Group Head of Cyber, IT and Fraud Risk Management

  • Competitive
  • Manama, Capital Governorate, Bahrain
  • Permanent, Full time
  • Arab Banking Corporation
  • 23 Mar 19

The management of IT Risk has been gaining importance rapidly over the last couple of years. The number and the sophistication of “cyberattacks” have gone up dramatically. There is growing concern, not only among regulators and governments (anti-crime units) but also among the general public, that banks should improve their defences against unauthorized access to client accounts and to confidential information (including client data). Against this backdrop ABC has decided to strengthen its governance for the management of IT risks across the whole group.

An important element of this is the formal establishment of a 2nd line IT Risk management function, manned by specialists.

Information technology is bound to keep on changing rapidly. The same can be expected of cybercrime.

The job holder will have to keep up with the latest technologies and the latest threats and vulnerabilities. He will have to ensure that the frameworks for the management of IT risks are updated and provide effective protection against the latest threats.

Principal Responsibilities, Accountabilities and Deliverables of Role:

Leadership

  • Lead the continuous development and implementation of the framework for the management of IT risk across ABC Group. IT Risk includes risks in the Information Security/Cyber and Business Continuity domains.
  • Lead the process for the establishment and approval of an appropriate risk tolerance framework for IT risks.
  • Oversee the development and implementation of the Fraud Risk Management policies, standards and frameworks.

Key responsibilities, accountabilities and deliverables

1. IT Risk management strategy:

  • Define and recommend to the appropriate Risk Committee an annual IT risk strategy that dovetails with the approved business strategy.
  • Direct the submission of actionable (consolidated) risk reports to the appropriate stakeholders (Board Risk Committees, Risk Committees, Senior Management, etc.) for on-going monitoring of strategy and key IT risk exposures.

2. Development of IT Risk policies

Lead the development of the key components of the framework for the management of IT risk, including but not limited to:

  • Risk and control self-assessment systems (bottom-up, top-down, local/group-wide);
  • Incidents and loss events database;
  • Key risk indicators;
  • Group-wide control standards;
  • Standard and “ad hoc” IT risk reports;
  • Appropriate MIS.
  • Lead the enhancement of risk reporting in coordination with system vendors and unit risk management.
  • Direct the development of the methodology for measuring IT Risk
  • Participate in the development of best practices for management of IT risk both at the HO level and at the Unit level to ensure that ABC group’s risk management processes are aligned to the developing industry practices

3. Implementation of framework for management of IT risk across ABC group

  • Oversee the management of IT risk across ABC Group through various monitoring tools e.g. RCSAs, KRIs, control standards, reporting of incidents, etc.
  • Review and approve individual units’ IT risk management policies & procedures to ensure compliance with group standards and policies;
  • Ensure that the frameworks for management of IT risks are aligned to the framework for Information Security (Cyber) and Business Continuity Management (including Disaster Recovery).
  • Lead the group-wide development and implementation of the frameworks for the management of IT risk in line with the framework for the management of operational risk and in line with the regulatory requirements (CBB and Basel Committee). Coordinate with local Unit risk management to ensure that local regulatory requirements are being complied with.

4. IT risk management

  • Direct & lead the development of appropriate risk profiles of individual business units and a corporate profile for the company to identify areas of significant IT risks, and recommend actions, if any, for control, mitigation or transfer of these risks.
  • Provide day-to-day direction, guidance, training and support to Unit IT Risk Departments on implementation of the framework and its on-going management.
  • Carry out ad hoc requests from senior management. 
  • Participate in the development of new products and change management projects (including projects to introduce new technologies) to ensure that the inherent IT risks are assessed and mitigated prior to launch/implementation.

5. Implementation of a Governance Risk and Compliance Tool

  • Oversee the implementation of a Governance Risk and Compliance Tool
  • Set requirements, agree development with the vendor, plan delivery
  • Provide training
  • Responsible for overall budget and planning (across the three Control functions ORM, Internal Audit and Compliance)

6. Business Continuity Management (and Disaster Recovery)

  • Develop the framework and methodology for Crisis Management, Business Continuity Management and Disaster Recovery Management
  • Assist the first line with the implementation of the framework and methodology
  • Provide assurance during tests to ensure test objectives are reported accurately 

7. Fraud Risk Management

Direct the development of a framework and methodology for the management of Fraud Risk through the Group Head of Fraud Risk Management

Culture and Behaviour

  • Raise awareness for IT risk – Training
  • Conduct necessary training and provide guidance to the risk managers in the Head Office, Branches, and Subsidiaries on all aspects of the IT risk management policies, procedures and framework, including implementation, on-going maintenance and reporting.

 

Job Requirements:

Knowledge

  • Extensive knowledge of IT Risk, IT Audit, IT Security (incl. Cyber), Fraud Risk and/or Business Continuity;
  • Practical working experience with IT risk & control frameworks;
  • Demonstrable understanding of the regulatory compliance environment in different countries where ABC group operates;
  • Broad knowledge of operational risk disciplines, IT Risk, Information Security, Business Continuity and Disaster Recovery;
  • Relevant knowledge of industry process, control and risk frameworks, e.g. ITIL, COBIT, ISO 27001/2, COSO, NIST;
  • Strong practical experience with IT Risk Assessment frameworks, tools and methodologies as applied to business processes, business applications, technology infrastructure and third parties
  • Practical knowledge of Operational Risk tooling e.g. Governance, Risk and Compliance applications (including reporting aspects)

 

Education / Certifications

  • Master's degree from a reputable university
  • Post Graduate Degree in Information Technology
  • Formal academic credentials related to IT Risk (IT, Information (Cyber) Security, Risk Management, Business Continuity);
  • Appropriate qualifications (CISSP, CISM, CISA, CRISC or equivalent).

 

Experience

At least 15 years of relevant work experience, with a minimum of 7 years in Cyber and IT Risk Management.