ICT Risk Assessments Senior Specialist
• Head of Emerging Technology & Governance Americas
MISSION AND OBJECTIVES
The Information and Communications Technology Risk department is part of the Group Risk Functions within BNP Paribas. It is a part of the 2nd line of defense under the Bank’s Chief Cyber & Technology Risk Officer. The department has responsibility for identification of key technology risks to the Bank and influencing business and technology partners to take sound risk management decisions. This is achieved by delivering:
• Application & Infrastructure Risk Assessments working with the Business and Technology teams to identify security issues in existing and new systems, and agree corresponding actions to mitigate or accept risks. Tracking issues and agreed actions to completion.
• Horizontal Risk Assessment: Assessing technology risks in relation to a particular large project, theme or technology across the organization. Examples could be assessments of the firewall change process, applications processing >$5m per day, applications hosted in the cloud, etc.
• Vertical Risk Assessments: Assessing risks to a product, service, technology or infrastructure. For instance, we may complete a vertical assessment on our remote working solution (including Infrastructure, applications, data, threats etc.) or our Internet connectivity.
• Strategy Risk Assessment: Assessing risks during Master bi-yearly strategic plans of Group entities.
• Partnership to the Business and Technology teams in helping them understand their technology risk profile and influencing their risk management decisions.
• Recurrent analysis of maturity of controls on all entities of the Group.
Involved in running and improving the development and implementation of the worldwide ICT risk assessment program, the candidate will have proven track record of developing and implementing risk assessment programs in global organizations, with robust knowledge of technology, risks, architectures and related tools. Prior ICT risk experience (IT, Cyber, Vendors, etc.) is required.
Individual will develop, use and communicate the risk assessment engagement models to ensure that ICT risk considerations are accounted for in all the bank’s operations.
This is a start-up role that will help create the function, drive program in a team of 10 people worldwide. There is a need to consolidate some of the other existing Operational, IT & Cyber risk functions from other groups into this one and roll out across enterprise, so an influencer and trust builder who can sell a value proposition is important. Negotiation and Conflict Management skills are an absolute must. Bank is undergoing a significant technical and operations reorganization/transformation including outsourcing functions, streamlining and refactoring applications. The candidate will participate to this effort from an independent risk assessment of these projects and will present findings to board and executive committees. Excellent presentation & executive presence skills is thus necessary. Experience interacting with regulatory agencies is required.
Risk Management Environment:
• Assessments: Participates to the identification and assessment of operational risks that must be effectively performed across the organization by correlating inputs from Audit Findings, Internal Loss Data Collection & Analysis, External Data Collection & Analysis, Risk Control Self Assessments, Business Process Mapping, KPIs & KRIs, Scenario Analysis, Quantified Measurement & Comparative Analysis.
• Monitoring & Reporting: Participates to the implementation of a process to regularly monitor operational risk profiles and material exposure to losses and provide appropriate reporting mechanisms to the board, senior management and the business lines. Data capture and operational risk reporting should be continuously enhanced and provide a feedback loop to enhance risk management policies, procedures and practices.
• Control & Mitigation: Improves the effectiveness of the Internal Controls program by reviewing the control environment, assess risks in processes, control activities, information and communication and monitoring activities. Assesses operational risk response strategies. Validates risk transfer options. Participates to the development of the risk culture in the company. Measures periodically the designs and effectiveness of controls.
• Provides updates on regulatory and financial disclosure while complying with external and regulatory communications standards and disclosing the operational risk management framework of the bank in a manner that complies with the formal disclosure policy approved by the board of directors.
• Participates to determining what operational risk disclosures are made and the internal controls over the disclosure process. Implements a process to assess the appropriateness of the disclosures, including the verification and the frequency.
Governance and Oversight:
• Participates in the establishment of the IT & Cyber Risk Assessment Program for the bank within the three lines of defense model in alignment with the Group Risk Management Framework.
• Participates to the effective implementation and communication of Operational risk management policies and guidelines.
• Provides support to other teams with respect to management of security and technology risks of core systems and applications.
• Participates in the overseeing of the Operational risk management infrastructure and ensures practices are consistent with regulatory expectations and industry sound practices.
• Provides IT & Cyber risk management consulting to the business, technical and operations groups.
• Participates to appropriate risk management governance committees and arranges agendas as appropriate.
• Participates to the oversight model of IT and Operations Transformation projects including the review of major outsourcing partners.
