Reference: RIS001199

About BNP Paribas Group:

BNP Paribas Group is a leading European bank with a strong global footprint across 72 markets and more than 202,000 employees. The Group provides corporates, institutional and private investors with product and service solutions tailored to their specific needs. It offers a wide range of financial services covering corporate & institutional banking, wealth management, asset management, insurance, as well as retail banking and consumer financing through strategic partnerships.

About BNP Paribas India Solutions:

Established in 2005, BNP Paribas India Solutions is a wholly owned subsidiary of BNP Paribas Group, a leading bank in Europe with an international reach. With delivery centers located in Mumbai and Chennai, we are a 24x7 global delivery center. We partner with various business lines of BNP Paribas such as Corporate and Institutional Banking, Wealth Management and Retail Banking through three verticals - Information Technology, Operations and Finance Shared Services.

About Business Line / Function:

The Information and Communications Technology Risk department is part of the Group Risk Functions within BNP Paribas. It is a part of the 2nd line of defense under the Bank’s Chief Cyber & Technology Risk Officer. The department has responsibility for identification of key technology risks to the Bank and influencing business and technology partners to take sound risk management decisions. This is achieved by delivering:

- Application & Infrastructure Risk Assessments – working with the Business and Technology teams to identify security issues in existing and new systems, and agreeing corresponding actions to mitigate or accept risks; tracking issues and agreed actions to completion.
- Horizontal Risk Assessments – assessing technology risks in relation to a particular theme or technology across the organisation. Examples could be assessments of the firewall change process, applications processing >$5m per day, applications hosted in the cloud, etc.
- Vertical Risk Assessments – assessing risks to a product, service, technology or infrastructure. For instance, we may complete a vertical assessment on our remote working solution (including infrastructure, applications, data, threats, etc.) or our Internet connectivity.
- Partnership with the Business and Technology teams – helping them understand their technology risk profile and influencing their risk management decisions.

Job Title:

Business Line / Function:

Reports to:

(if applicable) N/A – Transversal Role

Number of Direct Reports:

Directorship / Registration:

Position Purpose

Responsible for the development and implementation of an enterprise-wide ICT risk governance program. The successful candidate will have a proven track record of developing and implementing risk management programs in global organizations, with robust knowledge of technology, risks, architectures and related tools. Prior ICT risk experience (IT, cyber, cloud, IAM, etc.) and exposure to the Financial Services industry is a must. Experience with GRC tools and NIST standards is preferred.
The individual will develop and communicate ICT Risk Policies to ensure that ICT risk considerations are accounted for in all the bank’s initiatives. Negotiation and conflict management skills are an absolute must. The bank is undergoing a significant technology and operations reorganisation/transformation, including outsourcing functions and streamlining and refactoring applications. The individual will support this effort by independently assessing the risks of these projects and will present findings to board and executive committees. Excellent presentation and executive presence skills are necessary. Experience interacting with regulatory agencies is required.


Direct Responsibilities


Governance and Oversight:
• Support in establishing the IT & Cyber Risk Management Program for the bank within the three lines of defense model, in alignment with the Group Risk Management Framework.
• Support effective implementation and communication of operational risk management policies and guidelines.
• Support and oversee management of security and technology risks of core systems and applications.
• Oversee the operational risk management infrastructure and ensure practices are consistent with regulatory expectations and industry sound practices.
• Provide IT & Cyber risk management consulting to the business, technical and operations groups.
• Support establishing appropriate risk management governance committees; arrange agendas and chair meetings as appropriate.
• Help establish GRM’s oversight model for the IT and Operations Transformation projects, including the review of major outsourcing partners.

Risk Management Environment:

• Identification & Assessment: Ensure that the identification and assessment of operational risks are effectively done across the organization by correlating input from Audit Findings, Internal Loss Data Collection & Analysis, External Data Collection & Analysis, Risk Control Self Assessments, Business Process Mapping, KPIs & KRIs, Scenario Analysis, and Quantified Measurement & Comparative Analysis.

