We are looking for a

Head of RISK ORM ICT & COE

Updated on 11.04.2025

About BNP Paribas India Solutions:

Established in 2005, BNP Paribas India Solutions is a wholly owned subsidiary of BNP Paribas SA, the European Union’s leading bank with an international reach. With delivery centers located in Bengaluru, Chennai and Mumbai, we are a 24x7 global delivery center. India Solutions services three business lines for BNP Paribas across the Group: Corporate and Institutional Banking, Investment Solutions and Retail Banking. Driving innovation and growth, we are harnessing the potential of over 10000 employees to provide support and develop best-in-class solutions.

About BNP Paribas Group:

BNP Paribas is the European Union’s leading bank and a key player in international banking. It operates in 65 countries and has nearly 185,000 employees, including more than 145,000 in Europe. The Group has key positions in its three main fields of activity: Commercial, Personal Banking & Services for the Group’s commercial & personal banking and several specialised businesses including BNP Paribas Personal Finance and Arval; Investment & Protection Services for savings, investment, and protection solutions; and Corporate & Institutional Banking, focused on corporate and institutional clients. Based on its strong diversified and integrated model, the Group helps all its clients (individuals, community associations, entrepreneurs, SMEs, corporates and institutional clients) to realize their projects through solutions spanning financing, investment, savings and protection insurance. In Europe, BNP Paribas has four domestic markets: Belgium, France, Italy, and Luxembourg. The Group is rolling out its integrated commercial & personal banking model across several Mediterranean countries, Turkey, and Eastern Europe. As a key player in international banking, the Group has leading platforms and business lines in Europe, a strong presence in the Americas as well as a solid and fast-growing business in Asia-Pacific. BNP Paribas has implemented a Corporate Social Responsibility approach in all its activities, enabling it to contribute to the construction of a sustainable future while ensuring the Group's performance and stability.

Commitment to Diversity and Inclusion

At BNP Paribas, we passionately embrace diversity and are committed to fostering an inclusive workplace where all employees are valued, respected and can bring their authentic selves to work. We prohibit discrimination and harassment of any kind, and our policies promote equal employment opportunity for all employees and applicants, irrespective of, but not limited to, their gender, gender identity, sex, sexual orientation, ethnicity, race, colour, national origin, age, religion, social status, mental or physical disabilities, veteran status, etc. As a global bank, we truly believe that the inclusion and diversity of our teams is key to our success in serving our clients and the communities we operate in.

Job Title:

Head of RISK ORM ICT & COE

Date:

Department:

RISK ORM

Location:

Mumbai

Business Line / Function:

Group RISK

Reports to (Direct):

ISPL CRO

Reports to (Functional):

Head of RISK ORM NETWORK

Grade (if applicable):

VP2 / VP3 / Director

Number of Direct Reports:

3 direct and 30+ N-1

Directorship / Registration:

NA

Position Purpose

Description of the environment

RISK Operational Risk Management (RISK ORM), created in early 2021 to oversee operational risks within the mandate of the RISK function, is organised, under the responsibility of the Group Chief Operational Risk Officer (Group CORO), around 3 Poles: RISK ORM Framework, RISK ORM Technology & Transversal Risks and RISK ORM Network.

RISK ORM Network is made up of all the Operational Risk Officers (OROs) acting as the second line of defence (LoD2) within the Group’s operational entities (Poles, Business Lines, Functions, Transversal Activities).

In this context, the Head of RISK ORM ICT & COE, whose missions are presented below, reports hierarchically to the ISPL CRO and functionally to the Head of RISK ORM NETWORK.

The Head of RISK ORM ICT & COE role contributes, with his/her team, to establishing ICT risk profiles for the IT perimeters in ISPL, and to identifying and reducing risks on activities carrying an ICT risk and on activities delegated to third-party service providers. The role also contributes to the Group’s operational resilience oversight, LoD2 action plan (PCA) monitoring, anti-fraud activities, technical security reviews, supervisory affairs, risk profile, and governance initiatives, thereby improving the efficiency of the Bank's overall activities.