TRAINING AND OCCUPATIONAL EXPERIENCE
• 8 to 15 years Information Security experience specifically in risk assessment, third party and technology assessments.
• A professional qualification relevant to Information Security (such as a university degree, CISA, CISSP, CISM, CRISC, ITIL);
• Knowledge of regulations applicable to the financial sector (ie. Basel, ECB, AMF, FSA, FFIEC, SMA, HKMA, FED, CNI requirements, EBA…);
• Knowledge of control frameworks (COSO, Cobit…);
• Thorough understanding of the ISO27005/ISO31000 and overall the ISO 2700X series of standards and guidelines;
• A good understanding of large-scale technology infrastructure and information systems architecture;
• Excellent understanding of emerging technologies: CLOUD, IoTs, etc.
• Experience in the Financial Services industry is a must.
• Experience with GRC tools and other risk management information systems is preferred.
ESSENTIAL SPECIFIC REQUIREMENTS
• Bilingual : English and French, Spanish is an asset;
• Team-player: focus on the success of the whole team. Working well both with others, as well as individually;
• Good stakeholder management skills;
• Interest or experience in a Technology Risk, Information Security or an IT control role;
• Good listening and analytical skills; being able to come to a thoughtful and business focused conclusion quickly;
• Ability to co-operate and work well with others adopting an approachable style. Important as we work closely with a large and diverse set of suppliers and customers;
• Ability to see the customer perspective, i.e. from a business point of view, the most secure solution is not always workable or realistic considering costs and benefits;
• Taking accountability for his actions and be open and honest when things have gone wrong, and celebrating successes when things have gone well;
• Being rigorous and thorough, especially when logging and tracking issues through to conclusion;
• Ability to manage their workload as to meet the realistic targets and priorities set in conjunction with management;
• Experience of formal document creation, such as the creation of presentations, reports or procedures. Presenting documentation in a professional and well-structured format;
• Strong MS Office skills (core applications) including capability to perform data analysis with XL.
• Demonstrating a high-level of commitment and self-motivation, combined with enthusiasm and a genuine interest in the role of Risk Assessment in business;
• Ability to express views clearly and fluently, both orally and in writing. Considers the audience, avoiding technical jargon wherever necessary and appropriate.
SKILLS AND BEHAVIOURS
• Demonstrate proactivity and transparency;
• Consider the implications of your actions on colleagues, partners and clients before making decisions, and escalate issues to your manager when unsure.
A recruitment policy that promotes equity and diversity:
Equity and diversity are at the core of our recruitment policy because we believe that they foster creativity and efficiency which in turn increase performance and productivity. We strive to reflect the society we live in, while keeping with the image of our clients.
We pride ourselves in applying non-discrimination rules to all our recruitments.
We will only contact the candidates selected who meet the job requirements in terms of training and experience.
About BNP Paribas
BNP Paribas is a leading bank in Europe with an international reach. It has a presence in 73 countries, with more than 195,000 employees, including more than 148,000 in Europe. The Group has key positions in its three main activities: Domestic Markets and International Financial Services (whose retail-banking networks and financial services are covered by Retail Banking & Services) and Corporate & Institutional Banking, which serves two client franchises: corporate clients and institutional investors. The Group helps all its clients (individuals, community associations, entrepreneurs, SMEs, corporates and institutional clients) to realise their projects through solutions spanning financing, investment, savings and protection insurance. In Europe, the Group has four domestic markets (Belgium, France, Italy and Luxembourg) and BNP Paribas Personal Finance is the leader in consumer lending. BNP Paribas is rolling out its integrated retail-banking model in Mediterranean countries, in Turkey, in Eastern Europe and a large network in the western part of the United States. In its Corporate & Institutional Banking and International Financial Services activities, BNP Paribas also enjoys top positions in Europe, a strong presence in the Americas as well as a solid and fast-growing business in Asia-Pacific.
About BNP Paribas in Canada
In Canada, BNP Paribas is one of the dominant foreign banks in the country and is committed to building its platform even further. Since becoming the operational hub for the Group’s activities in North America in 2013, it has grown significantly to reach more than 700 employees and is expected to continue growing in the coming years. With the continued development of technology and financial fields, BNP Paribas Canada continues to attract experts with diverse backgrounds as well as young and ambitious talent from across the globe. With the international mobility and capacity that very few companies can offer, BNP Paribas prides itself in providing a superior foundation for building a professional career - a place for people to learn, to achieve and grow.