Manage delivery of Information Risk Management services within TICR and ensure the Information Risk Management team delivers against its objectives.
Manage & improve working relationships with key stakeholders in delivering risk management services within and outside the bank, including Operational Risk Partners (ORPs) and IT Security.
Continuously improve processes within Information Risk Management services to achieve better efficiency and effectiveness.
Manage the Information Risk Management team effectively to ensure efficient utilization of resources, development of staff capabilities, and timely completion of agreed deliverables to stakeholders.
Support the manager in improving overall TICR practices & engagements.
Establish and maintain framework, policies, procedures and guidelines relating to Information Risk Management.
Define, review and implement information risk monitoring dashboards of metrics, trends and analytics.
Partner with ORPs, IT Security, Entity-level TICR teams and external organizations to monitor newsworthy information risk incidents, assess whether each incident is relevant to the Group and whether existing controls are adequate, and report to the relevant Risk Management Committees.
Establish and run a Working Group focused on information risk incident reviews, proposals for new initiatives, and progress and outcome reporting on information risk mitigation initiatives.
The Working Group is to include Operational Risk Partners, IT Security and Entity-level TICR teams.
Develop & execute initiatives arising from discussions at the relevant Risk Management Committees and Working Groups, or from the manager.
Prepare regular and ad-hoc information risk reports presenting information risk profiles, including consolidation of Entity-level TICR report submissions and reports from 1st Line-of-Defense teams.
Participate in industry working groups and contribute to overall improvement of the information risk posture of the industry.
Degree in Computer Science or equivalent
Possess relevant industry qualifications – CISM, CRISC, PMP, CISA, CISSP
More than 10 years of relevant IT experience, of which more than 7 years are in technology risk & information security, or IT audit. Relevant IT experience includes managing large-scale IT projects, application development & maintenance, production support, and/or infrastructure management
Experienced in executing risk assessments, risk reduction initiatives and assessments of control effectiveness
In-depth knowledge and experience with industry information risk & security management frameworks, e.g. the ISO 2700x series
Knowledge and experience with legal and regulatory requirements pertaining to information risk & security
Strong influencing and stakeholder management skills