The IT Resilience and Continuity Officer within the Company RISK ORC ICT Organization in CIB Americas is responsible for managing the day-to-day execution and coordination of 2LoD oversight of IT Infrastructure Management and IT Service Management Risks, and for contributing to the ongoing enhancement and integration of Business and IT Continuity Risks. The individual will maintain this oversight within a defined process, ensuring that the bank's technology infrastructure, applications and critical business services meet regulatory requirements and the internally established control framework, with a specific focus on IT Resilience and Continuity risks.
This role is a critical component within the CIB Americas RISK ORC ICT organization in ensuring the Entity's ability to prevent disruptions to its vital business and IT services from occurring, to continue to maintain critical services if a disruption or incident does occur, and to return to normalcy when the disruption or crisis is eliminated. This applies to Cyber, Technology, Third Parties, Physical infrastructure and People.
The responsibilities shall include planning, integrating, testing and governing activities to ensure that the CIB Americas can:
- Contribute to the identification and recommendations to mitigate business and system disruption risks before they occur
- Maintain oversight for and respond to disruptive events (realized risks) in a manner that demonstrates 2LoD oversight of IT Infrastructure Risks (Network, Data Centre, Storage, Backup etc.) and IT Service Management risks (Incident Management, Problem Management, Change Management, Capacity Management etc.)
- Monitor and maintain 2LoD command and control during business and IT disruptions and crises, across a variety of resilience scenarios
- Recover and restore mission-critical services and operations following an incident within the agreed risk appetite levels set by management
These are achieved through the management and execution of key day-to-day responsibilities:
- Contribute to the overall enhancement in Operational Resilience of CIB Americas and IHC in coordination and consultation with RISK ORC ICT and RISK ORC leadership
- Provide 2LoD oversight through appropriate risk anticipation, assessments and check & challenge of IT Resilience focusing on IT Infrastructure and IT Service Management risks (including in evolving domains such as Enterprise Cloud)
- Collaborate with 1LoD and 2LoD specialists to reduce Cloud risks:
  - Perform architectural and deployment reviews to minimize single points of failure and catastrophic IT incidents
  - Engage on known or emerging security and IT risks for Cloud services by initiating or influencing the development of new platform / security architectures and compliance with architectural principles and objectives
  - Apply DevSecOps architecture and solutions to the design of secure compute services, patch management, data security, network security, and regulatory and compliance requirements
- Contribute to the check & challenge of the overall resilience readiness for CIB Americas and focus on the alignment and integration of IT Continuity risks within the overall Business Continuity Risks for the bank
- Participate in IT risk and architecture working groups and collaborate with key stakeholders in RISK ORC and RISK ORC ICT to independently identify, assess, mitigate, report and escalate material ICT risks as appropriate.
- Technically challenge the comprehensiveness of testing arrangements in line with regulatory as well as internal policy requirements
- Actively contribute to the development of 2LoD policies, standards and procedures and contribute to the review and challenge of 1LoD policies, standards and procedures related to the assigned disciplines.
- Perform regular and ongoing monitoring of incidents and produce high quality analysis fit for management consumption.
- Assist with developing independent Risk opinion on local or regional incidents and to highlight key control deficiencies
- Perform thematic reviews and deep dives on specific programs and projects aimed at improving the IT platform stability and resilience of CIB Americas
- Work with cross-functional leadership teams in RISK ORC and RISK ORC ICT and contribute to 2LoD oversight during IT and business disruptions and crises
- Provide subject matter expertise during response to local or regional crisis events
- Contribute to 2LoD engagement and response, including in assisting enhanced reporting to management or to regulators
- Assist in providing active advisory, partnership, challenge or approval to applicable risk owners to ensure appropriate prioritization and resolution of regulatory or IG findings and related actions
- Contribute to the planning and development of 2LoD independent crisis management exercises: conduct independent research on IT and Cyber threats, recommend suitable storylines and scenarios, and design injects, working alongside several other contributors in the process
- Contribute to the overall design, development and specification of new/redesigned projects, processes, systems, information, risk controls, testing regimes, documentation and supporting materials.
- Manage key stakeholders to enable the efficient execution of own responsibilities; establish and maintain ongoing collaborative relationships with CIB Americas and IHC 2LoD and 1LoD partners.
- Collaborate with other 2LOD functions and teams across the Americas and Group on common priorities/projects (e.g. IHC-level processes, Group-level initiatives)
- Initiate timely escalations to the Head(s) of RISK ORC ICT and RISK ORC, as well as Chief Risk Officer(s) where appropriate
Minimum Required Qualifications
- Practitioner experience (10 years minimum) in IT Infrastructure and Service Management Risks (IT Resilience) and Continuity Risks
- 7 years leading risk assessment or related risk management activities, both leading and acting as an individual contributor
- At least the last 2-3 years focused on enterprise-wide Cloud reference and model architectures and cloud solutions architecture
- Bachelor’s degree (Information Technology preferred)
- Extensive knowledge of technology and banking products in an operating environment
- Knowledge of existing and evolving regulatory environment on applicable Technology Risk and Business Continuity regulatory requirements in financial services sector.
- Strong connections within the industry, able to collaborate on market-wide incidents
- Practical experience with Operational Risk Management practices (e.g. RCSAs, Risk Scenarios)
- Strong data analysis skills in Excel
Key Competencies and Behaviors
- Track record of performance in highly matrixed organization
- Excellent ability to understand how and why processes and solutions are designed to deliver specific outcomes
- Excellent written and verbal communication skills including the ability to write executive-level communication as well as more detailed, technical reports and risk opinions
- Proven ability to think outside of the box, challenge status quo and adapt quickly to evolving requirements
- Good team player with strong stakeholder management, relationship building, influencing, facilitating and presenting skills.
- Ability to work collaboratively by building consensus and influencing decision making to foster forward progress with projects and initiatives.
- Excellent organizational skills, coupled with ability to be versatile and flexible
- Sound judgment, high levels of demonstrated analytical and critical thinking
- Demonstrated ability to work independently and within a team
- Demonstrates a calm, professional approach, with a good understanding of delivery within time constraints and of the need to escalate to or inform departmental management as appropriate
- Adapts personal approach to suit situations, individuals, groups and cultures; is flexible about getting the job done
- Takes accountability for own actions, is open and honest when things have gone wrong, and celebrates successes when things have gone well
- Is rigorous and thorough, especially when logging and tracking issues through to conclusion
- Proven ability to manage own workload so as to meet the realistic targets and priorities set in conjunction with management
- Demonstrate a high-level of commitment and self-motivation, combined with enthusiasm and a genuine interest in the role of Risk Assessment in business
- CISSP, CISA, COBIT, ITIL, MBCI
- Cloud certifications (AWS, Google, Microsoft)
- Other Risk Management certifications and accreditations an asset
- French, Spanish or Portuguese language an asset
- Macro development, Visual Basic scripting, and working knowledge of tools such as Power BI