- GTO Program Executive Office
- ORM Product/Business Managers
- Technology Ops Risk
- Technology GIS Security Solutions
- Technology Governance
- Technology GIS Governance and Change
- Technology Architecture Management
- Technology L&C
- GIS Geographies
- Financial Crime Compliance
- Group's external auditors
- External Penetration Testing Preferred Suppliers
To ensure that Group-level Technology and Cyber-security activities (cross-cutting and change-related, including regulatory work, material Technology projects such as Cyber Stress testing, incidents and developmental activities) are properly assessed, and that the risk/return and control cost/benefit decisions are made transparently on the basis of a proper assessment and in accordance with the Group's standards and its Risk Appetite.
Risk Control Ownership of Functions Operational Risk
- Ensure that the rapidly evolving regulatory changes around Information and Cyber security and Technology Risk are engaged with, that a risk appetite has been set by the first line for each of these areas, and that control tests are incorporated (where appropriate) into the ORF.
- Challenge the technology functions' assessment of cyber security threats and vulnerabilities and ensure that risk assumption and cost of control trade-offs are being made transparently and in an informed manner.
- Review and challenge the process, engagement and pipeline of Technology regulatory audit, external audit, client activities.
- Support scenario stress testing of Top Risks around Information and Cyber Security and/or Technology
- Develop and continually improve the GTO / GOR cyber stress testing frameworks to further embed new requirements and changing methodologies.
- Ensure that effective management response plans are in place to respond to extreme but plausible scenarios (e.g. cybercrime).
- Support material projects and/or group programs with key technology and information security related obligations (regulatory or other) that are material to the group. Ensure obligations are understood and incorporated into project slate.
- Perform deep dive reviews for significant regulatory change (e.g. historically in 2014: MAS TRM, HKMA Customer Data Protection, etc.); ensure continuous oversight and monitoring of upcoming Cyber regulatory events and challenges.
- Review and challenge proposed GTO HORPs / PARs
- Support review of Technology Root Cause Analyses (RCAs) where GTO is the process control failure owner, arising from any Significant Operational Risk Event incidents or Failed Audit reports.
- Help maintain and evolve the Cross Cutting and Top Risk standard dashboard metrics and monitors in conjunction with GTO.
- Obtain MIS on the volume of incidents being reported to regulators and perform 2nd line review.
- Support management in the collation and thematic review of technology and security risk issues arising from engagement with internal and external stakeholders/peer banks/associations/quasi-government departments.
- Attend GTO/GIS program meetings on periodic basis ensuring key technology risks are understood and managed.
- Escalate to management when appropriate action needs to be taken based on review or external intelligence.
- Work in conjunction with Tech L&C and Technology Governance to maintain an up-to-date view of technology and information/Cyber security regulations and intelligence impacting the bank.
- Based on the constantly changing and evolving Cyber security external threat landscape, recommend changes to business practice where necessary to reduce the level of operational risk exposure.
- Cascade and question action plans against emerging technology events & regulations where appropriate.
- Deepen knowledge of team through external information sharing and cascade. Uplift CCRO knowledge when appropriate.
Knowledge & Skills: (List typical pre-requisites for high performance)
- 7-10+ years in a Technology and information security risk management function at a financial institution.
- Certified Information Systems Security Professional (CISSP) qualification required.
- Certified Ethical Hacker (CEH) and Certified in Risk and Information Systems Control (CRISC) desirable.
- Sharp business acumen (including ability to assess risk and appropriate levels of return), strong leadership qualities, excellent interpersonal skills and multi-cultural awareness and sensitivity.