In Asia Pacific, BNP Paribas is one of the best-positioned international financial institutions with an uninterrupted presence since 1860. Currently with over 18,000 employees* and a presence in 13 markets, BNP Paribas provides corporates, institutional and private investors with product and service solutions tailored to their specific needs. It offers a wide range of financial services covering corporate & institutional banking, wealth management, asset management, insurance, as well as retail banking and consumer financing through strategic partnerships. . 
 
Worldwide, BNP Paribas has a presence in 68 markets with more than 193,000 employees. It has key positions in its three main activities: Domestic Markets and International Financial Services (whose retail-banking networks and financial services are covered by Retail Banking & Services) and Corporate & Institutional Banking, which serves two client franchises: corporate clients and institutional investors. Asia Pacific is a key strategic region for BNP Paribas and it continues to develop its franchise in the region.  

* excluding partnerships

At BNP Paribas, we passionately embrace diversity and are committed to fostering an inclusive workplace where all employees are valued, respected and can bring their authentic selves to work. We prohibit Discrimination and Harassment of any kind and our policies promote equal employment opportunity for all employees and applicants, irrespective of, but not limited to their gender, gender identity, sex, sexual orientation, ethnicity, race, colour, national origin, age, religion, social status, mental or physical disabilities, veteran status etc. As a global Bank, we truly believe that inclusion and diversity of our teams is key to our success in serving our clients and the communities we operate in.

https://careers.apac.bnpparibas/ 

Department Overview
The Global Operational Resilience program within RISK ORM is a critical component in ensuring the Group’s ability to prevent disruptions to its Vital services from occurring, continue to meet its objectives if a disruption or incident does occur and return to normalcy, when disruption or crisis is over. This applies to Cyber, Technology, Supply chains, physical infrastructure and People.

This is part of the Second Line Of Defence (2LOD) teams under the Bank’s Chief Operational Risk Officer.  

Operational resilience risk management includes planning, integrating, testing and governing activities to ensure that the group can:

•    Identify and manage business and system risks that could lead to disruptions before they occur.
•    Prepare for and provide risk oversight of disruptive events (realized risks) in a manner that demonstrates command and control of incident response, coordination and service continuity. Scenarios could include but not limited to Cyber Security Incidents, Technology/Systems Outage, Third Party Suppliers, People or Process Failures.
•    Ensure check & challenge and risk advisory on resilience of mission-critical services and operations following an incident within the agreed risk appetite levels.

The above is achieved through main teams such as Cyber Resilience (Detection, Cyber Fraud), IT Resilience, Business Continuity and Crisis Management, Third Party tech Risk. 

BNP Paribas is looking for Operational Resilience and Third Party Technology Risk Regional Head within the APA RISK ORM Team, based in Singapore or Hong Kong.

Position Purpose


The role holder will be part of the RISK ORM team, with Group wide as well as APAC region Risk oversight responsibilities for the defined areas. Responsibilities will include second line of defense oversight for Operational Resilience Domains such as Business Continuity/DR, IT Resilience, Cyber Resilience (including Cyber Fraud), Third Party Resilience and Crisis Management.

The role holder will work with the support of and in close co-operation with colleagues in RISK ORM ICT APAC, RISK ORM APAC, Group RISK ORM Operational Resilience as well as 1st line of defense ICT, business and offshoring teams and stakeholders.

The candidate shall be an all-round specialist in Operational Risk with focus on Operational Resilience, Information and Communication Technologies, which include IT Processes, Governance and Cyber Security related subjects. The candidate shall play a leading role in the successful completion of assigned assessments from start to finish and shall be competent to strengthen team spirit, improve team skills on different Operational Resilience subjects and ensure the quality, relevance and traceability of all identified gap.

As a subject matter expert on Operational Resilience, including Cyber and IT Resilience, Cyber Fraud etc., the successful candidate shall stimulate and bring knowledge and innovation to the RISK ORM APAC and Global RISK ORM Operational al Resilience teams, helping to elevate the knowledge base and skills of the team.

