IT Risk Manager

Hong Kong
19 Sep 2018
21 Sep 2018
Contract type: Full time

About BNP Paribas in Asia Pacific

In Asia Pacific, BNP Paribas is one of the best-positioned international financial institutions with an uninterrupted presence since 1860. Currently with over 15,000 employees* and a presence in 14 markets, BNP Paribas provides corporates, institutional and private investors with product and service solutions tailored to their specific needs. It offers a wide range of financial services covering corporate & institutional banking, wealth management, asset management, insurance, as well as retail banking and consumer financing through strategic partnerships.

Worldwide, BNP Paribas has a presence in 74 countries with more than 190,000 employees. It has key positions in its three main activities: Domestic Markets and International Financial Services (whose retail-banking networks and financial services are covered by Retail Banking & Services) and Corporate & Institutional Banking, which serves two client franchises: corporate clients and institutional investors. Asia Pacific is a key strategic region for BNP Paribas and it continues to develop its franchise in the region.

BNP Paribas offers you an exciting career opportunity in an international, challenging business environment characterized by high pace and diversity with focus on creating valuable relations with our customers. We offer a competitive salary & benefits package and also an excellent work environment where you're valued as part of our team!

* excluding partnerships

Position Purpose

The mission of the IT Risk Manager is to ensure, for the IT activities within his/her entity, the realization of operational permanent control including the measure and the management of all operational risks linked to Information and Communication Technologies (ICT) including cyber security risks in accordance with the framework as defined by the IT Governance of BNP Paribas, as well as the deployment and coverage of the IT Risk Management Group (ITRMG) framework.
The coverage is APAC and the scope is all Business Units in charge of IT activities.


As per BNP Paribas internal control charter, operating IT entities, and first and foremost their managers, are accountable for the risks they are exposed to given the businesses or services they run or deliver.
In this respect, and in full compliance with regulations applicable at group level and at entity level, and in line with the group's norms and requirements, the IT risk manager should, for the IT entities under his/her oversight:
• Assist in identifying and assessing operational IT risks the entities are exposed to.
• Ensure the risk monitoring and mitigation framework is within the defined risk appetite
• Ensure the implementation and continuous adaptation of the risk framework
• Ensure proper awareness of the risk framework for all IT teams
• Provide consistent risk monitoring & registration tools
• Provide risk management information and reporting to eligible bodies


As part of operational risk management, the IT risk manager is responsible for ensuring the deployment of policies and procedures and, in coordination with the different bank stakeholders (2nd line of defence Group/business/regions, 2nd line of defence ICT Group/business/regions, IT Risk Management Group, business OPC, CIB Anti-Fraud, etc.), for the implementation and maintenance of an efficient risk framework within his/her entity in charge of IT activities, in line with the Level 2 procedure 'Organizational framework and governance for Operational Risk Management and Permanent Control framework' (RISK0327EN).

