Job DescriptionThe Impact you will have in this role:
Cyber Security Risk Office (CSRO) is responsible for setting strategic direction in the areas of cybersecurity. Maintains corporate security policies and control standards, acts as a second line of defense via a robust collection of risk and control assessments, reports to leadership and the Board on the status of the Cyber Security Programs, acts as an operational arm for monitoring threat intelligence, understanding when threats are being targeted against the firm, and responding to potential incidents, and serves as the main interface for Regulatory and Client reviews that focus on cybersecurity. Cyber Security Risk Treatment Oversight is responsible for the oversight, management, facilitation and reporting of the Risk Treatment (Policy Deviation and Risk Acceptance) for Technology and Information Security related risks. Responsible for identifying, managing, measuring, and mitigating a spectrum of technology and security related risks in existing and new products, activities, processes, and systems. Accountable for providing advanced technical, analytical and management skills to CSRO.
Your Primary Responsibilities:
- Manage day-to-day intake, tracking, and progression of Policy Deviation (PD) and Risk Acceptance (RA) submissions through their full lifecycle, including renewals, extensions, and closure validation.
- Perform initial completeness and quality checks on PD and RA submissions to confirm alignment with documented procedures, required artifacts, and governance standards prior to second-line review.
- Maintain accurate status tracking for all open items, including aging, upcoming expirations, and SLA adherence, escalating concerns to program leadership as needed.
- Support risk treatment and policy deviation governance forums (e.g., CRTL forums, leadership reviews) through agenda coordination, materials preparation, and action item tracking.
- Document decisions, approvals, and conditions to ensure traceability, transparency, and defensible governance outcomes.
- Produce and maintain risk treatment and policy deviation metrics, including lifecycle performance, aging trends, renewals, and items approaching or exceeding tolerance thresholds.
- Support risk tolerance updates to enterprise metric repositories (e.g., IBM BPM or successor platforms) and validate data accuracy and consistency.
- Prepare standard and ad-hoc reporting materials for senior management, governance committees, and audit or regulatory inquiries.
- Maintain PD and RA procedures, job aids, templates, and governance documentation, including publication and upkeep in Navex or successor systems.
- Ensure documentation, evidence, and decision records meet internal audit, regulatory, and examination standards.
- Act as an operational point of contact for first line teams submitting PD and RA requests, providing guidance on process expectations, timelines, and documentation requirements.
- Partner with Cyber Security Risk Office stakeholders to ensure consistent application of risk treatment standards and governance practices.
- Identify recurring issues, thematic trends, or control gaps emerging from PD and RA activity and escalate insights to program leadership for credible challenge and prioritization.
- Support program initiatives such as tooling enhancements (e.g., RAPD migration to SmartSuite), lifecycle standardization, and reporting enablement.
**NOTE: The Primary Responsibilities of this role are not limited to the details above. **
Qualifications: - Bachelor's degree preferred or equivalent experience
- Minimum of 6 years of related experience in cybersecurity risk management, technology risk, remediation tracking, or GRC program operations.
Talents Needed for Success: - Strong organizational, analytical, and documentation skills with high attention to detail.
- Experience supporting risk exceptions, policy deviations, or remediation oversight in a regulated environment preferred.
- Experience with GRC tools, data visualization tools, data warehouse (e.g., Power BI, Snowflake, Archer, SmartSuite, ServiceNow).
The salary range is indicative for roles at the same level within DTCC across all US locations. Actual salary is determined based on the role, location, individual experience, skills, and other considerations.
About the TeamOur Risk Management teams work to protect the safety and soundness of our systems and are responsible for identifying, managing, measuring and mitigating a spectrum of key risk types including credit, market, liquidity, systemic, operational and technology in all existing and new products, activities, processes and systems.
The Technology Risk Management department is responsible for setting strategic direction in the areas of IT Risk and Information Security. They are accountable for maintaining DTCC's corporate security policies and control standards and acting as an operational arm for monitoring threat intelligence.