In Asia Pacific, BNP Paribas is one of the best-positioned international financial institutions with an uninterrupted presence since 1860. Currently with over 17,000 employees* and a presence in 13 markets, BNP Paribas provides corporates, institutional and private investors with product and service solutions tailored to their specific needs. It offers a wide range of financial services covering corporate & institutional banking, wealth management, asset management, insurance, as well as retail banking and consumer financing through strategic partnerships.
Worldwide, BNP Paribas has a presence in 73 markets with more than 196,000 employees. It has key positions in its three main activities: Domestic Markets and International Financial Services (whose retail-banking networks and financial services are covered by Retail Banking & Services) and Corporate & Institutional Banking, which serves two client franchises: corporate clients and institutional investors. Asia Pacific is a key strategic region for BNP Paribas and it continues to develop its franchise in the region.
BNP Paribas offers you an exciting career in an international business environment that is fast-paced, diverse and focuses on creating high-value relationships with our clients. We offer competitive salary and benefits, as well as a working environment where you’re valued as part of the team.
* excluding partnerships
The Information and Communications Technology Risk department is part of the Group Risk Functions within BNP Paribas. It is a part of the 2nd line of defense under the Bank’s Chief Cyber & Technology Risk Officer. Among other responsibilities, the department is responsible for identifying key technology risks to the Bank and for influencing business and technology partners to take sound risk management decisions. This is achieved by delivering:
Application & Infrastructure Risk Assessments: Working with the Business and Technology teams to identify security issues in existing and new systems, and agree corresponding actions to mitigate or accept risks. Tracking issues and agreed actions to completion.
Horizontal Risk Assessments: Assessing technology risks in relation to a particular theme or technology across the organization. Examples could be assessments of the firewall change process, applications processing >$5m per day, applications hosted in the cloud, etc.
Vertical Risk Assessments: Assessing risks to a product, service, technology or infrastructure. For instance, we may complete a vertical assessment on our remote working solution (including infrastructure, applications, data, threats, etc.) or our Internet connectivity.
Partnership to the Business and Technology teams in helping them understand their technology risk profile and influencing their risk management decisions
Operational Resilience initiatives and programs that lead the region to anticipate, prevent, detect, withstand and recover from operational disruptions
The role holder will be part of a small team responsible for the implementation, management and innovation of 2nd line of defense risk management within the Information and Communication Technology (ICT) space in the APAC region.
This is a start-up role, where the role holder will work with the support of and in close co-operation with colleagues in RISK ORC ICT APAC, RISK ORC APAC, Group RISK ORC ICT as well as 1st line of defense ICT, business and offshoring teams and stakeholders.
The candidate shall be an all-round specialist in Information and Communication Technologies, which includes IT Processes (Architecture, Network, Systems, Application), Governance, Cyber Security and Operational Resilience related subjects. The candidate shall play a lead role in the successful completion of assigned assessments from start to finish and shall be competent to strengthen team spirit, improve team skills on different ICT subjects and ensure the quality, relevance and traceability of all identified gaps.
As a subject matter expert on ICT, the successful candidate shall stimulate and bring knowledge and innovation to the RISK ORC APAC and RISK ORC ICT APAC team, helping to elevate the knowledge base and skills of the team.
Governance & Oversight
Provide IT & Cyber risk management (including Operational Resilience) consulting to the business, technical and operations groups
Provide direction, support and oversight with respect to management of security and technology risks of core systems and applications, and its resiliency
Drive effective implementation and communication of Operational Risk Management policies and guidelines
Risk management environment
Identification & Assessment: Ensure that the identification and assessment of operational risks are effectively done across the organisation by correlating input from Audit Findings, Internal Loss Data Collection & Analysis, External Data Collection & Analysis, Risk Control Self Assessments, Business Process Mapping, KPIs & KRIs, Scenario Analysis, Quantified Measurement & Comparative Analysis.
Monitoring & Reporting: Implement a process to regularly monitor operational risk profiles and material exposure to losses and provide appropriate reporting mechanisms to the board, senior management and the business lines. Data capture and operational risk reporting should be continuously enhanced and provide a feedback loop to enhance risk management policies, procedures and practices.
