams and business units
- Act as a subject matter expert on the use of crisis management tools and resources including rapid notification and impact assessment tools
- Own, track and report on crisis management metrics, issue and change management actions, and post incident documentation including process improvement initiatives
- Support the development and implementation process for validating effectiveness of the crisis management program.
- Monitor the regulatory environment to ensure the company adheres to any crisis management legislation.
- Build and establish networks and relations with other key internal stakeholders (i.e. Global Security Operations, HR, Facilities, Legal, and Internal Comms).
Risk Management Environment:
• Identification & assessment: Ensure that the identification and assessment of operational risks are effectively done across the organization by correlating input from Audit Findings, Internal Loss Data Collection & Analysis, External Data Collection & Analysis, Risk Control Self Assessments, Business Process Mapping, KPIs & KRIs, Scenario Analysis, Quantified Measurement & Comparative Analysis.
• Monitoring & Reporting: Implement a process to regularly monitor operational risk profiles and material exposure to losses, and provide appropriate reporting mechanisms to the board, senior management and the business lines. Data capture and operational risk reporting should be continuously enhanced and provide a feedback loop to enhance risk management policies, procedures and practices.
• Control & Mitigation: Improve the effectiveness of the Internal Controls programme by reviewing the control environment, risk assessment process, control activities, information and communication, and monitoring activities. Assess operational risk response strategies. Validate risk transfer options.
- Experience in crisis management or related field, preferably in the areas of Cyber and Technology domains.
- Must be able to interface and coordinate work efficiently and effectively with business partners
- Excellent communication and influencing skills, including ability to articulate complex issues and incorporate feedback
- Proficiency in crisis management best practices
- Good listening and analytical skills – being able to come to a thoughtful and business focused conclusion quickly;
- Demonstrating a calm professional approach, with a good understanding of delivery within time constraints and the need to escalate/inform departmental management as appropriate;
- Adapting personal approach to suit situations, individuals, groups and cultures. Is flexible in relation to getting the job done;
- Being rigorous and thorough – especially when logging and tracking issues through to conclusion;
- Ability to manage their workload so as to meet the realistic targets and priorities set in conjunction with management;
- Demonstrating a high-level of commitment and self-motivation, combined with enthusiasm and a genuine interest in the role of Risk Assessment in business;
- Ability to express views clearly and fluently, both orally and in writing. Considers the audience, avoiding technical jargon wherever necessary and appropriate.
- Works iteratively, delivering quickly and frequently to produce high quality documents and outputs which require little to no rework
- Has the proven ability to think outside of the box, challenge industry norms and adapt quickly to evolving requirements
- Is self-aware, anticipates problems, adapts and meets them head on.
- Strong stakeholder management, relationship building, influencing, facilitating and presenting skills
- Is solutions focused – measures their output on whether issues, problems or challenges are resolved as the criterion for success
- Professional qualifications relevant to Information Security and Business Continuity (such as a university degree, CISSP, MBCI, CBCP, CISM or CRISC)
- Consider the implications of your actions on colleagues, partners and clients before making decisions, and escalate issues to your manager when unsure.