La banque d'un monde qui change

Nous recherchons un

RISK ORC ICT Operational Resilience – IT Resilience Lead

Type de contrat

Standard / Permanent



Métier / fonction




BNP Paribas Overview


BNP Paribas has a presence in 75 countries with more than 185,000 employees, including 145,000 in Europe. It ranks highly in its two core activities: Retail Banking & Services and Corporate & Institutional Banking.


At BNP Paribas, we work continuously on behalf of our clients, helping them to realize their projects around the world. You can be an important part of this, helping us to serve our clients both in mature and emerging markets, providing them with financial solutions across a diverse range of expertise, products and services. Our origins lie in Europe, but nearly a quarter of our employees now work in our multi-award-winning Asia Pacific offices and we are a committed player in all markets.


Strong risk management, combined with the stability that comes from being part of one of the largest banking groups in the world, underpin our success. Joining us, you’ll become an integral part of a dynamic team that spans nationalities, cultures and backgrounds, drawing together people from around the globe and reflecting our commitment to international placements.


Department Overview


The Information and Communications Technology Risk department is part of the Group Risk Functions within BNP Paribas. It is a part of the 2nd line of defence under the Bank’s Chief Cyber & Technology Risk Officer.   The department has responsibility for identification of key technology risks to the Bank and influencing business and technology partners to take sound risk management decisions.   This is achieved by delivering:   - Application & Infrastructure Risk Assessments working with the Business and Technology teams to identify security issues in existing and new systems, and agree corresponding actions to mitigate or accept risks. Tracking issues and agreed actions to completion. - Horizontal Risk Assessments – Assessing technology risks in relation to a particular theme or technology across the organisation. Examples could be assessments of the firewall change process, applications processing >$5m per day, applications hosted in the cloud, etc. - Vertical Risk Assessments - Assessing risks to a product, service, technology or infrastructure. For instance we may complete a vertical assessment on our remote working solution (including Infrastructure, applications, data, threats etc.) or our Internet connectivity. - Partnership to the Business and Technology teams in helping them understand their technology risk profile and influencing their risk management decisions.


Key Responsibilities


The Global Operational Resilience & Crisis Management program within RISK ORC ICT is a critical component in ensuring the group’s ability to prevent disruptions to its critical services from occurring, continue to meet its objectives if a disruption or incident does occur and return to normalcy, when disruption or crisis is eliminated. This applies to Cyber, Technology, Supply chains, physical infrastructure and People .

Operational resilience management includes planning, integrating, testing and governing activities to ensure that the group can

  • Identify and mitigate business and system disruption risks that could lead to before they occur
  • Prepare for and respond to disruptive events (realized risks) in a manner that demonstrates command and control of incident response and crises, coordination and service continuity. Scenarios could include but not limited to Cyber Security Incidents, Technology/Systems Outage, People or Process Failures.
  • Recover and restore mission-critical services and operations following an incident within the agreed risk appetite levels

The above is achieved through main teams such as Detection (Cyber Fraud) , IT Resiliency, Business Continuity Oversight and Crisis Management.


The position of IT Resiliency/DR Lead will report directly to the Global Head of Operational Resilience and Crisis Management and will be responsible for the development and implementation of IT Resiliency and DR Risk Management and Control framework globally.


The individual will also be responsible for coordinating and executing resilience proving ‘events’ within a defined process that the bank's technology infrastructure, applications and services meet our internal and external resilience requirements, and IT resilience controls. This will involve working very closely with various internal stakeholders, collectively covering the bases of data recovery, IT continuity, and general validation and testing. The variety in your role means that you could be focusing on the general resilience of our systems, making sure we have the capability to withstand incidents and still maintain our critical services or you could be focusing on our back-up and data recovery capability.