Control & Mitigation: Improve the effectiveness of the Internal Controls programme by reviewing the control environment, risk assessment process, control activities, information and communication, and monitoring activities. Assess operational risk response strategies. Validate risk transfer options.
Risk Disclosure: Provide updates on regulatory and financial disclosure while complying with external and regulatory communications standards and disclosing the operational risk management framework of the bank in a manner that complies with the formal disclosure policy approved by the board of directors. Define the approach for determining what operational risk disclosures are made and the internal controls over the disclosure process. Implement a process to assess the appropriateness of the disclosure, including its verification and frequency.
- Manage the design, delivery, testing and management of Operational Resilience risk standards and associated controls
- Manage assurance/oversight of Operational Resilience directly owned controls and indirectly owned Resilience controls and ensure these controls are tested for operational effectiveness
- Provide active advisory, partnership, challenge or approval to applicable risk owners to ensure appropriate prioritization and resolution
- Perform relevant 2nd Line of Defence thematic or issue-based deep dives
- Support the business in identifying (through control testing) Resilience gaps in processes and controls, and in remediating these
- Contribute to the design, development and specification of new/redesigned processes, systems, information, risk controls, testing regimes, documentation and supporting materials
Third Party Technology Risk: Provide 2nd line of defence risk oversight of the Third Party Cyber & Tech Risk program
Conduct independent technology and cyber risk assessment of Outsourcing risks
2nd LoD thematic review of critical suppliers from a Cyber & Tech Risk perspective
Assist the Global Head in developing Group-wide 2nd LoD framework and policies regarding Third Party Tech Risk programs
Governance & Oversight
Contribute to the establishment of an IT & Cyber Risk Management program for the bank within the three lines of defence model in alignment with the Group Risk Management Framework
Assist with establishing appropriate risk management governance committees, arrange agendas and chair meetings as appropriate
Assist with establishing and oversight of the Operational Risk Management infrastructure and ensure practices are consistent with regulatory expectations and industry sound practices
Technical & Behavioral Competencies
The successful candidate will have a proven track record in managing risk and technology in large/global organizations with robust knowledge of technology, risks and controls, IT and security architecture, operational resilience, and third party technology risk management. Prior ICT risk experience (IT, DR/BCM, Cyber security, Third Party, etc.) and exposure to the Financial Services industry is a requirement. Experience with risk management tools and information systems is beneficial.
Generic Requested Skills
Excellent stakeholder management skills
Demonstrates a high level of commitment and self-motivation
Able to manage workload and set realistic and achievable targets
Eye for detail and ability to process a high quantity of documents and correlate them
Highly organized and able to multi-task
Able to express views clearly and fluently both orally and in writing, considering the audience and avoiding technical jargon when necessary and appropriate
Able to work under pressure in an international environment
Must be able to interface and coordinate work efficiently and effectively with senior business and technology partners
Excellent communication and influencing skills, including ability to articulate complex issues and incorporate feedback
Good team player; strong stakeholder management, relationship building, influencing, facilitating and presenting skills
Has the proven ability to think outside of the box, challenge industry norms and adapt quickly to evolving requirements
Is self-aware, anticipates problems, adapts and meets them head on.
Is solutions focused – measures their output on whether issues, problems or challenges are resolved as the criterion for success
Works iteratively, delivering quickly and frequently to produce high quality documents and outputs which require little to no rework
Experience in business process re-engineering, experience with functional and enterprise technical architecture, and a good understanding of large-scale technology infrastructure
Understanding of emerging technologies e.g. IoT, Cloud, etc.
Understanding of the ISO 2700X series of standards and guidelines
Significant experience in the field of Technology Risk Management, Operational Resilience, Cyber, Information Security and Crisis Management.
Strong Risk mindset with understanding of applicable Technology Risk and Resilience regulatory requirements
Proficiency in IT Service Management, Service Continuity domains
Experience within a regulated environment such as the financial services industry
Act as a role model, supporting and fostering an inclusive culture and one of good conduct
Demonstrate proactivity, transparency and accountability for identifying and managing conduct risks
Consider the implications of actions on colleagues, partners and clients before making decisions and escalate issues to manager when unsure
Specific Qualifications (if required)
Graduate or Post-graduate qualification in ICT domains, risk management or control function
Prior experience or practical understanding in IT, IT Security or other ICT domains required
Project management skills