Role Description

The Risk Associate role supports the operationalization of the second line of defense Risk oversight of information technology, cybersecurity, and data risk for the SMBC Group Americas Division (AD) by performing independent review, effective challenge, and risk analysis in alignment with regulatory expectations, internal/head office policies, and industry standards.

The Risk Management Department (RMDAD) is the second line of defense in its role of monitoring and assessing business practices as related to the risk appetite framework for SMBC. Within the RMDAD, the Tech, Data and Cyber Risk Oversight (TDCRO) establish technology, data and cyber risk management policies and framework with defined roles and responsibilities across first and second lines.

Role Objectives: Delivery

Supports the TDCRO management in ensuring IT, data management, and cybersecurity risks are adequately governed, managed and controlled.

Supports the independent review and credible challenge of 1st Line of Defense risk assessments, controls, metrics, and remediation plans related to IT, data, and cyber risk domains.

Assist in the maintenance and periodic update of technology, data, and cybersecurity risk management frameworks, policies, standards, and procedures.

Provides review and challenge on IT, data management and cybersecurity policies, standards, control framework, risk metrics/indicators, risk and control self-assessment ("RCSA").

Support the preparation of technology, data, and cybersecurity risk reporting for management and risk committees, including issue tracking and escalation.

Collaborate with cross-functional stakeholders across risk, technology, cybersecurity, and data teams

Qualifications and Skills

Well-versed in technology & cyber risk practices with the ability to connect and align with the firm's operational risk management processes.

2+ years of direct work experience within the financial services industry, with IT risk management, control testing, regulatory/audit, or cybersecurity experience.

Foundational understanding of enterprise risk management concepts, including risk assessment, control design, issue management, and RCSAs.

Working knowledge across multiple technology, cyber, or data risk domains (e.g., SDLC, application security, Data Management, IT governance, infrastructure Architecture, IT asset management (incl. End of Life and Shadow IT), Infrastructure management application lifecycle management, change management, back-up and availability of critical systems, Service management, Event, Problem and incident management, Helpdesk, SLA- service quality, Cloud, ... ).

Familiarity with technology, cyber and data risk management industry frameworks and standards (e.g., NIST, ISO, COBIT).

Foundational knowledge of Tech/Cyber/Data Management regulatory guidance

Strong written communication skills, with experience supporting management or committee-level reporting.

Proficiency in Excel and PowerPoint; experience with Power BI or data visualization tools preferred.

Strong organizational skills with ability to successfully manage multiple, concurrent priorities.

Work effectively in a matrixed environment and across various organizational levels, where flexibility, collaboration, and adaptability are important.

Strong desire to deliver a quality work product in a timely and efficient manner.

Bachelor's/University degree required and Master's degree preferred.

CISA, CRISC, CISM, CISSP certifications (or exam taken) preferred.

SMBC's employees participate in a Hybrid workforce model that provides employees with an opportunity to work from home, as well as, from an SMBC office. SMBC requires that employees live within a reasonable commuting distance of their office location. Prospective candidates will learn more about their specific hybrid work schedule during their interview process. Hybrid work may not be permitted for certain roles, including, for example, certain FINRA-registered roles for which in-office attendance for the entire workweek is required.