Operation Risk Manager - Technology Services
About Standard Chartered
We are a leading international bank focused on helping people and companies prosper across Asia, Africa and the Middle East.
To us, good performance is about much more than turning a profit. It's about showing how you embody our valued behaviours - do the right thing, better together and never settle - as well as our brand promise, Here for good.
We're committed to promoting equality in the workplace and creating an inclusive and flexible culture - one where everyone can realise their full potential and make a positive contribution to our organisation. This in turn helps us to provide better support to our broad client base.
Job Purpose:
The Operation Risk Manager role is responsible for, and has oversight of, technology risk management, compliance assurance, audit management and remediation across the functions assigned to the role. The role is key to continuing improvements in the function's approach to risk identification, risk assessment, risk response and mitigation, risk monitoring and reporting, and regulatory and audit engagement support and remediation, within the relevant risk, compliance, security and assurance frameworks, policies, standards and processes of the Bank, as well as regulatory requirements and mandates.
This risk and assurance role ensures a constant state of compliance, readiness and continuous improvement across processes and systems, risk management and risk reduction, compliance, documentation and reporting.
Key Responsibilities: Risk Management
- Advise the Technology Service Head in driving and supporting effective risk management and compliance with the prescribed operational risk management framework and info security risk sub-type framework, policies, standards and processes of the Bank
- Ensure proactive and adequate management of risk and timely risk mitigation. Support the implementation of controls to mitigate the risk
- Report risk, compliance, audit and remediation performance and metrics to senior management to facilitate risk treatment decisions and informed investment decisions
- Promote a risk-aware culture within the Function so that all staff proactively identify, analyse and mitigate risk
- Manage stakeholders' expectations and influence stakeholders in understanding the risks and impacts, threats and vulnerabilities of the Bank, and priorities in remediation
- Facilitate the prompt resolution of contention including risk ownership, remediation issue or action ownership, scope creep that may delay the risk assessment, remediation, etc
- Scope and plan domain or thematic risk and control reviews aligning with the function's key performance objectives, audit themes and key risk areas (may include suppliers where appropriate)
- Scope and plan risk / control reviews of significant new projects
- Provide guidance to stakeholders on execution of risk / control reviews
- Track material actions and risks arising from the reviews
- Provide support and guidance on control design to Risk Controller and Process Owner. Review and approve proposed addition of or change in controls
- Review and agree changes and / or new KCI and KRI with ITO R&C / UORM
- Represent the Domain as the Single Point of Contact (SPoC) on regulatory, internal and external audit engagements and as representation to Subject Matter Expert (SME) on these engagement meetings or calls
- Review adequacy of management response to audit findings
- Review progress and timely closure of audit findings
- Share thematic risk & audit findings across functions and units
- Stay current on regulatory requirements, threats and leading industry practice and advise the Technology Service Head on risk management and control design
- Identify potential failure in process, advise and support risk treatment / mitigation.
- Provide support and guidance on control design to Process Owner, Domain or Unit Heads. Review and approve proposed addition of or change in controls
- Advise on the design of KCI and KRI. Monitor and report on KCI and KRI as per metric defined
- Conduct control sample testing (CST) on key control to attest the control operating effectiveness (COE). Review trend analysis of exceptions and identify systemic failures. Identify material exceptions and escalate
- Review the adequacy and effectiveness of policies, standards, guidelines and processes. Identify any material gaps and advise on control improvement
- Ensure that all risk forums within the Domain operate within their Terms of Reference (ToR), including objectives, membership, agenda and frequency. Facilitate functional risk forum meetings and provide challenge to ensure robust risk management. Work with the Awareness and Communication service unit to promote staff awareness of risk, compliance, audit support and remediation
- Plan, drive and/or perform risk identification workshops and control adequacy reviews to identify risks, non-compliance, control gaps and vulnerabilities, and advise the Service Head on remediation and on preventive and corrective controls
- Ensure that the affected Domain (and units within) are sufficiently prepared for upcoming audits
- Serve as single point of contact to handle information requests from, and provide responses to, regulators and external or internal auditors. Attend audit meetings, calls and reviews.
- Facilitate the review and verification on audit findings for accuracy, impact, relevance, risk rating. Identify root causes, impacts
- Facilitate and advise remediation management action plans (MAP) with service owners
- Facilitate or manage the risk remediation to provide timely update on progress in remediation and timely completion.
- Review remediation to ensure risks are significantly drawn down
- Manage remediation as committed by STS service owners
- Review remediation artefact to verify findings are remediated in full
- Constantly publish audit and remediation performance metrics and status dashboards to management
- Ensure that management (and any other stakeholder as required) is kept aware of the risk, control & audit profile of the function through periodical reporting
- Prepare and provide management report on risk, compliance audit or remediation to management team (MT), risk committee, forum
- Ensure that all management information is produced in line with the defined schedule and quality and should support management decision and action
- Ensure integrity of source and the processing of data to deliver accurate representation in management information
- Manage stakeholder expectations and influence stakeholders in understanding risk and impacts, importance and priorities on risk identification, assessment, response / remediation and reporting
- Attend to and resolve any issue contention, including remediation ownership contention, remediation scope creep or challenges arising that may delay remediation closure
- SPoC for the function on any Risk, Control or Audit change initiatives from Group or Technology Governance
- Drive implementation and adoption of agreed initiatives across the function including training, communication and awareness.
Experience, Skills & Qualification:
- Management Team, Core Infrastructure Services
- Service Heads and Process Owners within and outside of the function in the management of controls
- Service Heads and Operation Risk Managers (ORMs) in other functions (Security Technology Services, Technology Operations, Cloud Computing) in managing cross functional risks and sharing of leading practices
- Second Line (Group Operation Risk, Office of CISO) for advice and guidance and steering with regards to group initiatives, risk identification, assessment, risk response (treatment), risk monitoring and reporting
- Technology Risk and Control functions in ITO (ITO RC), in-country (Country RC), GBS
- Business (CIO) functions including Retail Banking, Corporate and Institutional Banking, Private and Wealth Management for relevant risk and controls
- Legal & Compliance for interpretation of and consultations on regulatory requirements, industry incidents
- Process Governance team for process and control metrics
- Group Internal Audit and external auditors on audit and reviews.
- 3 years or more of experience in operational or IT risk management, preferably in the banking and financial services sector, a global IT shared service organisation, or an IT audit organisation
- Good understanding of controls in technology risk and experience with the tools used in the industry
- Good understanding of regulatory compliance, IT risk and controls, and cyber security. Knowledge of approaches, tools and techniques for recognising, anticipating and resolving operational or process problems
- Experience in engaging / managing technology audit engagement. Experience in management response to audit reports is an added advantage
- Minimum 2 years of working experience in audit and remediation
- Strong communication, people management capabilities. Confident and self-motivated leader with experience in effectively negotiating with and influencing others in a matrix environment
- Ability and confidence to operate across a wide range of seniority levels, functional divides, locations and businesses
- Ability to gather and analyse facts and data in a complex, global environment; provide value-added management analysis, visualisation and recommendations to management; make quality judgements and support critical decisions such as investment or risk response / treatment
- Possess a pro-active posture and committed to continuous improvement
- CRISC, CISA, CISM or CISSP certification is a definite advantage
- Knowledge of and experience with core infrastructure and security technologies, such as vulnerability management and network management, is an added advantage
- Bachelor's degree in Computer Science/Information Technology, Engineering, Finance or equivalent
Apply now to join the Bank for those with big career ambitions.