• Monitoring & Reporting: Implement a process to regularly monitor operational risk profiles and material exposure to losses, and provide appropriate reporting mechanisms to the board, senior management and the business lines. Data capture and operational risk reporting should be continuously enhanced and provide a feedback loop to improve risk management policies, procedures and practices.

• Control & Mitigation: Improve the effectiveness of the Internal Controls programme by reviewing the control environment, risk assessment process, control activities, information and communication, and monitoring activities. Assess operational risk response strategies. Validate risk transfer options.


Contributing Responsibilities

Enhance the India CoE by taking initiatives with the local team

Technical & Behavioral Competencies

• Exposure to conducting technical risk assessments / ICT governance to identify ICT risks and designing mitigation controls in at least 3 of the following areas:
  - Application Security
  - IT Technologies (End User Computing, Infrastructure Computing, Middleware, Storage Solutions)
  - Cloud & Virtualization Technologies (IaaS, PaaS, SaaS)
  - Communication Technologies (Networking including SDNs, Segmentation, Wireless & Mobile)
  - Application Development/SDLC (Agile & Waterfall)
  - Data Management (including Data Mining)
  - Networks and Network Security
  - Identity & Access Management Security
  - Threat & Vulnerability Management
  - Encryption Technologies & Key Management


- 10+ years of relevant experience
- Hands-on experience dealing with global stakeholders
- Good know-how in reviewing Technology Risk Policies and Procedures
- Excellent presentation skills
- Ability to articulate risk management concepts to all levels of the organization
- Good listening and analytical skills – being able to come to a thoughtful and business-focused conclusion quickly;
- Ability to co-operate and work well with others, adopting an approachable style – important as we work closely with a large and diverse set of suppliers and customers;
- Ability to see the customer perspective, i.e. from a business point of view, the most secure solution is not always workable or realistic considering costs and benefits;
- Demonstrating a calm, professional approach, with a good understanding of delivery within time constraints and the need to escalate/inform departmental management as appropriate;
- Adapting personal approach to suit situations, individuals, groups and cultures; flexible in relation to getting the job done;
- Team player – focus on the success of the whole team, working well both with others and individually;
- Taking accountability for their actions, being open and honest when things have gone wrong, and celebrating successes when things have gone well;
- Being rigorous and thorough – especially when logging and tracking issues through to conclusion;
- Demonstrating a high level of commitment and self-motivation, combined with enthusiasm and a genuine interest in the role of Risk Assessment in business;
- Ability to express views clearly and fluently, both orally and in writing.

Specific Qualifications (if required)

Industry certification in information/cyber security such as CISSP, CEH, AWS or Azure, etc.

Skills Referential

Behavioural Skills:

Personal Impact / Ability to influence

Communication skills - oral & written

Ability to deliver / Results driven

Client focused

Transversal Skills:

Ability to understand, explain and support change

Ability to set up relevant performance indicators

Ability to develop and adapt a process

Ability to manage a project

Analytical Ability

Education Level:

Bachelor Degree or equivalent

Experience Level

At least 10 years

Other/Specific Qualifications (if required)

Shift Requirements: Overlap with the Americas region will be required; flexibility to work in alignment with PST/CST time zones is a must.

Primary Location: IN-MH-Mumbai
Job Type: Standard / Permanent
Job: RISKS
Education Level: Bachelor Degree or equivalent (>= 3 years)
Experience Level: At least 7 years
Schedule: Full-time
Behavioural competency: Ability to collaborate / Teamwork, Proactivity, Personal Impact / Ability to influence, Attention to detail / rigor, Organizational skills, Adaptability, Ability to deliver / Results driven, Active listening, Communication skills - oral & written, Client focused, Critical thinking, Ability to synthetize / simplify, Creativity & Innovation / Problem solving, Resilience, Decision Making
Transversal competency: Ability to understand, explain and support change, Ability to manage a project, Ability to conduct a negotiation, Ability to inspire others & generate people's commitment, Ability to develop others & improve their skills, Ability to develop and adapt a process
Reference: RIS001199