The bank for a changing world

We are looking for

IT & Cyber Risks Relationship Officer

REF: 1806RSK0727

BNP Paribas is a leading European bank with an international reach. It has a presence in 73 countries, with more than 192,000 employees – including more than 146,000 in Europe and over 4,000 in Portugal alone.

BNP Paribas has been present in Portugal since 1985, having been one of the first foreign banks to operate in the country. Today, BNP Paribas has several entities operating directly in this territory, offering a wide range of integrated financial solutions to support its clients and their businesses.

Worldwide, the Group has key positions in its three main activities: Domestic Markets and International Financial Services (whose retail-banking networks and financial services are covered by Retail Banking & Services) and Corporate & Institutional Banking, which serves two client franchises: corporate clients and institutional investors. The Group helps all its clients (individuals, community associations, entrepreneurs, SMEs, corporate and institutional clients) to realise their projects through solutions spanning financing, investment, savings and protection insurance.

The Information and Communications Technology (ICT) Risk department covers areas such as Availability & Continuity, Security, Change, Data Integrity and the Outsourcing Risks associated with the use of Information and Communication Technologies in our business, and is part of the Group Risk Functions within BNP Paribas. It is part of the 2nd line of defence under the Bank's Chief Cyber & Technology Risk Officer. The department's mission is to:
  • Collaborate with the CRO (Chief Risk Officer) community across the global operation to manage the ICT risk exposure of each entity within the Group's stated Risk Appetite.
  • Develop and maintain a holistic, forward-looking view of ICT risk throughout the Group.
  • Raise the ICT risk IQ within the community via enablement, engagement and effective governance.
  • Ensure relentless preparation for adverse events by continuously stress-testing detection and response capabilities and improving recovery measures.
  • Partner with the first and third lines of defence to ensure the effectiveness of the Group's ICT Risk Management Platform.
  • Advise the Business on an effective and risk-aware approach to Accelerated Digital Transformation.

The successful candidate will have a proven track record of developing, implementing and monitoring technology and information risk management programmes within an entity.
The individual will communicate ICT risk management policies, guidelines and standards across the organisation, ensuring that security and technology risks are identified and managed effectively.
The role provides advisory and ongoing support to IT and business-line leaders regarding information technology and security best practices and trends.
It relies on independent risk assessment to validate the effectiveness of controls and to identify areas of focus.
A solid understanding of the information security threat environment, access controls and information technology control environments is also required.



Provide the ORC (Operational Risk and Control) teams within the entities' cluster with adequate assistance and advice while acting as a Single Point of Contact for them regarding the ICT Risk framework and teams. Achieve this by:
  • Assisting the entities' ORC teams with:
    • The deployment of the ICT Risk framework, focusing on the main cluster priorities and critical business impacts.
    • The definition, planning and conduct of ICT risk assessment exercises.
    • The planning and management of independent technical testing.
    • The identification and review of major ICT risks within large programmes and emerging technologies.
    • Improving their surveillance and detection capabilities.
    • Providing support on incident response and crisis management.
  • Contributing to the definition and prioritisation of controls and mitigation actions.
  • Supporting the preparation of ICT risk materials for Risk and IT strategic committees.

Fulfil the 2nd line of defence role at cluster level regarding the effectiveness of the implementation of the ICT Risk framework and the major identified ICT risks, and provide an accurate consolidated view. This will be achieved in particular by correlating input from audit findings, incidents, internal loss data collection and analysis, external data collection and analysis, Risk Control Self Assessments, business process mapping, KPIs and KRIs, scenario analysis, and quantified measurement and comparative analysis.
Create and then lead the ICT risk community within the cluster, in close collaboration with the CRO community, in order to manage the cluster's ICT risk exposure within the Group's stated Risk Appetite and to exchange and share best practices on ICT risks between the entities of the cluster. This should be done in particular through regular committees and dedicated shared workspaces.
Coordinate, at cluster level, regulatory requests as well as internal or external audits dealing with ICT risks, to ensure consistency, effectiveness and a shared view of ICT risks.
Expected deliverables:

  • Project plans and action plans related to the framework deployment.
  • Project plans and reviewed results for risk assessment exercises.
  • Plans and reviewed reports for independent technical testing.
  • Incident analysis and post-incident analysis and review.
  • Major ICT risks heatmap per entity and consolidated view at cluster level.
  • Reviewed mitigation action plans.
  • ICT risk synthesis and reporting to key strategic committees.
  • Committee charter, materials and minutes related to leading the ICT risk community.


  • Minimum of 7 years' cumulative experience in cyber security or IT risk management domains
  • 10 years of professional experience is a plus
  • Robust knowledge of technology, architectures and related tools
  • ICT risk skills: IT and cyber security standards and technologies; risk management components (risk identification, assessment, monitoring, mitigation)
  • GRC tools and other risk management information systems
  • Cyber security or IT risk certifications are strongly appreciated (e.g. CISSP, CISM, CRISC)
  • Good knowledge of at least one banking business line is a plus
  • Good stakeholder management skills
  • Good listening and analytical skills, being able to reach a thoughtful and business-focused conclusion quickly
  • Ability to manage workload so as to meet the realistic targets and priorities set in conjunction with management
  • Ability to express views clearly and fluently, both orally and in writing; considers the audience, avoiding technical jargon wherever necessary and appropriate

BNP Paribas is an equal opportunity employer and proud to provide equal employment opportunity to all job seekers. We are actively committed to ensuring that no individual is discriminated against on the grounds of age, disability, gender reassignment, marriage or civil partnership status, pregnancy and maternity, race, religion or belief, sex or sexual orientation. Equity and diversity are at the core of our recruitment policy because we believe that they foster creativity and efficiency which in turn increase performance and productivity. We strive to reflect the society we live in, while keeping with the image of our clients.

Please note that only applications submitted in English will be considered. In case you are selected for this role, further documentation will be requested to support your hiring process. 

Primary Location: PT-11-Lisbon
Job Type: Standard / Permanent
Job: RISKS
Education Level: Master Degree or equivalent (> 4 years)
Experience Level: Not Indicated
Schedule: Full-time
Behavioural competency: Decision Making
Transversal competency: Ability to understand, explain and support change