IT Risk Measurement: IT Processes Risk
BNP Paribas is a leading European bank with an international reach. It has a presence in 73 countries, with more than 192,000 employees – including more than 146,000 in Europe and over 4,000 in Portugal alone.
BNP Paribas has been present in Portugal since 1985, having been one of the first foreign banks to operate in the country. Today, BNP Paribas has several entities operating directly in this territory, offering a wide range of integrated financial solutions to support its clients and their businesses.
Worldwide, the Group has key positions in its three main activities: Domestic Markets and International Financial Services (whose retail-banking networks and financial services are covered by Retail Banking & Services) and Corporate & Institutional Banking, which serves two client franchises: corporate clients and institutional investors. The Group helps all its clients (individuals, community associations, entrepreneurs, SMEs, corporate and institutional clients) to realise their projects through solutions spanning financing, investment, savings and protection insurance.
The Information and Communications Technology Risk department (ICT) is part of the Group Risk Functions within BNP Paribas. It is part of the 2nd line of defense under the Bank's Chief Cyber & Technology Risk Officer. Among other duties, the department is responsible for identifying key technology risks to the Bank and for influencing business and technology partners to take sound risk management decisions. This is achieved by delivering:
- IT process Risk Assessments: working with the Technology and Security teams to identify security issues in existing and new systems, and agreeing corresponding actions to mitigate or accept risks; tracking issues and agreed actions to completion.
- Horizontal Risk Assessments: assessing technology risks in relation to a particular theme or technology across the organization. Examples could be assessments of the firewall change process, application processing, applications hosted in the cloud, etc.
- Vertical Risk Assessments: assessing risks to a product, service, technology or infrastructure. For instance, we may complete a vertical assessment of our remote working solution (including infrastructure, applications, data, threats, etc.) or of our Internet connectivity.
- Partnering with the Business and Technology teams to help them understand their technology risk profile and to influence their risk management decisions.
- Recurrent analysis of the maturity of controls across all entities of the Group.
Risk Measurement within RISK ORC ICT is one of the activities of the Information and Communications Technology (ICT) Risk department. BNP Paribas is looking for a Lead Auditor for Application Risk Control and Assessment, who will help the team to identify and reduce risks on the information system (alignment of strategy with business needs, software development life cycle, IT project management, IT architecture, IT security, etc.) and thus improve the Bank's business as usual.
ROLE AND RESPONSIBILITIES
The candidate is responsible for the development and operation of worldwide ICT application controls risk assessment activities within Risk Measurement.
These assessments will be top-down risk assessments starting at an IT process level down to technical components.
The IT process risk assessor will perform assessments on their own or participate in assessments performed with other Risk Measurement teams. The team can bring value in scoping risks or in translating technical risks into business risks for Retail, Investment Bank, Insurance and other business lines.
RISK ORC ICT is in start-up mode. The role will help create the function, develop methodologies and train other teams. There is a need to consolidate some of the existing Operational, IT & Cyber risk functions from other teams, so an influencer and trust builder who can sell a value proposition is important. Planned activities are:
Governance and Oversight
- Participate in the establishment of an IT & Cyber Risk Management Program for the bank within the three lines of defense model, in alignment with the Group Risk Management Framework.
- Drive effective implementation and communication of Operational risk management policies and guidelines.
- Support planning and staffing model for program and hiring processes.
- Provide support and oversight with respect to management of security and technology risks of core systems and applications.
- Establish and oversee the Operational risk management infrastructure and ensure practices are consistent with regulatory expectations and industry sound practices.
- Provide IT & Cyber risk management consulting to the business, technical and operations groups.
- Establish appropriate risk management governance committees, arrange agendas and chair meetings as appropriate.
- Establish Risk Management oversight model for the IT and Operations Transformation projects including the review of major outsourcing partners.
Risk Management Environment
- Identification & assessment: Ensure that the identification and assessment of operational risks are effectively done across the organization by correlating input from Audit Findings, Internal Loss Data Collection & Analysis, External Data Collection & Analysis, Risk & Control Self Assessments, Business Process Mapping, KPIs & KRIs, Scenario Analysis, Quantified Measurement & Comparative Analysis.
- Monitoring & Reporting: Implement a process to regularly monitor operational risk profiles and material exposure to losses, and provide appropriate reporting mechanisms to the Board, senior management and the business lines. Data capture and operational risk reporting should be continuously enhanced and provide a feedback loop to improve risk management policies, procedures and practices.
- Control & Mitigation: Improve the effectiveness of the Internal Controls programme by reviewing the control environment, risk assessment process, control activities, information and communication and monitoring activities. Assess operational risk response strategies. Validate risk transfer options.
- Provide updates on regulatory and financial disclosure while complying with external and regulatory communications standards, and disclose the operational risk management framework of the bank in a manner that complies with the formal disclosure policy approved by the board of directors.
Command of concepts related to network infrastructure and information security, including emerging threats and attack methodologies, and in particular:
- More than 5 years' experience in Information Technology, specifically in IT risk assessment, application controls, IT operations, architecture and technology assessments.
- Develop a risk assessment approach, train teams and execute assessments.
- Team player: focused on the success of the whole team; works well both with others and individually.
- Good stakeholder management skills.
- Experience developing and implementing risk management programs in global organizations, with robust knowledge of technology, risks, architectures and related tools.
- Prior ICT risk experience (IT, Cyber, Vendor, etc.) & exposure to the Financial Services industry is a must.
- Interest or experience in a Technology Risk, Information Security or an IT Audit role.
- Good listening and analytical skills – being able to come to a thoughtful and business focused conclusion quickly.
- Ability to co-operate and work well with others, adopting an approachable style. This is important as we work closely with a large and diverse set of suppliers and customers.
- Ability to see the customer perspective, i.e. from a business point of view, the most secure solution is not always workable or realistic considering costs and benefits.
- Being rigorous and thorough – especially when logging and tracking issues through to conclusion.
- Ability to manage workload so as to meet the realistic targets and priorities set in conjunction with management.
- Ability to express views clearly and fluently, both orally and in writing. Considers the audience, avoiding technical jargon wherever necessary and appropriate.
Please note that only applications submitted in English will be considered.
In case you are selected for this role, further documentation will be requested to support your hiring process.
BNP Paribas is an equal opportunity employer and proud to provide equal employment opportunity to all job seekers. We are actively committed to ensuring that no individual is discriminated against on the grounds of age, disability, gender reassignment, marriage or civil partnership status, pregnancy and maternity, race, religion or belief, sex or sexual orientation. Equity and diversity are at the core of our recruitment policy because we believe that they foster creativity and efficiency which in turn increase performance and productivity. We strive to reflect the society we live in, while keeping with the image of our clients.
Primary Location: PT-11-Lisbon
Job Type: Standard / Permanent
Job: RISKS
Education Level: Not indicated
Experience Level: Not indicated
Schedule: Full-time
Behavioural competency: Creativity & Innovation / Problem solving
Transversal competency: Analytical Ability