The bank for a changing world

We are looking for

IT Operational Permanent Control (OPC) Manager

REF: ITO000998

Position Purpose

The IT OPC Manager is responsible for ensuring, for the IT activities within the Australasian entities, the realization of operational permanent control, including the measurement and management of all operational and cybersecurity risks related to Information & Communication Technologies (ICT), in accordance with the Group / APAC IT Governance framework.  He/she is also responsible for the deployment and coverage of the IT Risk Management Group (ITRMG) framework within the local entities.


As per the BNP Paribas Internal Control Charter, operating IT entities and their managers are accountable for the risks they are exposed to in accordance with the services they run or deliver.  In this respect, and in full compliance with the Group’s norms and regulations applicable at Group and local entity levels, the IT OPC Manager should for the IT entities under his/her oversight:

  • Assist in identifying and assessing operational IT risks the entities are exposed to;

  • Ensure the risk monitoring and mitigation framework is within the defined risk appetite;

  • Ensure the implementation and continuous adaptation of the risk framework;

  • Ensure proper awareness of the risk framework for all IT teams;

  • Provide consistent risk monitoring & registration tools; and

  • Provide risk management information and reporting to eligible bodies.

Purpose of Department

GPI is a key department that supports the proper execution of CIB ITO strategy in Australia and the APAC region.  It supports the application of general policies and best business practices, in accordance with CIB guidelines and local statutory requirements across all departments.

GPI department is responsible for:

  • Managing the implementation and ongoing support of Operational Risk controls and periodic Permanent Controls reporting

  • Monitoring the management of operational incidents

  • Following up internal and external audit findings and recommendations

  • Identifying process improvement and implementing strategic changes across the organization, following formal Project Management methodologies

  • Managing Business Continuity Planning (BCP) at the Territory level

  • Organizing Territory Operational Risk and BCP Committees

  • Coordinating outsourcing requests and execution of Service Level Agreements between BNPP Australia Branch and other parties

  • Managing Territory IT Security topics and liaising with the regional teams where necessary

  • Assisting in the implementation of new systems or enhancements of existing systems

Responsibilities

As part of operational risk management, the IT OPC Manager is responsible for ensuring the deployment of policies and procedures and, in coordination with the different bank stakeholders (2nd-line of defence local/regional, 2nd-line of defence ICT regional, IT Risk Management, OPC, CIB Anti-Fraud etc.), the implementation and maintenance of an efficient IT risk framework within his/her entity in line with the Level 2 procedure ‘Organizational framework and governance for Operational Risk Management and Permanent Control framework’ (RISK0327EN).


IT Risk


  • Management and reporting (to eligible bodies) of ICT risks (with associated risk acceptance, risk profiles, etc. where needed) through both yearly RCSA realization and ad-hoc risk assessment on his/her perimeter in accordance with the EBA ICT risk taxonomy

    • Assisting the Function/Métier teams in identification and assessment of IT risks including regulatory questionnaires and industry standard (e.g. NIST, CIS) maturity assessment

    • Maintaining the list of IT operational risks at local level to facilitate monitoring and reporting of risk

    • Coordinating / identifying APAC IT risks with regular analysis and evaluation of the underlying risks (via the mapping and analysis of historical incidents having an IT cause, recommendations, control results, etc.) with local Business Units, COO and Chief Information Security Officer (CISO)

    • Managing and reporting IT risk findings resulting from production incidents, application and infrastructure IT security risk assessment with local/regional IT Business Units and local COO and CISO (e.g. Territory Internal Control Committee (ICC), local Technology Risk Management Committee, APAC IT OPC Steering Committee, etc.)

    • Identifying controls to mitigate the risks (new controls or update of controls)

  • Organization of local IT Risk Committee at least twice a year (according to the procedure RISK0339EN)

    • Providing support for various local IT Risk committees (IT Risk/OPC, Technology Risk Management Committee etc.) including logistic support, minutes issuance, actions follow-up etc.