• IT Risk
• The management and reporting (to eligible bodies) of ICT risks (with if-needed associated risk acceptances, risk profiles, …) through both yearly RCSA realization and ad hoc risk assessment on his/her perimeter in accordance with the EBA ICT risk taxonomy.
o Assisting the Function/Métier teams in the identification and assessment of IT risks, including regulatory questionnaires and industry-standard (e.g. NIST, CIS) maturity assessments
o Maintaining the list of IT operational risks at APAC level to facilitate monitoring and reporting of risk
• Coordinating/identifying APAC IT risks with regular analysis and evaluation of the underlying risks (via the mapping and analysis of historical incidents having an IT cause, recommendations, control results…) with APAC IT Business Units and APAC CIOs, CTO and CISO
• Managing IT risk findings resulting from production incidents, application and infrastructure IT security risk assessments with APAC IT Business Units and APAC CIOs, CTO and CISO, and raised risks (e.g. ICC, APAC IT OPC Steering Committee…)
• Identifying controls to mitigate the risks (new controls or update of the controls)
• The organization of Function/Métier/Region IT risk committee at least twice a year (according to the procedure RISK0339EN);
o Provide support for various APAC IT Risk committees (APAC IT Risk/OPC, Technology Risk Committee, etc.) including logistic support, write the minutes, follow identified actions
o Consolidating and preparing the APAC contributions for various Internal Control and Permanent control committees
o Producing the Regional IT Risk profile report covering IT recommendations, IT historical incidents and control results
• The proper collection and analysis of IT historical incidents, the validation of Métier/Region IT incident input into the dedicated Group system based on CIB standardised criteria, and the contribution to the definition and follow-up of associated action plans, in addition to regular reporting;
• The contribution to the quantification of Métier/Region/IT potential incidents (for AMA entities);
• IT Control
• The deployment and reporting (at minimum of the major ones) of IT controls (OPC and operational, standard and/or specific) identified to mitigate the risks;
• The bi-annual production of the ICT Permanent control report based on provided templates and signed by the CIO/CTO of the perimeter (business/region)
• Identify specific controls for region and/or specific entity within the region to meet Regulatory requirements, IT business units requirements and analysis of controls results
o Verifying all the level 1 control results (self-declarative) are signed off by respective IT Business Units
o Reporting control results for APAC (consolidated view) and IT Business Units to measure residual risk level on IT processes
o Verifying action plans related to controls results are identified and followed by relevant IT Business Unit and APAC CIOs or CTO or CISO or Local head of IT when applicable
• Continuously improving the control framework to provide assurance that the internal controls meet best practices and regulatory requirements as appropriate
o Procedures
o The role of procedures correspondent (cf. Level 2 procedure RISK0329EN).
o Ensuring the deployment of procedures/processes, where applicable, defined at the regional level.
o Assisting the APAC IT Business Units to identify procedure needs and ensuring that IT procedures/processes for IT activities are formalized, compliant with Group/CIB requirements, stored and updated on a regular basis by each APAC IT Business Unit
• IT Recommendation
• The overall follow-up and reporting (figures, alerts, etc.) of IT recommendations implementation in his/her scope (IG/Regulator/external/Permanent Control actions/Independent consultant) in order to meet the Group objectives;
• Follow-up of APAC IT recommendations and findings (IG/Audit/regulator) stock in accordance with the Group/CIB objectives
o Evaluating the confidence level for closure with the relevant IT Business Units
o Identifying potentially overdue recommendations, identifying the issues with IT Business Units and alerting management
• Continuous improvement
• Identify controls (Level 1 and 2) for APAC and/or a specific entity with the APAC IT Business Unit, based on requirements from IT teams, regulatory requirements and analysis of control results
• Formalize / Design the new IT controls for APAC and organize the validation session with IT Business units
• Ensure the consistency with the CIB global controls, Global Business Unit controls, APAC controls and remove duplications
• Improving the current risk and control reports/dashboard
• Continuously improving the technology risk management framework to provide assurance that the internal controls and risk management meet best practices and regulatory requirements as appropriate
• CIB divisions : Business and Information Security
• Internal Audit / Inspection General
• APAC Anti-Fraud
• Global IT OPCs, Global ORC
• Local OPCs, Local ORC
• Regional CIOs, CTO and CISO
• External auditors & Regulators

Technical and Behavioral Competencies required

Essential Technical Knowledge/Skills:

• A solid background in operational risk management and control framework
• Knowledge of IT practices: project management, security, continuity and production
• Excellent analytical skills and reporting capabilities (KPIs, dashboards, metrics, assessment …)
• A practical understanding of a large bank's organization and systems
• Familiar with process analysis and improvement, drafting of workflows and procedures

Qualifications and Experience:

• At least 5 years of experience in an IT Risk, Control and Audit environment. Prior experience in IT Security Risk management would be advantageous
• At least 5 years of experience in IT environment
• Recommended certifications: CISA, CISSP

Other Value-Added Competencies:

• Attention to detail
• Ability to manage several initiatives/projects and keep these on-track simultaneously
• Ability to effectively manage your own time and the priorities
• Interpersonal skills, ability to consolidate action plans and report progress status
• Pragmatic, 'Can do' attitude & Proactive approach with a strong ability to work on own initiative
• Capable of adapting to a new environment and to work under pressure towards tight deadlines
• Excellent oral and written communication
• Good interpersonal skills
• Big picture awareness