Responsibilities

Direct Responsibilities

Governance & Oversight
•    Provide risk oversight of Operational Resilience, Third Party Tech Risk, Cyber Fraud related areas, consulting to the business, technical and operations groups
•    Provide direction, support and oversight with respect to management of security and technology risks of core systems and applications, and its resiliency
•    Drive effective implementation and communication of Operational Risk Management policies and guidelines

Risk management environment
•    Identification & Assessment: Ensure that the identification and assessment of operational risks are effectively done across the organisation by correlating input from Audit Findings, Internal Loss Data Collection & Analysis, External Data Collection & Analysis, Risk Control Self Assessments, Business Process Mapping, KPIs & KRIs, Scenario Analysis, Quantified Measurement & Comparative Analysis

•    Monitoring & Reporting: Implement a process to regularly monitor operational risk profiles and material exposure to losses and provide appropriate reporting mechanisms to the board, senior management and the business lines. Data capture and operational risk reporting should be continuously enhanced and provide a feedback loop to enhance risk management policies, procedures and practices.

•    Control & Mitigation: Improve the effectiveness of the Internal Controls programme by reviewing the control environment, risk assessment process, control activities, information and communication and monitoring activities. Assess operational risk response strategies. Validate risk transfer options.

    Risk Disclosure: Provide updates on regulatory and financial disclosure while complying with external and regulatory communications standards and disclosing the operational risk management framework of the bank in a manner that complies with the formal disclosure policy approved by the board of directors. Defines approach for determining what operational risk disclosures are made and the internal controls over the disclosure process. Implement a process to assess the appropriateness of the disclosure, including the verification and frequency.

Operational Resilience Global role
•    Support Global Head of RISK Operational Resilience in and contribute to the Group transformation program to identify Vital Services for the Group, Conduct resilience risk pilot initiatives, working closely with the 1 LoD stakeholders.
•    Lead and Perform relevant 2nd Line Of defence thematic or issue based deep dives at Group level.
•    Manage assurance/oversight of Operational Resilience directly owned controls and in-directly owned Resilience controls and ensure these controls are tested for operational effectiveness
•    Provide active advisory, partnership, challenge or approval to applicable risk owners to ensure appropriate prioritization and resolution
•    Support the business in identifying (through control testing) Resilience gaps in process, controls and also in remediating these 
•    Contribute to the design, development and specification of new/redesigned processes, systems, information, risk controls, testing regimes, documentation and supporting materials

•    Crisis Management: Ensure 2nd line of defence risk oversight of Crisis Management program 
•    Contribute to the development of the crisis management framework; including: policies, standards, aide memoires, SOPs, playbooks, escalation protocols, etc.
•    Deliver independent crisis exercises and test incident and crisis response capability.
•    Develop and implement process for validating effectiveness of the crisis management program.
•    Lead or Participate in After Action Reviews.
•    Build and establish networks and relations with other key internal stakeholders 

•    Third Party Technology Risk: Provide 2nd line of defence risk oversight of Third Party Cyber & Tech Risk program 
•    Conduct independent technology and cyber risk assessment of Outsourcing risks
•    2nd LoD Thematic review of critical suppliers from a Cyber & Tech Risk perspective
•    Assist Global Head in developing Group wide 2nd LoD framework and policies regarding Third Party Tech Risk programs

Contributing Responsibilities

Governance & Oversight
•    Contribute to the establishment of an Operational Resilience governance for the bank within the three lines of defence model in alignment with the Group Risk Management Framework
•    Assist with establishing appropriate risk management governance committees, arrange agendas and chair meetings as appropriate
•    Assist with establishing and oversight of the Operational Risk Management infrastructure and ensure practices are consistent with regulatory expectations and industry sound practices

Risk management environment
•    Operational Resilience: Oversee and drive the operational resiliency program to ensure the ability of the bank to operate on an ongoing basis and limit the losses in the event of severe business disruption. Coordinate with the first and third lines of defence to test these plans to ensure coverage and adequacy.


Technical & Behavioral Competencies


The successful candidate will have a proven track record in managing risk and technology in large/global organizations with robust knowledge of technology, risks and controls, IT and security architecture, operational resilience, and third party technology risk management. Prior ICT risk experience (IT, DR/BCM, Cyber security, Third Party, etc.) and exposure to Financial Services industry is a requirement. Experience with risk management tools and information systems is beneficial. 