As the Head of RISK ORM COE:

  • Contribute to protecting the Bank by delivering the following operational risk services (per the RISK ORM S.A – RISK ISPL services agreement) described in the main missions of this document.
  • Manage and develop the following teams in close link with the related Onshore Heads of OROs:
    1. CoE ICT Controls Extension Program (CICEP),
    2. RISK ORM Operational Resilience,
    3. Cyber & Payment Systems Risk Tech & Automation Center,
    4. RISK ORM Framework on Supervisory Affairs, Governance & Group Risk Profile,
    5. CoE Outsourcing Controls Extension Program (COCEP).
  • Implement and manage the relevant governance enabling transparency of deliverables with Local and the related Onshore Heads of OROs.

As the Head of RISK ORM ICT (ORO & Extended ORO):

  • Contribute to protecting the Bank through governance and oversight of the ICT risk profile via RCSA, independent assessments, incident management and permanent control action processes.
  • Perform the ORO mission statement on ICT risks in close link with the related Onshore Heads of OROs, and manage the ISPL RISK ORM ICT ORO teams for the following perimeters:
    1. ISPL CIB IT,
    2. ISPL ITG International, which includes
      • ITG,
      • IPS IT,
      • CPBS IT,
    3. ISPL Transversal IT functions (e.g. ALMT IT, Market risk IT and IT CCCO) 

The mutualized Execution Platform teams (CICEP, COCEP, ORO ICT pooling) play a key role in assessing the Bank’s ICT and outsourcing risk posture. Through LoD2 controls, they contribute to measuring the effectiveness of the mechanisms implemented, and they produce indicators that proactively build a common understanding of ICT and third-party risks.

The success of the role relies on building trusted partnerships with stakeholders, particularly with the RISK ORM Framework, Network, IT Group, TPRM, and the related Onshore Heads of OROs.

Responsibilities for RISK ORM CoE 

Manage the CoE ICT Controls Execution Platform (CICEP):

  • Implement the CICEP ICT LOD2 controls review methodology and supporting guidelines.
  • Perform end-to-end reviews of LoD2 ICT permanent controls in-line with the CICEP RACI.
    1. Validate the yearly plan with Business Unit (BU) stakeholders, including presentation of the scope, and ensure the validated LoD2 Control Plan is available in 360RiskOp.
    2. Perform the controls, review evidence and action plans, and inform stakeholders (BU ORO, BU 1LOD etc.) of assessment progress.
    3. Present assessment findings to the related Onshore Heads of OROs and issue assessment reports.
    4. Execute the CICEP Standard Operating Procedures (SOP), and standard templates if required to perform LOD2 controls (aligned to RISK0414) on Verification, Re-performance, and Direct controls testing.

Manage the CoE Outsourcing Controls Execution Platform (COCEP):

  • Manage the Common Outsourcing Controls Execution Platform (COCEP) activities relying on existing best practices of the Common ICT LoD2 Control Execution Platform (CICEP) model:
    1. Implement and structure the COCEP roles, responsibilities, and governance.
    2. Manage the industrialisation and the practice of the COCEP. Execute LoD2 controls on outsourcing GCL (RISK0418).
  • Lead and manage the COCEP team to perform their missions.
  • Oversee the data quality process for the outsourcing register used in regulatory reporting.
  • Support the related Onshore Heads of OROs in defining their entity's outsourcing risk profile.

Perform Platform reporting:

  • Produce a periodic report analysing ICT and outsourcing operational risk management, including improvements in data quality indicators and analysis of LoD2 control results.
  • Act as the secretary of the CICEP and COCEP steering committee process, chaired by the Head of RISK ORM Network.
  • Produce operational reporting (link with RISK ORM COE ISPL reporting stream).
  • Contribute to the regular governance meetings. Issue periodic reports to related Onshore Heads of OROs, (i) on the service related to the CICEP and COCEP, through dedicated indicators (ii) on missions, including suggestions for Permanent Control Actions (PCAs).

