About BNP Paribas Group:
BNP Paribas is a top-ranking bank in Europe with an international profile. It operates in 71 countries and has almost 199 000 employees. The Group ranks highly in its three core areas of activity: Domestic Markets and International Financial Services (whose retail banking networks and financial services are grouped together under Retail Banking & Services) and Corporate & Institutional Banking, centred on corporate and institutional clients. The Group helps all of its clients (retail, associations, businesses, SMEs, large corporates and institutional) to implement their projects by providing them with services in financing, investment, savings and protection. In its Corporate & Institutional Banking and International Financial Services activities, BNP Paribas enjoys leading positions in Europe, a strong presence in the Americas and has a solid and fast-growing network in the Asia/Pacific region.
About BNP Paribas India Solutions:
Established in 2005, BNP Paribas India Solutions is a wholly owned subsidiary of BNP Paribas SA, a leading bank in Europe with an international reach. With delivery centers located in Bengaluru, Chennai and Mumbai, we are a 24x7 global delivery center. India Solutions services three business lines: Corporate and Institutional Banking, Investment Solutions and Retail Banking for BNP Paribas across the Group. Driving innovation and growth, we are harnessing the potential of over 6000 employees, to provide support and develop best-in-class solutions.
About Businessline/Function :
At the Group level, the RISK ORM Independent Testing is in charge of supporting BNP Paribas Entities and Group Functions through RISK procedures and RISK ORM organizational framework and governance for operational risk management and a permanent control framework.
The Risk ORM, ORO-IT department (Operational Risk Officer IT) is part of the Group Risk Functions within BNP Paribas. It is a part of the 2nd line of defense and the department has responsibility for identification of key operational and technology related risks to the Bank and influencing business and technology partners to take sound risk management decisions.
The Risk ORM, ORO-IT activities are carried out using risk based approach and may be conducted periodically at group or entity levels with continuous review and assessment as required. The frequency for testing may increase, for certain topics, where environments are subject to continued change due to mergers and acquisitions or improvements in IT and Business processes.
The Risk ORM, ORO-IT Testing activities aims to validate whether the risk mitigation framework operates as expected by verifying standards, policies and practices. RISK ORM, ORO-IT contributes to the residual risk determination process by validating the implementation of the required controls.
Sr. Associate/ Assistant Manager - ICT Controls testing
Business Line / Function:
Group RISK ORM
Lead- ORO IT India CoE
Global Head- ORO IT
Number of Direct Reports:
Directorship / Registration:
The below requirement is for ORO-IT Officer role and part of the Risk ORM, ORO-IT team and will be responsible for assisting with the management and execution of the bank’s IT risk management function within the 2nd Line of Defense.
The position is based in India Solutions Pvt. Ltd. (ISPL), Mumbai and reports to the Lead, ORO-IT (CoE) plus functionally to Global Lead Risk ORM, ORO-IT.
- Conduct ICT risk assessments across BNPP Group in accordance with Group RISK ORM ICT standards and policies
- Independently perform and contribute to independent risk assessment testing activities, carried out by the global teams as mentioned below:
- Application & Infrastructure Risk Assessments working with the Business and Technology teams to identify security issues in existing and new systems, and agree corresponding actions to mitigate or accept risks. Tracking issues and agreed actions to completion.
- Horizontal Risk Assessments – Assessing technology risks in relation to a particular theme or technology across the organization. Examples could be assessments of the firewall change process, applications processing >$5m per day, applications hosted in the cloud, etc.
- Vertical Risk Assessments - Assessing risks to a product, service, technology or infrastructure. For instance we may complete a vertical assessment on our remote working solution (including Infrastructure, applications, data, threats etc.) or our Internet connectivity.
- ICT GCP (Generic Control Plan) testing – Perform Generic controls testing to determine the performance and operational effectiveness of controls and develop detailed reports documenting the gaps identified and recommendations for improvement.
- Maturity Assessments – Conduct technical and process based analysis of maturity of ICT controls across BNPP Group entities.
- Partner with Business and Technology teams in helping them understand their technology risk profile and influencing their risk management decisions.
- Contribute to the industrialization of RISK ORM, ORO-IT services by development of methodologies / tools for the achievement of assignments.
- Work in collaboration with other stakeholders from business and other RISK ORM teams to contribute towards influencing the ICT risk culture and reporting the risk status to the BNPP Board and senior management.
- Perform technical and process based ICT risk assessments in partnerships with regional / global stakeholders.
- Support the oversight, check & challenge and reporting on the performance and operating effectiveness of ICT / IT controls across BNPP entities, with a focus on high risk areas and critical business operations
- Provide subject matter expertise where required to business and technology teams in helping them understand their technology risk profile and influencing their risk management decisions.
- Contribute to the industrialization of ORO-IT services by development of methodologies / tools for the achievement of assignments.
