The bank for a changing world

We are looking for an

Operational Risk Manager - Information & Communication Technology

Schedule: Full time
Job function: Risk
Brand: BNP Paribas
Education level: BAC+2/3
Reference: BRA000157

Department Overview:


The Information and Communications Technology RISK department (RISK ORC ICT) is part of the Group Risk Functions within BNP Paribas. It is a part of the second line of defence (2LOD) under the Bank’s Chief Cyber & Technology Risk Officer. RISK ORC ICT has responsibility for the independent identification of key technology risks to the Bank and influencing business and technology partners to take sound risk management decisions. RISK ORC ICT performs its independent oversight through the support of global teams, centers of excellence and local teams and in close coordination with other 2LOD functions such as Operational Risk, Data Protection and Compliance.


Key Responsibilities:


Responsible for the development and implementation of a region-wide ICT risk assessment program for the Corporate & Institutional Banking (CIB) business in Latin America: Brazil, Mexico, Colombia and Argentina. The successful candidate will have a proven track record of developing and implementing risk management programs in global organizations, with robust knowledge of technology, risks, architectures and related tools. Prior ICT risk experience (IT, Cyber, Vendor, etc.) and exposure to the Global Financial Services industry is a requirement.

The individual will develop and communicate the ICT risk management requirements and engagement models to ensure that ICT risk considerations are accounted for in all the bank’s operations. Negotiation and Conflict Management skills are an absolute must. The individual will ultimately represent the ICT risk profile for the organization and will present findings to Board and executive committees. Excellent presentation & executive presence skills are necessary. Experience interacting with regulatory agencies is required.

This is a high-visibility role that will drive the program and accelerate the deployment of the second line of defense to meet Group policies and comply with regulatory requirements. There is a need to integrate the requirements from Group, build a seamless integration with the Operational Risk framework already in place and coordinate with other 2LOD functions across the Americas, so an influencer and trust builder who can sell and execute a value proposition is important.

Governance and Oversight: 

Governance: Establish an IT & Cyber Risk Management Program for the Latin America region within the three lines of defense model, in alignment with the Group Policies and consistent with the operating model across the Americas. Ensure appropriate visibility to Senior Management on matters such as historical incidents, key risks, control deficiencies, regulatory matters, emerging threats, etc. Drive effective implementation and communication of operational risk management policies and guidelines. Establish appropriate risk management governance committees, arrange agendas and chair meetings as appropriate.

Advisory: Provide IT & Cyber risk management consulting to the business, operations, technical and IT departments. Establish oversight for the IT and Operations Transformation projects, including the review of major outsourcing partners from a technology perspective.

Risk Management Environment:

• Identification & assessment: Ensure that the identification and assessment of operational risks are effectively done across the organization by correlating input from Audit Findings, Internal Loss Data Collection & Analysis, External Data Collection & Analysis, Risk Control Self Assessments (RCSAs), Business Process Mapping, KPIs & KRIs, Scenario Analysis, Quantified Measurement & Comparative Analysis.

• Monitoring & Reporting: Establish and maintain the Business-IT Risk Profile for the operations across Latin America. Implement a process to regularly monitor operational risk profiles and material exposure to losses and provide appropriate reporting mechanisms to the board, senior management and the business lines. Data capture and operational risk reporting should be continuously enhanced and provide a feedback loop to enhance risk management policies, procedures and practices.


• Control & Mitigation: Improve the effectiveness of the Internal Controls Framework by reviewing the control environment, its design, documentation and effectiveness on IT and Information Security matters. Design and coordinate Independent Testing engagements to ultimately test the effectiveness, in coordination with Group RISK ORC ICT resources. Review and challenge the effectiveness of risk treatment strategies such as remediation plans for control deficiencies.


Business Resiliency and Continuity:

• Oversee and drive the business resiliency and continuity plans to ensure the ability of the bank to operate on an ongoing basis and limit the losses in the event of severe business disruption. Coordinate frequent tests of these plans with the third and first lines of defense to ensure coverage and adequacy.


Regulatory Compliance:

• Monitor regulations and laws across the region that have requirements/impact on ICT matters and support/oversee regulatory exams as required.

• Provide updates on regulatory and financial disclosure while complying with external and regulatory communications standards and disclosing the operational risk management framework of the Bank in a manner that complies with applicable policies.

- Bachelor's degree.

- Fluency in Portuguese, English and Spanish.



- Information Security, Operational Risk and IT Risk management experience specifically in cyber risk assessment, third party and technology risk assessments;

- Experience in a Technology Risk, Information Security or an IT Audit role;

- Team player – focus on the success of the whole team. Working well both with others, as well as individually;  

- Ability to co-operate and work well with others adopting an approachable style – Important as we work closely with a large and diverse set of suppliers and customers; Adapting personal approach to suit situations, individuals, groups and cultures. Is flexible in relation to getting the job done;

- Excellent stakeholder management skills;

- Demonstrating a calm professional approach, with a good understanding of delivery within time constraints and the need to escalate/inform departmental management as appropriate;

- Knowledge and practical experience with wholesale banking products, services, systems and regulatory environment;

- Excellent listening and analytical skills – being able to come to a thoughtful and business focused conclusion quickly;

- Ability to see the customer perspective, i.e. from a business point of view, the most secure solution is not always workable or realistic considering costs and benefits;

- Ability to express views clearly and fluently, both orally and in writing. Considers the audience, avoiding technical jargon wherever necessary and appropriate;

- Taking accountability for their actions and being open and honest when things have gone wrong, and celebrating successes when things have gone well;

- Demonstrating a high-level of commitment and self-motivation, combined with enthusiasm and a genuine interest in the business;

- A robust understanding of large-scale technology infrastructure and emerging technologies: SDN, cloud, IoT, etc.;

- Thorough understanding of the ISO 2700X, NIST series of standards and guidelines;

- Experience in preparing and presenting formal, high impact documents.   



BNP Paribas is committed to providing a work environment that fosters diversity, inclusion, and equal employment opportunity without regard to race, color, gender, age, creed, sex, religion, national origin, disability (physical or mental), marital status, citizenship, ancestry, sexual orientation, gender identity and gender expression, or any other legally protected status.

Primary Location: BR-SP-São Paulo
Job Type: Standard
Job: RISKS
Schedule: Full time
Behavioural competency: Ability to collaborate / teamwork, Impact / ability to influence, Critical thinking, Adaptability, Ability to communicate orally and in writing, Rigour
Transversal competency: Ability to develop and adapt a process, Analytical ability
Reference: BRA000157