RISK - Head of RISK ORC ICT APAC
BNP Paribas Overview
BNP Paribas has a presence in 75 countries with more than 185,000 employees, including 145,000 in Europe. It ranks highly in its two core activities: Retail Banking & Services and Corporate & Institutional Banking.
At BNP Paribas, we work continuously on behalf of our clients, helping them to realize their projects around the world. You can be an important part of this, helping us to serve our clients both in mature and emerging markets, providing them with financial solutions across a diverse range of expertise, products and services. Our origins lie in Europe, but nearly a quarter of our employees now work in our multi-award-winning Asia Pacific offices and we are a committed player in all markets.
Strong risk management, combined with the stability that comes from being part of one of the largest banking groups in the world, underpins our success. Joining us, you’ll become an integral part of a dynamic team that spans nationalities, cultures and backgrounds, drawing together people from around the globe and reflecting our commitment to international placements.
The Information and Communications Technology Risk department is part of the Group Risk Functions within BNP Paribas. It is a part of the 2nd line of defence under the Bank’s Chief Cyber & Technology Risk Officer. The department has responsibility for identification of key technology risks to the Bank and influencing business and technology partners to take sound risk management decisions. This is achieved by delivering:
- Application & Infrastructure Risk Assessments – working with the Business and Technology teams to identify security issues in existing and new systems, and agree corresponding actions to mitigate or accept risks. Tracking issues and agreed actions to completion.
- Horizontal Risk Assessments – assessing technology risks in relation to a particular theme or technology across the organisation. Examples could be assessments of the firewall change process, applications processing >$5m per day, applications hosted in the cloud, etc.
- Vertical Risk Assessments – assessing risks to a product, service, technology or infrastructure. For instance we may complete a vertical assessment on our remote working solution (including infrastructure, applications, data, threats etc.) or our Internet connectivity.
- Partnership with the Business and Technology teams in helping them understand their technology risk profile and influencing their risk management decisions.
for the development and implementation of a regional-wide ICT risk assessment program.
The successful candidate will have a proven track record of developing and implementing risk management programs in global organizations, with robust knowledge of technology, risks, architectures and related tools. Prior ICT risk experience (IT, Cyber, Vendor, etc.) and exposure to the Financial Services industry are a must. Experience with GRC tools and other risk management information systems is preferred.
Individual will develop and communicate the risk assessment engagement models to ensure that ICT risk considerations are accounted for in all the bank’s operations.
This is a start-up role that will help create the function, drive the program and, in time, lead a team of 5-7. There is a need to consolidate some of the other existing Operational, IT & Cyber risk functions from other groups into this one and roll it out across the enterprise, so an influencer and trust builder who can sell a value proposition is important. Negotiation and Conflict Management skills are an absolute must. The Bank is undergoing a significant tech and ops reorganisation/transformation, including outsourcing functions and streamlining and refactoring applications. The role holder will lead the effort to form an independent risk assessment of these projects and will present findings to board and executive committees. Excellent presentation and executive presence skills are necessary. Experience interacting with regulatory agencies is required.
Governance and Oversight:
• Establish IT & Cyber Risk Management Program for the bank within the three lines of defense model in alignment with the Group Risk Management Framework.
• Drive effective implementation and communication of Operational risk management policies and guidelines.
• Create and execute an appropriate staffing model for the program and hire resources, including the use of matrix resources from other business-unit-facing risk managers as appropriate.
• Provide direction, support and oversight with respect to management of security and technology risks of core systems and applications.
• Establish and oversee the Operational risk management infrastructure and ensure practices are consistent with regulatory expectations and industry sound practices.
• Provide IT & Cyber risk management consulting to the business, technical and operations groups.
• Establish appropriate risk management governance committees, arrange agendas and chair meetings as appropriate.
• Establish GRM’s oversight model for the IT and Operations Transformation projects including the review of major outsourcing partners.
