Director, CSS Risk & Control, CAAT

Job Description

• To lead and support cyber security risk and control activities across the Bank. This will entail working on the assignment to assess key risk, key controls, identification of control gaps with remediation to address the risk, regulatory requirements and internal policies/standards.
• Provide timely and accurate reporting to appropriate committees, most specifically the CSS Risk Forum and TDR NFRC.
• Ensure appropriate oversight and facilitate resolution of high impact risk and issues.
• Tracking and reporting of risk assessments and their outputs to ensure oversight and escalation mechanisms are in place to provide MI on obligations.
• Work with the CSS Service Lines to identify emerging risks and ensure they are appropriately addressed and subjected to formal governance.
• Manage and drive continuous improvement of the CSS internal risk profile reporting, issue management processes and supporting tools.
• To act as lead and take responsibility for overseeing the delivery of high-quality assignment in an efficient and effective manner, within the given budget and timelines and in line with defined standards
• To provide clear guidance, supervision and support to team members through technical/ product knowledge and expertise for their assignment relating to the individual s area of responsibility
• To provide good technical input and challenge on assignment to steer team member in producing high quality output which address the risk
• To oversee, track and validate all remediation completion to address the risk
• To lead continuous monitoring of assigned focus areas, and to build and maintain engagement with domain management and internal stakeholders
• To provide insightful risk posture of assigned focus area(s) through thematic and accurate risk profile and reporting including corelating relevant controls and associated risks/controls gaps (regulatory, internal and external audit issues, and self-identified gaps).
• Deliver risk focused, timely and re-performable deep dive reviews following TDR Control methodology.
• Design and maintain internal cloud security processes that allow CSS to dynamically monitor risk and controls.
• Maintain all ORTF based CSS controls and corresponding CSTs, KCIs and KRIs.
• Support the delivery of the overall COO TDR Conduct Risk Management plan.
• Provide timely and accurate risk & control MI to the respective risk forums.
• Drive compliance with the Bank s risk framework and policies (e.g. ERMF, ORTF and ICS RTF).
• Support the design, build, and implementation of effective processes and controls to effectively mitigate ICS risks.
• Support the CSS Function to be First to Know its risks & issues, and to deliver on its commitments.
• Support stakeholders in defining remediation actions to address identified control weaknesses and issues.
• Act as the key confidant to the CSS Process Owner(s) responsible for developing, prioritizing and implementing controls
• Maintain accurate and timely data within EORP and any other agreed repositories for risk & control data and issues.
• Track issue remediation, check and challenge delivery status and escalate delays.
• Validate that remediation activities completed by CSS address the risk in the issues.

Strategy

• Growing trust with clients and regulators by supporting the CSS Function to be First to Know its risks & issues, and to deliver on its commitments; and
• • The provision of timely, expert advice and assurance;
  • Partnerships with other functions to provide professional advice and assurance]
  • Build effective relationships with leaders to facilitate:

• Work closely with the TDR key strategic initiatives to provide delivery assurance and assessments of key deliverables.

People and Talent

• Provide strong leadership, management and coaching over colleague(s).
• Provide proactive self-orienting and self-motivating leadership, and work with limited direction.
• Build the right mix of SME and risk & control skills.
• Responsible for identifying risk related knowledge gaps across CSS and facilitate the provision of appropriate training to address these gaps.

Risk Management

• Support liaison with Group Internal Audit and any third party or regulatory inspections.
• Adopt an anticipatory approach to risk assessment through stakeholder engagement and monitoring of the external environment.
• Work with other control assurance teams to drive efficiency, effectiveness and reduce duplication.
• Support CSS Process owners in the execution of their accountabilities related to:
  • Identification and management of the end to end processes as defined by the Process Universe and associated risks for the activities carried out.
  • Implementing the RCSA to monitor the effectiveness of the controls and standards governing the end to end process.
  • Being accountable to the Group Process Universe Owner, framework and policy owners and implementing the control requirements applicable to the process.
  • Escalating significant risks and issues to the Process Universe Owners, relevant Risk Framework Owners or Policy Owners.
• Perform review of the control self-assessment outcomes, monthly control testing results and adequacy of the related remediation actions.
• Provide thought leadership on control design, assessment, testing processes and drive continuous improvement in ORFT and ICS RTF.
• Execute deep dive reviews and consistent, efficient and meaningful CSTs / KCI tests for CSS processes.
• Provide robust challenge and escalation to senior management to ensure activities achieve risk reduction.
• Manage and drive continuous improvement of the CSS control environment through proactive risk management.
• Lead and execute assessments against controls that underpin an organisation s Cyber/Information Security Management System including, but not limited to, the following domains:
  • DevSecOps;
  • Cyber Security Consulting/Assessment;
  • Cloud and Container Security;
  • Application and Infrastructure Vulnerability and Security Configuration;
  • Secure Code Review;
  • Penetration Testing;

Regulatory & Business Conduct

• Display exemplary conduct and live by the Group s Values and Code of Conduct.
• Take personal responsibility for embedding the highest standards of ethics, including regulatory and business conduct, across Standard Chartered Bank.
• Lead the Controls service team to achieve the outcomes set out in the Bank s Conduct Principles : The Right Environment.
• Effectively and collaboratively identify, escalate and resolve conduct and compliance matters.
• Provide timely and accurate risk & control information to support regulatory meetings and RFIs.

Key Stakeholders

• Global Head Operations - Trust, Data and Resilience
• Global Head Cyber Security Services
• Service Heads Cyber Security Services
• Trust, Data & Resilience MT
• Cyber Security Services MT
• Group Operational Risk
• Group CISRO
• Group Internal Audit T&I and Operations and Cyber

Other Responsibilities

• Perform other responsibilities as assigned by line manager.

Ideal Candidate

• Bachelor / Honours Degree in Information Technology, Computer Science, Cyber Security or other technology related qualifications or 10+ years of experience in cyber/IT security, technology audit or governance, which must include some element of experience in a risk and control or governance team.

Preferred:

• Background in the information and cyber security domain within international financial services organisations.
• Up to date with key regulation/developments in Information and Cyber Security Management Framework (including Technology Risk Management), Data, Privacy and Automation
• Professional Qualifications (i.e. CCSP, CCSK, CISSP, CISA, CRISC)
• Risk & control, assurance or audit experience
• Ability to challenge the status quo
• Demonstrates ability to work with limited direction and multi-task without loss of quality.
• Confident and courageous to raise/escalate issues in a pro-active, professional and timely manner

,

Keyskills :
code reviewsecurity riskservice linesinternal auditcyber securityexternal auditcloud securitycontrol testingtechnology riskoperational riskissue managementsecurity servicesdomain managementcorporate liaison