Participate in and support the Operational Resilience program:

  • Implementation of the Group Operational Resilience Policy at Territory/Region level, including:
    1. Risk oversight, check and challenge, response to regulatory exams, education and awareness, risk opinion, leading and participating in 1LoD risk assessments, IT continuity assessments for the Entity / Territory / Region, and participation in and contribution to crisis management exercises at Region and Group level.
  • Cyber Resilience and Fraud:
    1. Management of and contribution to Group communities related to Operational Resilience, Cyber Resilience and Cyber Fraud; supporting and contributing to Group cyber anti-fraud programs / projects.
  • Third Party Technology Risk Management:
    1. Independent assessment of TPTRM across different Group entities, reviews of regulatory requirements impacting Third Party Technology Risk Management, risk opinion, and review, check & challenge of baseline documents, procedures and policies.

Participate in and support the Cyber & Payment Systems Risk Tech & Automation Center:

  • PCA reviews:
    1. Oversight and monitoring of Permanent Control Actions; validation of actions / evidence for action closure.
  • Support, contribute to and collaborate on the Technical Reviews/Testing Missions per the CPSRT annual plan:
    1. Penetration Testing, Application Security Reviews, Technical Security Reviews, Payments Security Reviews, Infrastructure Testing, Thematic Reviews.
  • Support Regulatory reviews/inspections.

Support Supervisory Affairs, Governance & Group Risk Profile:

  • Policy and procedure reviews:
    1. Establish regular governance channels with 1LoD management regarding ICT risk framework policies, procedures and requirements, and provide RISK ORM Framework managers with regular updates on the progress of ICT risk policies and procedures.
    2. Ensure RISK ORM involvement and high quality in the check and challenge of all new and updated 1LOD ICT risk framework policies, procedures and requirements; consolidate and submit the 2LOD check and challenge according to the agreed due dates for each procedure.
  • Participate in the yearly RISK ID and Group ICAAP submission process:
    1. Attend kick-off meetings, establish a project plan to ensure contributors are engaged and the project timeline is met, coordinate validation of the material risks lists with the Group CORO, and ensure submission of the draft and final RISK ID and ICAAP contributions in accordance with the timeline.

Responsibilities for RISK ORM ICT (ORO & Extended ORO):

As described in the standard ORO mission statement, perform, if relevant and for the related supervised perimeter[1], the ORO Mission contributing to the reinforcement of the second line of defence in terms of technological risks.

Supervise the deployment of the operational risk management framework for technological risks

  • Pilot the major transformation programs, especially those linked to a recommendation from the Supervisor or to compliance with a regulatory provision (e.g. Control Monitoring Program, Third Party Risk Management, operational resilience, Cyberfraud Program, Cyberprogram, Data Leakage Protection Program).
  • Ensure that operational risk regulations, norms, guidelines and methodologies are understood and implemented over time including, but not limited to:
    1. Governance: Contribute to ISPL ICC and support other territory/regional ICC (within scope of perimeters) to articulate the ICT risk profile of the pole/metier.
    2. Build ICT risk profiles through the execution of RCSA of the perimeters described above
    3. Carry out and supervise Independent analysis;
    4. Perform incident analysis;
    5. Ensure the use of Group operational risk management tools (e.g., 360 RiskOp) and related reporting;
  • Build, in the framework of the associated governance for technological risks:
    1. An ICT RISK opinion, based notably on (i) the 2nd level controls and independent analysis carried out, and (ii) the robustness of the system put in place by the first line of defence, which may, if necessary, lead to permanent control actions;
    2. A qualitative and quantitative monitoring of ICT historical incidents, including in particular an analysis of the most important of them and supervision of the associated action plans concerning technological risks (cyber-attacks, data integrity risks, ICT change risks (projects and IT organisation, vulnerability management, identity & access management, …), risks linked to Cloud, digital assets & emerging technologies, AI, data leakage, …).
  • Given the growing level of technology in the Group's operational processes, contribute to the reinforcement of the second line of defence in terms of technological risks:
    1. Ensure that the governance relating to the management of operational risks (e.g. internal control committee) includes technological risk profiles.
    2. Strengthen the involvement of the second line of defence in the preparation of the Information Systems Strategic Committees (CSSI) and the major projects committees (CGP), and ensure their follow-up.
    3. Develop the supervision of the identification and assessment of technological risks by the first line of defence, including in particular:
      • achievement of technological risk assessment exercises;
      • the identification of critical and vital IT assets, and the assessment of the impacts of the risks relating to these assets on the Business processes;
      • the identification of critical “third parties”, and the assessment of the technological risks associated with their services as well as the impacts of the latter on the Business processes;
      • deployment of the methodology adopted by the Group in terms of operational resilience, in particular with regard to activities vital to the Group.
    4. Continuously improve the supervision of the collection of technological incidents, ensuring that they are correctly documented and recorded in the corresponding tools.
    5. Contribute to the implementation of second level controls in terms of technological risk.
    6. Contribute to the development of Cyber and Operational Resilience communities.

