Operational Risk/IT Risk Manager

Closing Date: Sunday, November 24, 2019
Location: Gaborone, South East, Botswana
Reference Number: Risk04112019
Company: Letshego Holdings Limited
Published: 04/11/2019
Contract Type: Permanent
Salary: Market Related
   
Introduction
To provide critical assurance and IT risk mitigation by providing a view as to the adequacy and effectiveness of the controls in place and, where required, assisting in their development. A strong focus is on facilitating and coordinating the implementation, ongoing execution and continued enhancement of an effective and efficient IT Risk Management Framework (ITRMF) and Cyber Resilience Risk Management Framework (CRRMF) in line with the Operational Risk Management Framework (ORMF). To ensure the Group and its subsidiaries comply with relevant regulatory requirements and align with international best practice.
   
Job Functions: Information Technology, Investigation & Compliance, Project Management, Quality Control, Risk Analysis, Risk Management, Software Testing
   
Industries: Banking / Finance & Investment, Financial Services
   
Specification
Overall IT Risk Management
1. Assist in the development and implementation of an end-to-end Information Technology (IT) risk management strategy and plan in respect of IT project portfolios to effectively manage the associated risks and deliver on the full requirements of the Information Technology Risk Management Framework (ITRMF) and Cyber Resilience Risk Management Framework (CRRMF).
2. Work closely with the Information Technology Function and assist in the improvement of the information security risk profile through identification, assessment, measurement and monitoring of the function’s risks.
3. Understand and effectively implement existing frameworks and policies across the Group, e.g. the ITRMF and CRRMF, and communicate all compliance standards.
4. Manage and assist business in the process of identifying and assessing related IT risks that may pose a threat to the achievement of business and project objectives, as well as continuous monitoring and mitigation of the risk exposure through risk and control self-assessments.
5. Ensure the establishment and implementation of IT risk appetites and key risk indicators for IT, information security and project risks.
6. Provide oversight and assurance on the management of IT risks and the IT control environment within relevant business areas (including IT initiatives/projects/information security) and report any control gaps identified and the mitigation thereof.
7. Conduct IT risk and control reviews across the Group to evaluate whether related IT risks are adequately identified, assessed, measured, monitored, controlled and mitigated.
8. Provide guidance and effective challenge on the IT risk assessments performed on new products, processes, systems and projects.
9. Ensure IT Disaster Recovery and Business Continuity plans are in place, reviewed, tested and updated regularly.
10. Provide ongoing feedback and reporting on the IT risk profile and risk universe through the Group Risk Management Committee (GRMC), Group Risk Committee (GRC) and other related governance and reporting structures.
11. Build collaborative relationships and effectively communicate with various stakeholders across the Group such as senior business management and the IT environment at large.
12. Regularly benchmark internal IT risk management principles/practices to industry best practice as well as ensure compliance with any regulatory requirements.
13. Cascade all learnings and share information with business areas and risk management teams to create awareness of IT, InfoSec, Cyber and Project risks.
14. Provide ongoing support, education and training on IT risk management principles, Cyber and InfoSec risk by driving awareness campaigns.
IT Project Risk Management
1. Identification and prioritisation of key IT projects for monitoring.
2. Monitoring project performance and assisting in the mitigation of all IT project risks through project governance structures.
3. Identification, assessment, and tracking of risks that impact IT project timelines, deliverables, and allocation of risk owners.
4. Document risk response actions with timelines in agreement with IT project teams and business.
5. Track and monitor the effectiveness of risk response actions throughout the IT project lifecycle.
6. Provide guidance and effective challenge on the IT project risk management within applicable project SteerCos.
7. Reporting of risks identified within IT projects to SteerCos, Project Managers, Business Management and escalating to appropriate Risk Governance Forums.
   
Requirements
Qualifications: 

1. Relevant BSc, BComm degree or Diploma specializing in IT and/or operational risk management.
2. Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP) or Information Systems Audit and Control Association certification will take preference.
Background/Experience:

1. Minimum 3 years’ experience in IT risk management, operational risk or IT security is essential.

Apply: https://letshego.jb.skillsmapafrica.com/