Technology Risk:
The first role of the job holder is to effectively manage Technology risk in the second line of defense. The Manager shall oversee all Technology-related rules, regulations, issuances, and standards and ensure that CIMB Bank Vietnam is compliant. The incumbent shall assess and manage threats/risk, IT & Cyber Security Risk, Technology Resilience, 3rd Party Risk and Assurance, Reporting & Analytics.
The incumbent shall work closely with the related business units (especially the IT and Digital Development team), Group Technology Risk and local regulators where applicable as part of the incumbent’s accountability to assist the Head of Risk in managing CIMB Bank Vietnam’s Technology risk.
Business Continuity Planning:
The second role is to manage Business Continuity Management and Sustainability under the guidance of the Head of Risk.
Key Responsibilities:
The Key Responsibilities of the Technology Risk Role are as follows:
Common roles and responsibility
- Manage the Technology Risk Management Framework (TRMF) and Policy (TRMP) to align with the changing regulatory landscape and identified areas for control improvements
- Define and manage the TRAS and KRIs to drive actions to meet the approved thresholds and manage associated risks
- Execute the ORM validation requirements for RCSA, CET, LED, CIMs, KRIs for technology-related matters
- Assess/validate the Product Approval submissions involving technology implementations and changes prior to notifying regulators
- Review Technology Risk assessments related to Project Implementations
- Drive awareness of technology risks & adoption of the TRMF, TRMP, Technology Risk Appetite Statement (TRAS), & Key Risk Indicators (KRI)
IT & Cyber Security Risk
- Second line of defense oversight on effectiveness of controls to manage IT & Cyber Security Risks across the organization
- Identify emerging risks & threats, engaging with IT Security and observation of external events
- Lead & orchestrate annual Red Teaming and Cyber Drills
- Progressively elevate Cyber Risk Maturity posture of the organization
Technology Resilience
- Second line of defense oversight on effectiveness of controls to manage Technology Resiliency Risks
- Review/Endorse External Independent Assessment reports on Resiliency
- Review operational thresholds for improvement and standardization opportunities
- Perform event-driven deep-dive assessments where necessary
Third Party Risk
- Conduct assurance on 3rd Party IT Due Diligence for onboarding and periodic reviews and engage with GTRM SMEs where required
- Monitor events related to 3rd Parties in the public domain and trigger ad-hoc assessments, where necessary, in collaboration with Group Outsourcing Governance (GOG) and Service Owners
- Engage 3rd Party Governance policy owner for P&P improvements
Assurance, Reporting & Analytics
- Lead the development of annual Independent Risk Assessment through the identification of risk themes and reporting
- Lead the collation of group data and preparation of monthly TRAS & KRI performance metrics & insights for Technology Risk reports
- Coordinate the ORM validation activities within GTRM and any ad-hoc demands
The Key Responsibilities of the Business Continuity Management are as follows:
- Process Resiliency: Deliver process resiliency by enhancing business function recovery capability in a timely manner following a disruptive incident.
- System Resiliency: Deliver IT systems/ applications commitments (SLA/ Availability, Recovery Time Objective, DR capacity) to System Owner and business stakeholders.
- Location Resiliency: Enhance capability to recover business functions following a disruptive incident of work locations.
- Manage the Business Continuity Management Policy & Procedure to align with Group's P&P, the changing regulatory landscape and identified areas for control improvements
Job Specification
- Relevant degree or equivalent from a recognized University.
- Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified Ethical Hacker (CEH), Offensive Security Certified Professional (OSCP), or Certified Information Systems Security Professional (CISSP) are preferred.
- ITIL, ISO27001, and COBIT Certification are preferred.
- Background in Science & Statistics is an advantage
- With at least 10 years of working experience in a technology risk function, preferably at the managerial level.
- With significant experience gained in the banking sector, preferably with a focus on information security, data privacy, risk management, legal, audit, operations, etc.
- Experience with Operational Risk framework, Business Continuity Management is a bonus