Managerial Responsibilities

  • Active team player with a positive attitude, bringing the team together irrespective of team responsibilities.
  • Provide a conducive work environment for a healthy working atmosphere in a competitive environment.
  • Upskill team members based on the skill matrix and follow through on PDPs.
  • Promote training awareness, recognize team members, value their contribution, and provide opportunities for growth and mobility.
  • Deal fairly with staff members on day-to-day business deliverables and ensure administrative aspects, including attendance, training and continuous feedback, are fully in order.
  • Hire team members with the right skill set, resolve conflicts, boost team morale, and create backups for perpetual succession and sustainable business delivery.
  • Key stakeholder management with Beneficiaries, local management and the 1st LOD is mandatory.

Technical Qualification and Behavioural Competencies

  • Demonstrated experience of interacting with or managing complex and multicultural organizations & teams.
  • Demonstrated experience of leading or participating in complex program management at Regional or Group level (e.g. Operational Resilience or a mutualized platform).
  • Good knowledge of operational risk procedures & tooling; strong LoD2 control or IT audit experience is important.
  • Good knowledge of technological risks and their mitigants: cyber-attack risk scenarios, data integrity risks, IT risks related to changes (IT projects and organization, vulnerability management, access and identity, …), risks related to Cloud, digital assets and emerging technologies, data protection & leakage, etc.
  • Knowledge of outsourcing risks and the regulatory environment is a plus.
  • Good knowledge of IT (tools, languages, architecture) from past experience in a team in charge of technological processes or their supervision.
  • Good knowledge of the BNP Paribas Group, the different entities of the Group, the RISK organization and the business is an important plus.
  • At least 10 years of relevant experience in risk management or a control function, preferably with relevant exposure to a consulting or audit background.
  • Knowledge and experience in financial services, including end-to-end process flows and associated risks and controls; knowledge of banking products in the area of Corporate & Institutional Banking is an advantage.

Does our offer appeal to you? Then don't hesitate!

Discover the BNP Paribas professions: Audit, Compliance, Risk and Legal

The regulatory landscape of our sector is evolving rapidly and we must be beyond reproach! To take on a role with significant responsibilities and take part in strategic decisions for the smooth running of BNP Paribas, discover the opportunities offered in the audit, compliance, risk and legal professions.

Why would I apply?

Why would I join BNP Paribas rather than another company?

Because I want to...

  • What if we told you that working in our Group is not what you think? At BNP Paribas, we practise a multitude of professions that evolve constantly to keep pace with the expectations of clients and of society. Through everyday actions or major projects, practising one of our professions means committing to act sustainably.

  • Feeling good in your job means, above all, coming to work as you are. It also means having the means for a good balance between your professional and personal life. Two major commitments for BNP Paribas.

  • At BNP Paribas, developing your skills is essential, for you as for us. And it will serve you throughout your professional life.