- Regularly and proactively monitor global events / incidents to determine new emerging risks areas and propose improvements to the risk assessment approach / processes.
- Establish and maintain relationships with RISK ORM, RISK ORM ORO-IT and BNPP entity stakeholders.
- Build and establish networks and relations with other key internal stakeholders (i.e. Global Security Operations, HR, Facilities, Legal, and Internal Communications).
- Support the development and implementation process for validating effectiveness of the ICT controlsRisk Management Environment:
- Identification & assessment: Ensure that the identification and assessment of operational risks are effectively done across the organization by correlating input from Audit Findings, Internal Loss Data Collection & Analysis, External Data Collection & Analysis, Risk Control Self Assessments, Business Process Mapping, KPIs & KRIs, Scenario Analysis, and Quantified Measurement & Comparative Analysis.
- Monitoring & Reporting: Implement a process to regularly monitoring operational risk profiles and material exposure to losses and provide appropriate reporting mechanisms to the board, senior management and the business lines. Data capture and operational risk reporting should be continuously enhanced and provide a feedback loop to enhance risk management policies, procedures and practices.
- Control & Mitigation improve the effectiveness of the Internal Controls programme by reviewing the control environment, risk assessment process, control activities, information and communication and monitoring activities. Assess operational risk response strategies. Validate risk transfer options.
Technical & Behavioral Competencies
- Demonstrated passion towards uncovering control weaknesses in processes and technology.
- Results-oriented and strong teammate with excellent analytical, problem solving skills. Outstanding presentation, written and verbal communication skills.
- Knowledge of compliance standards like CIS, NIST and GDPR. With high level knowledge of secure development practices and standards such as OWASP.
- Proficiency in concepts related to network infrastructures, information system security including emerging threats and attacks methodologies, in particular:
- Network security, network equipment configuration, network protocols, network standards, supervision, "Conceptual Skills," "Decision Making," "Informing Others," functional and technical expertise, reliability, information security policy.
- Recognized skills for the integration of different security or data protection technologies within a coherent architecture to effectively cover the risks of the company.
- Good technical understanding of security technologies, including intrusion detection/prevention, correlation of events, firewall, antivirus, anti-spam, policy tightening, patch management and configuration management, audit, security development technique, etc.
- Knowledge of cryptographic standards for encryption, electronic signature, key management infrastructure (PKI).
- Conversant with native Platform or Common applications such as (non-exhaustive list): UNIX, Linux, Windows, Oracle, MS SQL, Microsoft Outlook, J2EE and.NET applications...
- Knowledge of IT Risk and Control Evaluation
Specific Qualifications (if required)
- 3 years of experience in risk assessment / controls testing / technical assessments, preferably in the areas of Cyber and Technology domains in a financial institution.
- Must be able to interface and coordinate work efficiently and effectively with business partners.
- Excellent communication and influencing skills, including ability to articulate complex issues and incorporate feedback.
- Good listening and analytical skills – being able to come to a thoughtful and business focused conclusion quickly.
- Demonstrating a calm professional approach, with a good understanding of delivery within time constraints and the need to escalate/inform departmental management as appropriate.
- Adapting personal approach to suit situations, individuals, groups and cultures. Is flexible in relation to getting the job done.
- Being rigorous and thorough – especially when logging and tracking issues through to conclusion.
- Ability to manage their workload as to meet the realistic targets and priorities set in conjunction with management.
- Demonstrating a high-level of commitment and self-motivation, combined with enthusiasm and a genuine interest in the role of Risk Assessment in business.
- Ability to express views clearly and fluently, both orally and in writing. Considers the audience, avoiding technical jargon wherever necessary and appropriate.
- Works iteratively, delivering quickly and frequently to produce high quality documents and outputs which require little to no rework.
- Team player – focus on the success of the whole team. Working well both with others, as well as individually.
Preferred Qualifications / Certifications :
- University degree and/or certification such as CISSP, CISA, ITIL, CISM or CRISC.
- Professional qualifications relevant to Risk Management, Information Security and securing emerging technologies such as cloud, mobile, product development lifecycle.
- Has the proven ability to think outside of the box, challenge industry norms and adapt quickly to evolving requirements.
- Is self-aware, anticipates problems, adapts and meets them head on.
- Strong stakeholder management, relationship building, influencing, facilitating and presenting skills.
- Is solutions focused – measures their output on whether issues, problems or challenges are resolved as a criteria for success.
Behavioural Skills: (Please select up to 4 skills)
Attention to detail / rigor
Communication skills - oral & written
Ability to synthetize / simplify
Transversal Skills: (Please select up to 5 skills)
Ability to manage / facilitate a meeting, seminar, committee, training…
Ability to manage a project
Ability to understand, explain and support change
Ability to develop and leverage networks
Bachelor Degree or equivalent
At least 3 years
Other/Specific Qualifications (if required)