In Asia Pacific, BNP Paribas is one of the best-positioned international financial institutions with an uninterrupted presence since 1860. Currently with over 17,000 employees* and a presence in 13 markets, BNP Paribas provides corporates, institutional and private investors with product and service solutions tailored to their specific needs. It offers a wide range of financial services covering corporate & institutional banking, wealth management, asset management, insurance, as well as retail banking and consumer financing through strategic partnerships.
Worldwide, BNP Paribas has a presence in 73 markets with more than 196,000 employees. It has key positions in its three main activities: Domestic Markets and International Financial Services (whose retail-banking networks and financial services are covered by Retail Banking & Services) and Corporate & Institutional Banking, which serves two client franchises: corporate clients and institutional investors. Asia Pacific is a key strategic region for BNP Paribas and it continues to develop its franchise in the region.
BNP Paribas offers you an exciting career in an international business environment that is fast-paced, diverse and focuses on creating high-value relationships with our clients. We offer competitive salary and benefits, as well as a working environment where you’re valued as part of the team.
* excluding partnerships
The Information and Communications Technology Risk department is part of RISK. It is a part of the 2nd line of defence under the Bank’s Chief Cyber & Technology Risk Officer. The department has responsibility for identification of key technology risks to the Bank and influencing business and technology partners to take sound risk management decisions. This is achieved by delivering: - Application & Infrastructure Risk Assessments working with the Business and Technology teams to identify security issues in existing and new systems, and agree corresponding actions to mitigate or accept risks. Tracking issues and agreed actions to completion. - Horizontal Risk Assessments – Assessing technology risks in relation to a particular theme or technology across the organisation. Examples could be assessments of the firewall change process, applications processing >$5m per day, applications hosted in the cloud, etc. - Vertical Risk Assessments - Assessing risks to a product, service, technology or infrastructure. For instance we may complete a vertical assessment on our remote working solution (including Infrastructure, applications, data, threats etc) or our Internet connectivity. - Partnership to the Business and Technology teams in helping them understand their technology risk profile and influencing their risk management decisions.
Responsible for conducting a regional-wide ICT risk assessment program. Successful candidate will have proven track record of developing and implementing risk assessment programs in global organizations, with robust knowledge of technology, risks, architectures and related tools. Prior ICT risk experience (IT, Cyber, Vendor…etc.) & exposure to the Financial Services industry is a must. Experience with GRC tools and other risk management information systems is preferred.
Individual will develop and communicate the risk assessment engagement models to ensure that ICT risk considerations are accounted for in all the bank’s operations.
There is a need to consolidate some of the other existing Operational, IT & Cyber risk functions from other groups into this one and roll out across enterprise, so an influencer and trust builder who can sell a value prop is important. Negotiation and Conflict Management skills an absolute must. Bank is undergoing a significant tech and ops reorg/transformation including outsourcing functions, streamlining and refactoring applications. Will lead this effort form an independent risk assessment of these projects and will present findings to board and exec committees. Excellent presentation & executive presence skills necessary. Experience interacting with regulatory agencies is required.
Governance and Oversight:
• Establish IT & Cyber Risk Management Program for the bank within the three lines of defense model in alignment with the Group Risk Management Framework.
• Drive effective implementation and communication of Operational risk management policies and guidelines.
• Create and execute appropriate staffing model for program, hire resources, including the use of matrix resources from other business unit facing risk managers as appropriate
• Provide direction, support and oversight with respect to management of security and technology risks of core systems and applications.
• Establish and oversee the Operational risk management infrastructure and ensure practices are consistent with regulatory expectations and industry sound practices.
• Provide IT & Cyber risk management consulting to the business, technical and operations groups.
• Establish appropriate risk management governance committees, arrange agendas and chair meetings as appropriate.
• Establish GRM’s oversight model for the IT and Operations Transformation projects including the review of major outsourcing partners.
Risk Management Environment:
• Identification & assessment: Ensure that the identification and assessment of operational risks are effectively done across the organization by correlating input from Audit Findings, Internal Loss Data Collection & Analysis, External Data Collection & Analysis, Risk Control Self Assessments, Business Process Mapping, KPIs & KRIs, Scenario Analysis, Quantified Measurement & Comparative Analysis.
• Monitoring & Reporting: Implement a process to regularly monitoring operational risk profiles and material exposure to losses and provide appropriate reporting mechanisms to the board, senior management and the business lines. Data capture and operational risk reporting should be continuously enhanced and provide a feedback loop to enhance risk management policies, procedures and practices.
• Control & Mitigation improve the effectiveness of the Internal Controls programme by reviewing the control environment, risk assessment process, control activities, information and communication and monitoring activities. Assess operational risk response strategies. Validate risk transfer options.
Business Resiliency and Continuity:
• Oversee and drive the business resiliency and continuity plans to ensure the ability of the bank to operation on an ongoing basis and limit the losses in the event of severe business disruption. Coordinate with the third and first lines frequent tests to these plans to ensure coverage and adequacy
• Provide updates on regulatory and financial disclosure while complying with external and regulatory communications standards and disclosing the operational risk management framework of the bank in a manner that complies with the formal disclosure policy approved by the board of directors.
• Defines approach for determining what operational risk disclosure are made and the internal controls over the disclosure process. Implement a process to assess the appropriateness of the disclosure, including the verification and the frequency.
- A professional qualification relevant to Information Security (such as a university degree, CISSP, CISM or CRISC);
- A good understanding of large-scale technology infrastructure;
- Excellent understanding of emerging technologies: SDN, CLOUD, IoTs…etc
- Thorough understanding of the ISO 2700X series of standards and guidelines; and
- Experience of formal document creation, such as the creation of presentations, reports or procedures. Presenting documentation in a professional and well-structured format;
- Strong MS Office skills (core applications).
The following will be of advantage: - Knowledge or practical experience of one or more of the following products:
o Archer Technologies SmartSuite Framework
o Tufin Operations Management
- Other professional qualifications/memberships, relevant to Information Security (Institute of Information Security professionals, CISA or QICA).
• Be a role model, supporting and fostering a culture of good conduct
• Demonstrate proactivity, transparency and accountability for identifying and managing conduct risks
• Consider the implications of your actions on colleagues, partners and clients before making decisions, and escalate issues to your manager when unsure.