The bank for a changing world

We are looking for

Head of RISK ORC ICT APAC

Apply REF: CIBRISK10632

Responsible for the development and implementation of a region-wide ICT risk assessment program. The successful candidate will have a proven track record of developing and implementing risk management programs in global organizations, with robust knowledge of technology, risks, architectures and related tools. Prior ICT risk experience (IT, Cyber, Vendor, etc.) and exposure to the Financial Services industry is a must. Experience with GRC tools and other risk management information systems is preferred.

The individual will develop and communicate the risk assessment engagement models to ensure that ICT risk considerations are accounted for in all the bank's operations.

This is a start-up role that will help create the function, drive the program and, in time, lead a team of 5-7. There is a need to consolidate some of the other existing Operational, IT & Cyber risk functions from other groups into this one and roll it out across the enterprise, so an influencer and trust builder who can sell a value proposition is important. Negotiation and Conflict Management skills are an absolute must. The bank is undergoing a significant tech and ops reorg/transformation, including outsourcing functions and streamlining and refactoring applications. The role will lead the effort to form an independent risk assessment of these projects and will present findings to board and executive committees. Excellent presentation and executive presence skills are necessary. Experience interacting with regulatory agencies is required.

Governance and Oversight:

  • Establish an IT & Cyber Risk Management Program for the bank within the three lines of defense model, in alignment with the Group Risk Management Framework.
  • Drive effective implementation and communication of Operational risk management policies and guidelines.
  • Create and execute an appropriate staffing model for the program and hire resources, including the use of matrix resources from other business-unit-facing risk managers as appropriate.
  • Provide direction, support and oversight with respect to management of security and technology risks of core systems and applications.
  • Establish and oversee the Operational risk management infrastructure and ensure practices are consistent with regulatory expectations and industry sound practices.
  • Provide IT & Cyber risk management consulting to the business, technical and operations groups.
  • Establish appropriate risk management governance committees, arrange agendas and chair meetings as appropriate.
  • Establish GRM's oversight model for the IT and Operations Transformation projects, including the review of major outsourcing partners.

Risk Management Environment:

  • Identification & assessment: Ensure that the identification and assessment of operational risks are effectively done across the organization by correlating input from Audit Findings, Internal Loss Data Collection & Analysis, External Data Collection & Analysis, Risk Control Self Assessments, Business Process Mapping, KPIs & KRIs, Scenario Analysis, and Quantified Measurement & Comparative Analysis.
  • Monitoring & Reporting: Implement a process to regularly monitor operational risk profiles and material exposure to losses, and provide appropriate reporting mechanisms to the board, senior management and the business lines. Data capture and operational risk reporting should be continuously enhanced and provide a feedback loop to improve risk management policies, procedures and practices.
  • Control & Mitigation: Improve the effectiveness of the Internal Controls programme by reviewing the control environment, risk assessment process, control activities, information and communication, and monitoring activities. Assess operational risk response strategies. Validate risk transfer options.

Business Resiliency and Continuity:

  • Oversee and drive the business resiliency and continuity plans to ensure the ability of the bank to operate on an ongoing basis and to limit losses in the event of severe business disruption. Coordinate frequent tests of these plans with the first and third lines to ensure coverage and adequacy.

Risk Disclosure:

  • Provide updates on regulatory and financial disclosure while complying with external and regulatory communications standards, and disclose the operational risk management framework of the bank in a manner that complies with the formal disclosure policy approved by the board of directors.
  • Define the approach for determining what operational risk disclosures are made and the internal controls over the disclosure process. Implement a process to assess the appropriateness of the disclosure, including its verification and frequency.

Skills & Experience Required:

  • 10+ years of Information Security experience, specifically in risk assessment, third-party and technology assessments.
  • Team player, focused on the success of the whole team; works well both with others and individually;
  • Good stakeholder management skills;
  • Interest or experience in a Technology Risk, Information Security or IT Audit role;
  • Good listening and analytical skills, with the ability to come to a thoughtful and business-focused conclusion quickly;
  • Ability to co-operate and work well with others, adopting an approachable style; important as we work closely with a large and diverse set of suppliers and customers;
  • Ability to see the customer perspective, i.e. from a business point of view, the most secure solution is not always workable or realistic considering costs and benefits;
  • A calm, professional approach, with a good understanding of delivery within time constraints and the need to escalate to/inform departmental management as appropriate;
  • Adapts personal approach to suit situations, individuals, groups and cultures; flexible in relation to getting the job done;
  • Takes accountability for their actions, is open and honest when things have gone wrong, and celebrates successes when things have gone well;
  • Rigorous and thorough, especially when logging and tracking issues through to conclusion; able to manage their workload so as to meet the realistic targets and priorities set in conjunction with management;
  • A high level of commitment and self-motivation, combined with enthusiasm and a genuine interest in the role of Risk Assessment in business;
  • Ability to express views clearly and fluently, both orally and in writing; considers the audience, avoiding technical jargon wherever necessary and appropriate.

Competencies (Technical / Behavioral):

  • A professional qualification relevant to Information Security (such as a university degree, CISSP, CISM or CRISC);
  • A good understanding of large-scale technology infrastructure;
  • Excellent understanding of emerging technologies: SDN, cloud, IoT, etc.;
  • Thorough understanding of the ISO 2700X series of standards and guidelines;
  • Experience of formal document creation, such as the creation of presentations, reports or procedures, presenting documentation in a professional and well-structured format; and
  • Strong MS Office skills (core applications).

The following will be of advantage:

  • Knowledge or practical experience of one or more of the following products:
    - Archer Technologies SmartSuite Framework
    - Tufin Operations Management
  • Other professional qualifications/memberships relevant to Information Security (Institute of Information Security Professionals, CISA or QICA).

Primary Location: SG-06-Singapore
Job Type: Standard / Permanent
Job: RISKS
Education Level: Bachelor Degree or equivalent (>= 3 years)
Experience Level: At least 10 years
Behavioural competency: Ability to share / pass on knowledge
Transversal competency: Ability to develop and adapt a process