Generic Requested Skills
•    Excellent stakeholder management skills
•    Demonstrates a high level of commitment and self-motivation
•    Able to manage workload and set realistic and achievable targets
•    Eye for detail and ability to process high quantity of documents and correlate them
•    Highly organized and able to multi-task
•    Able to express views clearly and fluently both orally and in writing, considering the audience and avoiding technical jargon when necessary and appropriate
•    Able to work under pressure in international environment
•    Must be able to interface and coordinate work efficiently and effectively with senior business and technology partners
•    Excellent communication and influencing skills, including ability to articulate complex issues and incorporate feedback   
•    Good team player, Strong stakeholder management, relationship building, influencing, facilitating and presenting skills
•    Has the proven ability to think outside of the box, challenge industry norms and adapt quickly to evolving requirements
•    Is self-aware, anticipates problems, adapts and meets them head on.
•    Is solutions focused – measures their output on whether issues, problems or challenges are resolved as a criteria for success
•    Works iteratively, delivering quickly and frequently to produce high quality documents and outputs which require little to no rework

Technical Skills
•    Experience in business process re-engineering, experience with functional and enterprise technical architecture, good understanding of large-scale technology infrastructure
•    Understanding of emerging technologies e.g. IoT, Cloud, etc.
•    Understanding of ISO 2700X series of standards and guidelines
•    Significant experience in the field of Technology Risk Management, Operational Resilience, Cyber, Information Security and Crisis Management.
•    Strong Risk mindset with understanding of applicable Technology Risk and Resilience regulatory requirements
•    Proficiency in IT Service Management, Service Continuity domains
•    Experience within a regulated environment such as financial services industry

Conduct
•    Act as role model, supporting and fostering an inclusive culture and one of good conduct
•    Demonstrate proactivity, transparency and accountability for identifying and managing conduct risks
•    Consider the implications of actions on colleagues, partners and clients before making decisions and escalate issues to manager when unsure

Specific Qualifications (if required)
•    Graduate or Post-graduate qualification in ICT domains, risk management or control function
•    Prior experience or practical understanding in IT, IT Security or other ICT domains required
•    Project management skills

In addition, and to ensure compliance with HKMA ECF recommendations, the successful candidate will have one or more of the following professional qualifications

  First Line of Defence Second Line of Defence Third Line of Defence RECOGNISED CERTIFICATES IT Security Operations and Delivery IT Risk Management and Control IT Audit CSX Fundamentals Certificate Yes Yes Yes CSX Practitioner Certificate (CSX-P) Yes Yes Yes GIAC Information Security Professional (GIAC GISP) Yes Yes   GIAC Security Essentials (GSEC) Yes Yes Yes ISC2 Systems Security Certified Practitioner (SSCP) Yes       Professional Level CSX Specialist Certificate (CSX-S) Yes Yes Yes CSX Expert Certificate (CSX-E) Yes Yes Yes ISACA Certified Information System Auditor (CISA) Yes Yes Yes ISACA Certified Information System Manager (CISM) Yes Yes Yes ISACA Certified in Risk and Information Systems Control (CRISC)   Yes   ISACA Certified in the Governance of Expertise IT (CGEIT)   Yes   ISC2 Certified Information Systems Security Professional (CISSP) Yes Yes Yes ISC2 Certified Cloud Security Professional (CCSP) Yes Yes  

https://www.hkma.gov.hk/media/eng/doc/key-information/guidelines-and-circular/2016/20161219e1.pdf


 

Primary Location
HK-Hong Kong (HK)-Hong Kong
Job Type
Standard / Permanent
Job
RISK
Education Level
Bachelor Degree or equivalent (>= 3 years)
Experience Level
At least 10 years
Reference
RIS001916


Discover the different professions within BNP Paribas: Audit, Compliance, Risk and Legal

If it is your ambition to work in a profession that entrusts you with a high degree of responsibility and gives you the chance to contribute to strategic decision-making at BNP Paribas, the following roles might be ideal for you to consider.

Find out more

Why should I apply?

Basically, why would you want to join BNP Paribas over any other company?

BECAUSE YOU'RE THE KIND OF PERSON WHO WANTS...

  • What if we told you that working in our Group may not be quite what you think? BNP Paribas business lines and careers are constantly evolving to meet the expectations of our clients and society as a whole.

  • Feeling good about your job means bringing your whole self to work and being who you are. It’s also about having the resources you need to achieve a healthy work-life balance. Both of these are major commitments at BNP Paribas.

  • At BNP Paribas, developing your skills is as important to us as it is to you. And the skills you learn with us will help you through the rest of your working life.

Find out more