Information Risk, Policy Governance & Framework, Vice President

Industry: Finance & Insurance

8 - 10 years

Posted 58 days ago

This job is no longer available.

Your potential. Your opportunity. Discover your opportunity with Mitsubishi UFJ Financial Group (MUFG), the 5th largest financial group in the world with total assets of over $2.4 trillion (as ranked by SNL Financial, April 2016) and 140,000 colleagues in nearly 50 countries. In the U.S., we're 13,000 strong, working together to positively impact every customer, organization, and community we serve. We achieve this by delivering on our values, putting people first, fostering long-term relationships built on honesty and mutual understanding, and inspiring the best in each other. This is all part of our inclusive, high-performing culture supported by Total Rewards that include our cash balance pension plan. Join a team that's working to fulfill its vision to be the world's most trusted financial group.

Job Summary:

Reporting to the Frameworks Director, the Policy Vice President is responsible for defining and maintaining Information Risk Management (IRM) policies.

Major Responsibilities

  • Defines and maintains Information Risk Management (IRM) policies.
  • Defines and maintains the IRM policy framework based upon industry standards.
  • Defines and maintains the policy and standard creation and update processes, including the stakeholder, syndication, and approval processes.
  • Builds and maintains IRM policies and standards and keeps them relevant.
  • Supports the alignment of the policies and standards to both regulations and controls.
  • Defines supporting implementation guidance associated with the IRM policies.
  • Ensures policies adhere to enterprise standards and templates.
  • Ensures (new) policies follow the required approval process.
  • Ensures policies are updated as needed and always in good standing.
  • Represents IRM in other associates' policy and standard syndication.
  • Collaborates with other subject matter experts to determine and communicate the business impact of changes to information risk management policy and standards. Ensures policy changes and new policies are appropriately communicated to the respective stakeholders.
  • Manages the annual review and refresh process for policies, standards, and the risk, threat, and control library, including stakeholder management and review coordination.
  • Manages the policy onboarding process, including stakeholder management for new and legacy policy identification and rationalization with the IRM framework.
  • Manages the policy awareness program and conducts training on policies and standards.
  • Manages the business unit policy variance and policy exception review processes.
  • Maintains policy program service documents and procedures, including KPI reporting for the policy program.
  • Manages qualitative risk appetite statements for IRM and leads the annual refresh process.
  • Performs review and challenge on first line business units' programs to support compliance with policies, standards, laws and regulations.
  • Participates in key and strategic initiatives representing the IRM Governance team and provides subject matter expertise in the policy space.

Additional Requirements

  • 7+ years of work experience within financial services industry in a risk related position.
  • 5+ years' experience in writing IRM policies and standards is required.
  • 5+ years of technology experience in one or more of the following areas: Information Security, Technology Governance, Technology Audit, Information Technology Compliance, Technology Infrastructure, or Application Development.
  • Bachelor's degree is required, preferably in Computer Science, System/Computer Engineering, Cyber-Security, or Information Security.
  • Expert knowledge of technology, infrastructure, network, applications, information security and associated risk management
  • Possess in-depth knowledge of Information Risk Management and IT processes
  • At least one security certification is preferred, such as Certified Information Security Management (CISM), Certified Risk Information Security Control (CRISC), or Certified Information Systems Security Professional (CISSP).
  • Proven knowledge of policy creation and maintenance; ensuring adherence and compliance.
  • Knowledge of the financial services industry and its regulations/laws.
  • Understanding of control and risk management concepts and knowledge of the operational aspects of the information risk business.
  • Understanding of respective industry best practices (e.g., NIST, ISO, COBIT, OWASP, ITIL).
  • Knowledge of risk management policies, methods, standards, processes, governance models, and industry standard risk analysis approaches.
  • Knowledge of current industry trends in information risk management.
  • Able to collaborate well with internal and external stakeholders.
  • Able to enforce and communicate related policies, procedures, and guidelines.
  • Able to be a subject matter expert on information risk management policies and standards.
  • Analytical thinking and solution-oriented mindset.
  • Able to lead across the organization and influence senior stakeholders towards consensus.

The above statements are intended to describe the general nature and level of work being performed. They are not intended to be construed as an exhaustive list of all responsibilities, duties, and skills required of personnel so classified.

We are proud to be an Equal Opportunity / Affirmative Action Employer and committed to leveraging the diverse backgrounds, perspectives, and experience of our workforce to create opportunities for our colleagues and our business. We do not discriminate in employment decisions on the basis of any protected category.

A conviction is not an absolute bar to employment. Factors such as the age of the offense, evidence of rehabilitation, seriousness of violation, and job relatedness are considered in all employment decisions. Additionally, it's the bank's policy to only inquire into a candidate's criminal history after an offer has been made. Federal law prohibits banks from employing individuals who have been convicted of, or received a pretrial diversion for, certain offenses.