The primary responsibilities include setting the enterprise policy and standard, defining and maintaining risk frameworks, monitoring and reporting aggregated risk and risk response, performing risk review and evaluation to identify and respond to risks and enable business objectives and decision making, and driving continuous improvement of risk management capabilities across businesses and divisions. Information risk refers to the confidentiality, integrity and availability risk of all information due to potential theft, abuse (internal or external, e.g. cyber, third party) and insufficient controls across the organization, including information security and data governance. Technology risk encompasses all risks related to designing, developing and deploying application, infrastructure and end-user technology solutions to meet business objectives with the required ability and resiliency, specifically the risk of architecture and design, technology change, technology availability, disaster recovery, system security and end-user computing. I&TR is led by the Chief Risk Officer – IT. I&TR is looking for an experienced director to lead the 1st line Risk & Controls teams that represent each department in IT.
The IT Risk & Controls Director will work closely with the teams that represent each IT Department and will be directly accountable for ensuring the consistent and logical application of the IT Risk Framework for the IT Division. The Director will be responsible for acting as the centralized coordination point for the Risk and Control team for risk and issue management, KRI/KPI development, management reporting, oversight reporting and escalation. The Director will also enforce data quality requirements for the process, risk and control data entered into the Governance Risk and Compliance tool. This position requires that the applicant have a strong understanding of I&T risks, operational risks, and the execution of risk management processes and governance within a large institution. The applicant must also have strong communication and management skills, and strong knowledge of industry best practices.
Understanding and managing Information and Technology risk associated with the operational processes for the IT division
Establishing the 1st Line of Defense policies, standards, procedures and processes consistent with the 2nd Line of Defense risk management policies
Executing 1st Line of Defense risk management processes demonstrating compliance with applicable 2nd Line of Defense risk management policies, standards and processes
Ensuring IT risks are appropriately managed within the risk appetite tolerances and limits
Providing transparency of risk exposures through implementing sound reporting for risk-based decision making
Performing aggregation and reporting of IT risk metrics and data
Executing at least monthly risk management meetings for each IT department to ensure risk transparency to all stakeholders
Conducting quarterly SOX Risk and Control status assessment and reporting for each IT department
Managing risk processes related to the IT-wide risk management reporting tool and systems
10-12 years of experience working with SOX, practical experience in internal/external audits, and risk management methods and techniques for the assessment and management of risk
Ability to operate as a self-motivated, pro-active, and result-driven problem solver with excellent analytical and communication skills
Ability to understand IT business processes, management objectives, risk appetite and tolerances, and the impact of changes to risk profiles
Project Management experience
Experience in IT governance and controls, including governance frameworks, COBIT, FFIEC, COSO, ISO-31000, etc.