    • Consolidating and preparing contributions for various local/regional Internal Control and Permanent Control committees

    • Producing local IT Risk Profile report covering IT recommendations, IT historical incidents and controls results

IT Incident

  • Proper collection and analysis of IT historical incidents, validation of local IT incidents input into the dedicated Group system (based on CIB standardised criteria), and contribution to the definition and follow-up of associated action plans in addition to regular reporting

  • Contribution to the quantification of local IT potential incidents (for AMA entities)

IT Control

  • Deployment and reporting (at minimum the major ones) of IT controls (OPC and operational, standard and/or specific) identified to mitigate risks

  • Bi-annual production of the ICT Permanent Control report based on provided templates and signed by local COO

  • Identifying specific controls for the entities to meet local Regulatory requirements, and analysis of controls results

    • Verifying all the Level-1 control results (self-declarative) are signed off by respective IT units

    • Reporting local control results to measure residual risk level on IT processes

    • Verifying action plans related to controls results are identified and followed up by relevant IT units and reporting to the relevant local/regional stakeholders (COO, Head of RISK, CISO etc.)

  • Continuously improving the control framework to provide assurance that the internal controls meet best practice and regulatory requirements as appropriate

    • Acting as Procedures Correspondent (cf. Level 2 procedure RISK0329EN)

    • Ensuring the deployment of regional procedures/processes, where applicable, locally

    • Assisting the local IT units to identify the procedure needs and ensuring that local IT procedures / processes are formalized, compliant with Group/Regional requirements, stored and updated on a regular basis

IT Recommendation

  • Follow-up and reporting (figures, alerts, etc.) of local IT recommendations within his/her scope (IG / Regulatory / external / Permanent Control actions / independent consultant)

    • Evaluating the confidence level for closure with the relevant IT units

    • Identifying potential issues and overdue recommendations and alerting management in a timely manner

Continuous improvement

  • Identify controls (Level 1 and 2) for local entities based on IT teams and Regulatory requirements and analysis of controls results

  • Formalize / design new local IT controls and organize validation sessions with relevant IT units

  • Ensure consistency with the regional controls and remove duplications

  • Design, implement and continuously strengthen local risk and control reports/dashboard

  • Continuously strengthen the technology risk management framework to provide assurance that the internal controls and risk management meet best practices and regulatory requirements as appropriate

Technical Attributes

  • A solid background in operational risk management and control framework

  • Knowledge of IT practices: project management, security, continuity and production

  • Excellent analytical skills and reporting capabilities (KPIs, dashboards, metrics, assessment…)

  • A practical understanding of a large bank’s organization and systems

  • Familiar with process analysis and improvement, drafting of workflows and procedures

  • Prior experience in managing a team is preferred

Personal Attributes

  • Excellent communication and stakeholder management skills

  • Client focused, with confidence dealing with Business Lines and Functions on a daily basis

  • Methodical, organized and analytical, with an outcome focus and strong problem-solving skills

  • Attention to detail

  • Good interpersonal skills and team player

  • Reliable and self-motivated, taking ownership of and being accountable for assigned tasks for self and team

  • Pragmatic, ‘can do’ attitude and proactive approach, with a strong ability to work on own initiative and drive team delivery

  • Strong aptitude and interest in the financial sector

Experience and Qualifications

Candidates must possess a tertiary qualification, preferably majoring in a quantitative discipline, with 5+ years of experience in an IT Risk, Control and Audit environment.  Prior experience in IT Security Risk management and certification in CISA / CISSP would be advantageous.

Primary Location: AU-NSW-Sydney
Job Type: Standard / Permanent
Job: INFORMATION TECHNOLOGY
Education Level: Other Degrees / Certifications / Vocational, Technical or Professional Qualifications
Experience Level: Not Indicated
Behavioural competency: Ability to collaborate / Teamwork, Decision Making, Attention to detail / rigor, Ability to share / pass on knowledge, Communication skills - oral & written, Client focused, Organizational skills
Transversal competency: Ability to understand, explain and support change, Ability to develop and adapt a process, Analytical Ability