Description
Join a role that's central to our technological resilience, offering a unique opportunity to shape the firm's tech risk strategy and enhance industry compliance.
As a Tech Risk & Controls Director in the Cyber and Tech Controls line of business, you will play a pivotal role in shaping and implementing the firm's technology risk management strategy. Leveraging your advanced knowledge and expertise in technology-risk disciplines, you will identify, oversee, and mitigate compliance and operational risks in line with the firm's standards. You will collaborate with various stakeholders, including Product Owners, Business Control Managers, and regulators, to develop and maintain a comprehensive view of the technology risk posture and its impact on the business. Your ability to make calculated decisions, manage globally dispersed teams, and drive strategic projects will be crucial in ensuring the firm's adherence to regulatory obligations and industry best practices.
As Head of CTC Product Governance, you will manage an organization responsible for risk and compliance oversight for the Cybersecurity Technology & Controls (CTC) product lines, focused on ensuring all operational implementations and measures are managed to the firm's risk and compliance requirements and can withstand Compliance, Conduct, and Operational Risk (CCOR), Audit, and regulatory scrutiny. Duties of the CTC Product Governance team entail partnering with the product lines and centralized operational activities to ensure an accurate articulation of risk, appropriate prioritization of controls in accordance with the firm’s Assurance Risk Pillar requirements and risk posture, effective assessment and treatment of controls, timely remediation of findings, and complete responses to Audit, Supervisory, and Regulatory requests for information. In this role, you will lead compliance with the firm’s technology risk management framework. While doing so, you will maintain alignment with our control obligations and line of business expectations and priorities. You will be responsible for having a deep understanding of the business, its underlying processes, and the technology control environment across several categories, such as risk identification and assessment, control design and evaluation, issue management, and control governance and reporting.
Job responsibilities
- Perform ongoing monitoring of the technology risk and control environment and identify technology risks which could manifest in the business and technology processes (Risk Impact Rating (Inherent Risk))
- Assess risk to determine whether there are material concerns (Risk Status) and understand issues or concerns that may impact the Residual Risk and provide supporting commentary for control committee reporting and judgmental conclusion for the line of business operational risk assessment
- Perform control-related activities: Assist with designing process controls, including how to measure their effectiveness; provide control implementation support and control validation; and perform control evaluation and review results with the control evaluation team and agree on the control effectiveness rating
- Oversee Issue and Action Plan administration: Perform end-to-end oversight and leadership, ensuring the root cause and key themes/trends of issues are identified; develop Action Plans designed to address issues broadly; validate the execution of Action Plans
- Perform controls assessment prior to issue closure, understand the full inventory of risk acceptances, and attend Issue Management Review Boards within your organizational responsibility
- Oversee the Risk & Control Forum: Support technology updates to the line of business Control Committees; analyze metrics to inform on health and technology of the risk and control environment; identify existing or emerging technology risks; and contribute content for line of business Operational Risk assessment and Operational Risk Appetite
- Support legal entity risk and control assessments and regulatory topic assessments: Escalate breaches/issues based on key reporting indicators, and implement a process to identify, report and resolve data quality errors
- Develop and implement technology risk management strategies, policies, and processes to identify, assess, and mitigate risks, and drive strategic projects and initiatives to enhance the firm's technology risk management capabilities, in line with industry best practices and the firm's standards and regulatory requirements
- Identify and escalate emerging and upstream technology risk through execution of the Firm’s management framework tools, including risk event management, reporting, and action plan tracking, and provide expert counsel to stakeholders and constituents regarding their security obligations, facilitating acceptable outcomes
- Establish and maintain strong relationships with internal and external stakeholders, including key cross-functional team leads, regulators, and auditors, to ensure compliance with legal, regulatory, and industry standards
- Manage reporting and governance of overall controls, policies, issue management, and measurements, etc., providing insight to senior leaders into effectiveness of controls and inform governance work
Required qualifications, capabilities, and skills
- 7+ years of experience or equivalent expertise in technology risk management, information security, or a related field, with a focus on managing risk identification, assessment, and mitigation
- Demonstrated expertise in risk management frameworks, industry standards, and regulatory requirements relevant to the financial industry
- Advanced knowledge and experience leading data security, risk assessment & reporting, and control evaluation, design, and governance, with a track record of implementing effective risk mitigation strategies
- Possession of a risk mindset to understand the business and related technology risks and regulations
- Comfortable with making subjective, but informed, decisions with the ability to work autonomously to effect change; flexible and adaptable to shifting priorities; able to manage competing priorities to achieve the most effective result; able to work in a fast-paced, results-oriented environment
- Demonstrated successful oversight of vulnerability management actions and experience working in a matrix management model utilizing virtual teams. Experience working both independently and in a team-oriented, collaborative environment is essential
- Proven ability to lead large teams, manage cross-functional projects, influence executive-level strategic decision-making, and effectively translate technology insights to business strategy in communications with senior executives
- Possess excellent communication skills, both verbal and written, for all levels of the organization
- Cultivation of strong influencing skills, comfortable executing against recommendations and plans by overcoming barriers and resistance. Possess the ability to forge strong relationships and build a wide network throughout the firm
- Ability to hire, manage and motivate a team in executing to reduce financial loss, regulatory exposure, and reputational risk
- Possess the experience to establish control governance and reporting to identify meaningful metrics to inform on the health of operational risk and control environment; escalate control gaps and weaknesses based on key reporting indicators; and manage control committees and forums
Preferred qualifications, capabilities, and skills
- Ability to partner with the line of business to implement solutions, as well as understand potential benefits, applicability of automation, and machine learning for the line of business
- Experience to understand themes and root cause for better problem solving and share lessons learned broadly across the firm to help identify risks proactively in other parts of the firm
- Experience working with or in Fortune’s top 100 global companies and successful in leading global risk management organizations, control assessments and remediation oversight