This Second Line of Defence IT Risk Manager plays a crucial role in ensuring the organisation's IT systems and infrastructure are resilient and secure, aligned with regulatory expectations and industry best practices. This role provides independent oversight and challenge to the first line of defence (IT and other business units) regarding IT risk management, ensuring the effectiveness of controls and the accuracy of reporting. This individual will be a key contributor to the organisation’s overall risk posture, particularly regarding the effective management of ICT and information security risk.
Qualifications
* Extensive experience in operational resilience, information security, IT audit, or IT risk management within a financial institution. This should include a proven track record of success in shaping and implementing risk management strategies.
* Strong understanding of UK, EU, and international resilience regulations and standards, including NIS2, DORA, FCA, and PRA guidelines.
* Proven ability to collaborate with senior management, providing independent challenge and advice on IT risk management.
* Excellent communication, presentation, and report writing skills. The ability to communicate complex technical information to both technical and non-technical audiences is essential.
* Strong analytical and problem-solving skills. The ability to identify and assess risks, develop mitigation strategies, and provide actionable recommendations is crucial.
* Experience with risk management frameworks and methodologies (e.g., COSO, NIST).
* Professional qualifications such as CISM, CRISC, or similar are desirable.
Desirable Skills and Experience:
* Experience working in a regulated financial services environment.
* Experience with cloud computing and related security risks.
* Experience with data security and privacy regulations (e.g., GDPR).
This position is based in Dunton, Essex and it is expected the successful candidate will be able to attend the Dunton Campus for typically 2 to 3 days a week and remain flexible on the days they are required to attend the office according to business requirements.
Note: Banking and Compliance training including fair treatment of customers is mandatory for all FCE employees. Necessary training will be given to any successful candidates that require it.
The Company is committed to diversity and equality of opportunity for all and is opposed to any form of less favourable treatment or harassment on the grounds of race, religion or belief, sex, marriage and civil partnership, pregnancy and maternity, age, sexual orientation, gender reassignment or disability.
If you are concerned about applying due to disability, please contact us; we’re an inclusive team and would like to discuss what adjustments we can make to support your application.
Responsibilities
* ICT Risk Management Framework: Own and maintain FCE’s ICT Risk Management Framework (RMF), ensuring alignment between it and the information security framework.
* Risk Monitoring and Reporting: Lead the monitoring and reporting of information security and ICT risk information to the Board and Executive Committee. This includes developing key risk metrics, generating comprehensive reports, and presenting findings to senior management.
* Regulatory Compliance: Ensure compliance with relevant UK and EU regulations and standards (e.g., NIS2, DORA, FCA, PRA) and international standards (e.g., ISO 27001, ISO 22301). This includes advising on regulatory requirements and ensuring that the organisation’s IT systems and processes meet these standards.
* Second Line Oversight: Provide independent second-line oversight and challenge to the first line of defence on all aspects of ICT risk management, including:
o IT Service Continuity: Oversee the development and maintenance of IT service continuity plans, ensuring that critical systems can recover swiftly from disruptions.
o Third-Party Risk Management: Review and assess risks associated with third-party IT service providers, ensuring appropriate due diligence and controls are in place.
o Incident Management: Provide oversight for incident response, ensuring that incidents are managed effectively and lessons learned are implemented.
o Resilience Testing: Oversee the design and execution of comprehensive resilience testing, including penetration testing, load testing, vulnerability assessments, disaster recovery exercises, and business continuity drills.
o Intra-group ICT Service Provision: Lead oversight of the provision of ICT services within the group, assessing the risks and ensuring appropriate controls are in place.
* Risk Assessment: Conduct regular second-line risk assessments, focusing on critical IT services, third-party dependencies, and business-critical operations. Utilise a range of risk assessment methodologies to identify, assess, and report on potential risks.
* Stakeholder Management: Engage with internal and external stakeholders, including senior management, regulators, and third-party providers, to ensure resilience objectives are well understood and executed. This will involve effective communication and collaboration with a wide range of stakeholders.