The bank for a changing world

We are looking for a

Risk ICT Advisor - IT & Cyber Consultants

Contract type

Standard / Permanent

Business area / function

Apply (REF: 1806RSK0727)

BNP Paribas is a leading European bank with an international reach. It has a presence in 73 countries, with more than 192,000 employees – including more than 146,000 in Europe and over 4,000 in Portugal alone.

BNP Paribas has been present in Portugal since 1985, having been one of the first foreign banks to operate in the country. Today, BNP Paribas has several entities operating directly in this territory, offering a wide range of integrated financial solutions to support its clients and their businesses.


Worldwide, the Group has key positions in its three main activities: Domestic Markets and International Financial Services (whose retail-banking networks and financial services are covered by Retail Banking & Services) and Corporate & Institutional Banking, which serves two client franchises: corporate clients and institutional investors. The Group helps all its clients (individuals, community associations, entrepreneurs, SMEs, corporate and institutional clients) to realise their projects through solutions spanning financing, investment, savings and protection insurance.


The Risk Assessment and Advisory (RAA) department, under the Group Cyber & Technology Risk Officer, who in turn reports to the Group Chief Risk Officer (CRO), is part of the Group Risk Functions within BNP Paribas and acts as a 2nd Line of Defence (LoD). With a multidisciplinary team (e.g. management, compliance, IT) integrated in the RISK ICT Global Lisbon CoE, this department is responsible for identifying key technology risks and for influencing business and technology partners to take sound risk management decisions at Group level.


This is achieved by delivering:

  • Application & Infrastructure Risk Assessments working with the Business and Technology teams to identify security issues in existing and new systems, and agree corresponding actions to mitigate or accept risks
  • Tracking issues and agreed actions to completion
  • Horizontal Risk Assessments: Assessing technology risks in relation to a particular theme/domain or technology across the organization
  • Vertical Risk Assessments: Assessing risks to a product, service, technology, infrastructure or business cycle. For instance, we may complete a vertical assessment of a whole stack (including infrastructure, applications, data, threats, etc.) or of a specific element (such as Internet connectivity)
  • Partnership to the Business and Technology teams in helping them understand their technology risk profile and influencing/advising their risk management decisions
  • Recurrent analysis of the maturity of controls across all entities of the Group



Involved in running and improving the development and implementation of the worldwide ICT risk assessment program, the Risk ICT Advisor will have a proven track record of developing and implementing risk assessment programs in global organizations, with robust knowledge of technology, risks, architectures and related tools. Prior ICT risk experience (IT, Cyber, Vendors, etc.) is required.

The Risk ICT Advisor will develop, use and communicate the risk assessment engagement models to ensure that ICT risk considerations are accounted for in all of the bank’s operations at Group level.

Moreover, the Risk ICT Advisor will be responsible for the Risk Management environment, namely:

  • Identification and assessment of operational risks, performed effectively across the organization by correlating inputs from Audit Findings, Internal Loss Data Collection & Analysis, External Data Collection & Analysis, Risk Control Self Assessments, Business Process Mapping, KPIs & KRIs, Scenario Analysis, Quantified Measurement & Comparative Analysis
  • Participate in the implementation of a process to regularly monitor operational risk profiles and material exposure to losses, and provide appropriate reporting mechanisms to the board, senior management and the business lines at Group level. Data capture and operational risk reporting should be continuously enhanced and provide a feedback loop to improve risk management policies, procedures and practices
  • Improve the effectiveness of the Internal Controls program by reviewing the control environment; assess risks in processes, control activities, information and communication and monitoring activities.
  • Provide updates on regulatory and financial disclosure while complying with external and regulatory communications standards and disclosing the operational risk management framework of the bank in a manner that complies with the formal disclosure policy approved by the board of directors
  • Participate in the establishment of the IT & Cyber Risk Assessment Program for the Group within the three lines of defence model in alignment with the Group Risk Management Framework
  • Participate in the effective implementation and communication of Operational Risk Management policies and guidelines
  • Provide support to other teams with respect to management of security and technology risks of core systems and applications
  • Participate in overseeing the Operational Risk Management infrastructure and ensure practices are consistent with regulatory expectations and industry sound practices
  • Provide IT & Cyber Risk Management consulting to the business, technical and operations groups, assess operational risk and advise on response strategies and measures
  • Participate in appropriate Risk Management governance committees and arrange agendas as appropriate
  • Participate in the GRM’s oversight model for the IT and Operations Transformation projects, including the review of major outsourcing partners and vendors


  • Master’s degree in ICT domains (or equivalent)
  • Minimum experience of 3 years in security and technology assessments and ICT risk analysis
  • Experience in Financial Services industry
  • Experience in Information Security, namely in Risk Assessment, Third Party and technology assessments, Change Management
  • Experience in GRC tools and other Risk Management Information Systems is a plus
  • Experienced and/or certified in the international reference frameworks (such as COBIT, COSO, ITIL, PRINCE2, PMI, etc.) and/or relevant knowledge of the main ICT security and control cycles (such as change management, incident management, development, continuity, operations management, etc.)
  • Professional qualification relevant to Information Security (such as a university degree, CISSP, CISM or CRISC)
  • Knowledge of regulations in the financial sector (e.g., Basel, ECB, AMF, FSA, FFIEC, SMA, HKMA, FED, GDPR, among others)
  • Excellent understanding of emerging technologies: cloud, IoT
  • Thorough understanding of ISO 27005 and, more broadly, of the ISO 2700x series of standards and guidelines
  • Knowledge of Archer Technologies SmartSuite Framework and Tufin
  • Operations Management experience will be a plus
  • Proactive problem solver
  • Solid communication and interpersonal skills
  • Fluent in English

BNP Paribas is an equal opportunity employer and proud to provide equal employment opportunity to all job seekers. We are actively committed to ensuring that no individual is discriminated against on the grounds of age, disability, gender reassignment, marriage or civil partnership status, pregnancy and maternity, race, religion or belief, sex or sexual orientation. Equity and diversity are at the core of our recruitment policy because we believe that they foster creativity and efficiency, which in turn increase performance and productivity. We strive to reflect the society we live in, while keeping in line with the image of our clients.


Please note that only applications submitted in English will be considered. In case you are selected for this role, further documentation will be requested to support your hiring process.

  • Primary Location: PT-11-Lisbon
  • Job Type: Standard / Permanent
  • Job: RISKS
  • Education Level: Master Degree or equivalent (> 4 years)
  • Experience Level: Not Indicated
  • Schedule: Full-time