ERM IT Risk Manager
The Enterprise Risk Management (?ERM?) IT Risk Manager reporting directly to the Chief Risk Officer. This position will help assure the execution of all enterprise-wide risk initiatives by managing and overseeing all Information Technology (IT) and Information Security (IS) ERM management activities. Efforts include the design, oversight of the IT Risk Management Program, periodic review of granular risk assessments and review of IT and IS policies, as well as, membership and attendance at associated Committee meetings and, participation in risk management activities within the IT and IS departments and other departments with IT or IS risks. The ERM IT Risk Manager is responsible to review the IT/IS Risk Management Framework and its various elements e.g., risk identification, monitoring, and reporting of Company-wise IT and IS risk issues and control gaps. This role is responsible for evaluating overall IT risk, maintaining an active and visible role, and reporting on IT actual, mitigated and residual risks. All compliance closure activities are coordinated through this role, including the control and actual submissions for closure. This position will also track major IT related projects from start to finish and verify compliance with regulatory findings.
- Identify, assess and evaluate risk to enable the execution of the ERM strategy for the IT Areas including Governance, Systems Engineering, Applications, Core Operations, Operations and Support Services, Infrastructure and IT Security as well as IS Areas including Cyber Security-Systems Monitoring and Compliance, Cyber Security Governance & Risk Compliance and Disaster Recovery & Business Continuity.
- Direct and execute the ERM IT/IS Risk Management Program.
- Collect information and review documentation to ensure that risk scenarios are identified and evaluated.
- Identify legal, regulatory and contractual requirements and organizational policies and standards related to IT and IS to determine their potential impact on the business objectives.
- Identify potential threats and vulnerabilities for IT/IS processes, associated data and supporting capabilities to assist in the evaluation of enterprise risk.
- Create and maintain risk tracking to ensure that all identified risk factors are managed.
- Develop risk scenarios to better self-identify risks and threats to the Company and its various objectives, and to estimate their likelihood and impact..
- Support the Company?s risk awareness program and training efforts to help assure that stakeholders understand risk concepts, and contribute to the risk management process, thereby promoting a risk-aware culture.
- Correlate identified risk scenarios to relevant business processes to assist in identifying risk ownership.
- Validaterisk appetite and tolerance with BPOs and key stakeholders to help assure alignment.
- Maintain sufficient, adequate evidence to support all conclusions.
- Develop and implement risk responses to help assure that risk factors and events are addressed in a cost-effective manner and in line with business objectives:
- Identify and evaluate risk response options and provide BPOs with information to enable risk response decisions.
- Review risk responses with the relevant stakeholders for validation of efficiency, effectiveness and economy.
- Applyrisk criteria to assist in the development of the risk profile for management approval.
- Assist in the development of risk response action plans to address risk factors identified in the organizational risk profile.
- Monitor risk and communicate information to the relevant stake holders to ensure the continued effectiveness of the enterprise?s risk management strategy:
- Working with the ERM Test Team, collect and validate data that measure key risk indicators(KRIs) to monitor and communicate their status to relevant stakeholders.
- Monitor and communicate key risk indicators (KRIs) and management activities to assist relevant stakeholders in their decision-making process.
- Facilitate independent risk assessments and risk management process reviews to ensure they are performed efficiently and effectively.
- Identify and report on risk, including compliance, to initiate corrective action and meet business and regulatory requirements.
- Monitor and report on information systems controls to ensure they function effectively and efficiently:
- Plan, supervise and conduct testing to confirm continuous efficiency and effectiveness of information systems controls as well as control deficiencies.
- Determine the approach to correct information systems control deficiencies and maturity gaps to ensure that deficiencies are appropriately considered and remediated.
- Review information systems policies, standards and procedures to verify that they address the organization's internal and external requirements.
- Assess and recommend tools and techniques to automate information systems control verification processes.
- Evaluat e the current state of information systems processes using a maturity template to identify the gaps between current and targeted process maturity.
- Provide information systems control status reporting to relevant stakeholders to enable informed decision making.
IT Policies/Governance and Compliance
- Participate in the development and updating of IT policies and procedures.
- Have oversight over DR testing including any updates for major changes in hardware, applications, business and regulatory requirements.
- Review testing and reporting of data backup restorations in accordance with Key Performance Indicators (KPIs), if any.
Audits and Reviews Preparation and Facilitation
- Track and assist in remediation of audit issues.
- Keep a tracking action list of all audit issues.
Projects and Initiatives related to IT
- Participate in IT projects and initiatives to bring pro-active risk management focus intosolutions.
- Performs special projects, and additional duties and responsibilities as required.
- Where applicable and when performing the responsibilities of the job, employees are accountable to maintain Sarbanes-Oxley compliance and adhere to internal control policies and procedures.
Education and experience:
- Bachelor?s degree in audit, IT audit or equivalent.
- Four (4) to six (6) years of as a Compliance Manager, Information Risk Specialist, or Information TechnologyAuditor.
- Two (2) to three (3) years of management experience in information technology functions.
- Experience in the financial/banking industry is preferred.
- CRISC Certification is preferred.
Knowledge, skills and abilities:
- Strong interpersonal skills / ability to develop relationships with business lines, internal audit and external auditors.
- Strong team player.
- Strong oral and written communication skills.
- Strong organizational and prioritizing skills.
- Computer literate with proficiency in Microsoft applications including; Word, Excel, Access, PowerPoint and Visio.
- Report writing skills.
- Ability to summarize and communicate technical data to a non-technical audience.
- Ability to influence business partners in addressing control issues and business practices; ability to lead without direct authority.
- Ability to handle a variety of projects simultaneously.
- Ability to handle confidential information in a mature and professional manner.
- Ability to work with concepts and work independently.
- Ability to ask the ?right? questions without having extensive knowledge in a particular business area.
- Ability to train, delegate, and review the work of lower level employees.
- Ability to prioritize and organize work assignments for a work group.
- Ability to maintain strict confidentiality.