Risk Management Environment:
• Identification & assessment: Ensure that the identification and assessment of operational risks are effectively done across the organization by correlating input from Audit Findings, Internal Loss Data Collection & Analysis, External Data Collection & Analysis, Risk Control Self Assessments, Business Process Mapping, KPIs & KRIs, Scenario Analysis, Quantified Measurement & Comparative Analysis.
• Monitoring & Reporting: Implement a process to regularly monitor operational risk profiles and material exposure to losses, and provide appropriate reporting mechanisms to the board, senior management and the business lines. Data capture and operational risk reporting should be continuously enhanced and provide a feedback loop to enhance risk management policies, procedures and practices.
• Control & Mitigation: Improve the effectiveness of the Internal Controls programme by reviewing the control environment, risk assessment process, control activities, information and communication, and monitoring activities. Assess operational risk response strategies. Validate risk transfer options.
Business Resiliency and Continuity:
• Oversee and drive the business resiliency and continuity plans to ensure the ability of the bank to operate on an ongoing basis and limit losses in the event of severe business disruption. Coordinate frequent tests of these plans with the first and third lines to ensure coverage and adequacy.
• Provide updates on regulatory and financial disclosure while complying with external and regulatory communications standards and disclosing the operational risk management framework of the bank in a manner that complies with the formal disclosure policy approved by the board of directors.
• Define the approach for determining what operational risk disclosures are made and the internal controls over the disclosure process. Implement a process to assess the appropriateness of the disclosure, including its verification and frequency.
Skills & Experience Required:
- 10+ years of Information Security experience, specifically in risk assessment, third-party and technology assessments;
- Team-player – focus on the success of the whole team, working well both with others and individually;
- Good stakeholder management skills;
- Interest or experience in a Technology Risk, Information Security or an IT Audit role;
- Good listening and analytical skills – being able to come to a thoughtful and business focused conclusion quickly;
- Ability to co-operate and work well with others adopting an approachable style – Important as we work closely with a large and diverse set of suppliers and customers;
- Ability to see the customer perspective, i.e. from a business point of view, the most secure solution is not always workable or realistic considering costs and benefits;
- Demonstrating a calm professional approach, with a good understanding of delivery within time constraints and the need to escalate/inform departmental management as appropriate;
- Adapting personal approach to suit situations, individuals, groups and cultures. Is flexible in relation to getting the job done;
- Taking accountability for their actions and be open and honest when things have gone wrong, and celebrating successes when things have gone well;
- Being rigorous and thorough – especially when logging and tracking issues through to conclusion;
- Ability to manage their workload as to meet the realistic targets and priorities set in conjunction with management;
- Demonstrating a high-level of commitment and self-motivation, combined with enthusiasm and a genuine interest in the role of Risk Assessment in business;
- Ability to express views clearly and fluently, both orally and in writing. Considers the audience, avoiding technical jargon wherever necessary and appropriate.
- A professional qualification relevant to Information Security (such as a university degree, CISSP, CISM or CRISC);
- A good understanding of large-scale technology infrastructure;
- Excellent understanding of emerging technologies: SDN, cloud, IoT, etc.;
- Thorough understanding of the ISO 2700X series of standards and guidelines; and
- Experience of formal document creation, such as the creation of presentations, reports or procedures. Presenting documentation in a professional and well-structured format;
- Strong MS Office skills (core applications).
The following will be of advantage:
- Knowledge or practical experience of one or more of the following products:
o Archer Technologies SmartSuite Framework
o Tufin Operations Management
- Other professional qualifications/memberships, relevant to Information Security (Institute of Information Security professionals, CISA or QICA).
- Be a role model, supporting and fostering a culture of good conduct
- Demonstrate proactivity, transparency and accountability for identifying and managing conduct risks
- Consider the implications of your actions on colleagues, partners and clients before making decisions, and escalate issues to your manager when unsure.
- [For managers only] Take responsibility for your team’s conduct and conduct risks.
Please note that all applicants must disclose whether they possess the right to work in the U.K. as per the Immigration, Asylum and Nationality Act 2006.