  • Manage the design, delivery, testing and management of Technology Resilience standards and associated controls
  • Centralized governance of IT Resiliency Risks for the bank, independently identify, assess, mitigate, report and escalate material risks as appropriate. Examples could be risks related to IT Incident, Proble, Change and Capacity Management issues impacting production environment stability, Extreme Cyber Security Disaster Scenario, Wide Area Disruption, Full Loss Scenario of Data Centers/Cloud Infrastructure etc
  • Provide active advisory, partnership, challenge or approval to applicable risk owners to ensure appropriate prioritization and resolution
  • Perform relevant 2 Line Of defense thematic or issue based deep dives
  • Manage assurance/oversight of IT Resilience directly owned controls and in-directly owned Resilience controls and ensure these controls are tested for operational effectiveness.
  • Contribute to the design, development and specification of new/redesigned processes, systems, information, risk controls, testing regimes, documentation and supporting materials


Risk Management Environment:

  • Identification & assessment: Ensure that the identification and assessment of operational risks are effectively done across the organization by correlating input from Audit Findings, Internal Loss Data Collection & Analysis, External Data Collection & Analysis, Risk Control Self Assessments, Business Process Mapping, KPIs & KRIs, Scenario Analysis, Quantified Measurement & Comparative Analysis.
  • Monitoring & Reporting: Implement a process to regularly monitoring operational risk profiles and material exposure to losses and provide appropriate reporting mechanisms to the board, senior management and the business lines. Data capture and operational risk reporting should be continuously enhanced and provide a feedback loop to enhance risk management policies, procedures and practices.
  • Control & Mitigation improve the effectiveness of the Internal Controls programme by reviewing the control environment, risk assessment process, control activities, information and communication and monitoring activities. Assess operational risk response strategies. Validate risk transfer options.


Skills Required

  • Significant experience in the field of IT Resilience, IT Service Management, Disaster Recovery and Information Security Risk.
  • Strong Risk mindset with understanding of applicable Technology Risk and Business Continuity regulatory requirements in financial services sector.
  • Must be able to interface and coordinate work efficiently and effectively with business and technology partners.
  • Excellent communication and influencing skills, including ability to articulate complex issues and incorporate feedback.
  • Proficiency in IT Service Management, Service Continuity domains.
  • Good team player, Strong stakeholder management, relationship building, influencing, facilitating and presenting skills.
  • Good listening and analytical skills – being able to come to a thoughtful and business focused conclusion quickly;
  • Ability to co-operate and work well with others adopting an approachable style
  • Important as we work closely with a large and diverse set of suppliers and customers;
  • Ability to see the customer perspective, i.e. from a business point of view, the most secure solution is not always workable or realistic considering costs and benefits;
  • Demonstrating a calm professional approach, with a good understanding of delivery within time constraints and the need to escalate/inform departmental management as appropriate;
  • Adapting personal approach to suit situations, individuals, groups and cultures. Is flexible in relation to getting the job done;
  • Taking accountability for their actions and be open and honest when things have gone wrong, and celebrating successes when things have gone well;
  • Being rigorous and thorough – especially when logging and tracking issues through to conclusion;
  • Ability to manage their workload as to meet the realistic targets and priorities set in conjunction with management;
  • Demonstrating a high-level of commitment and self-motivation, combined with enthusiasm and a genuine interest  in the role of Risk Assessment in business;
  • Ability to express views clearly and fluently, both orally and in writing. Considers the audience, avoiding technical jargon wherever necessary and appropriate.
  • Works iteratively, delivering quickly and frequently to produce high quality documents and outputs which require little to no rework

Skills Preferred

  • Has the proven ability to think outside of the box, challenge industry norms and adapt quickly to evolving requirements
  • Excellent in the ability to understand how and why processes and solutions are designed to deliver specific outcomes
  • Is self-aware, anticipates problems, adapts and meets them head on.


  • Professional qualifications relevant to Information Security and Business Continuity and (such as a university degree, CISSP, MBCI, CBCP, CISM or CRISC)



  • Be a role model, supporting and fostering a culture of good conduct
  • Demonstrate proactivity, transparency and accountability for identifying and managing conduct risks
  • Consider the implications of your actions on colleagues, partners and clients before making decisions, and escalate issues to your manager when unsure.

Votre avis nous intéresse ! Participer à notre sondage