IT Risk Manager

Overview

The IT Risk Manager plays a critical role in managing the organization's technology risk exposure, ensuring a resilient and secure IT environment. This position leads the development and execution of risk management strategies, including third-party risk oversight, major incident management, and enterprise business continuity planning. The role serves as a central point of contact for identifying, evaluating, and mitigating IT and cyber risks that could impact operations, compliance, or reputation. The IT Risk Manager collaborates with stakeholders across IT, legal, procurement, and business units to maintain a strong control posture and ensure preparedness for disruptions.

Responsibilities

• Develop and implement the IT Risk Management Framework, aligned with enterprise risk and international standards (ISO 27005, NIST RMF, COSO).
• Identify, assess, and prioritize technology and cyber risks across infrastructure, applications, and services.
• Maintain the IT risk register and facilitate regular risk reviews, treatment plans, and reporting to senior leadership.
• Coordinate risk assessments for new projects, technologies, and change initiatives.

Third-Party Risk Management (TPRM)

• Lead the development and execution of the third-party IT risk management program, from vendor selection and onboarding to ongoing monitoring and offboarding.
• Conduct due diligence and risk assessments on third-party vendors with access to sensitive data or critical systems.
• Ensure third-party contracts include appropriate security and resilience clauses.
• Monitor third-party security posture and performance, ensuring compliance with established policies and standards.
• Manage third-party security incidents and breaches, coordinating response and remediation efforts.
• Develop and maintain an enterprise-wide Major Incident Management Plan to ensure swift and effective response to IT and operational incidents.
• Lead incident response activities, including identifying, assessing, and managing incidents to minimize business impact.
• Establish an Incident Response Team (IRT) and facilitate regular incident response simulations and drills.
• Facilitate coordination with the Chief Information Security Officer to ensure effective collaboration among IT, cybersecurity, and business stakeholders in resolving incidents and providing timely updates to leadership.
• Perform root cause analyses (RCA) post-incident, document findings, and recommend process improvements to prevent recurrence.
• Define and monitor incident management key performance indicators (KPIs) such as response times and resolution rates.

Business Continuity Management

• Design and implement the organization's Disaster Recovery Plans (DRP) to ensure resilience of critical systems and processes.
• Conduct Business Impact Analysis (BIA) to identify critical business functions, dependencies, and recovery time objectives (RTOs).
• Develop and maintain contingency plans for various disruption scenarios, including IT outages, cybersecurity events, and natural disasters.
• Lead BCP and DRP testing activities, including tabletop exercises and full-scale simulations.
• Collaborate with business units to identify continuity requirements, ensure stakeholder buy-in, and align plans with organizational priorities.
• Oversee vendor dependencies and third-party risk management as it relates to continuity and recovery planning.

Stakeholder Engagement & Communication

• Communicate IT risk posture, incident status, and business continuity readiness to various stakeholders, including executive leadership, business unit heads, and technical teams.
• Serve as the key point of contact for incident escalation, recovery efforts, and crisis communication.
• Provide leadership during crisis situations, ensuring clear communication and decision-making to minimize operational disruption.

Who Are You?

1. Bachelor's degree in Information Technology, Risk Management, or a related field.
2. 8+ years of progressive experience in Incident Management, Business Continuity, Disaster Recovery, or IT Operations, with at least 3-5 years in a leadership or managerial capacity.
3. Demonstrated experience covering the full spectrum of IT risk, including operational risk, cybersecurity risk, and third-party risk.
4. Excellent analytical, critical thinking, and problem-solving skills, with the ability to translate complex technical issues into business risks.
5. Exceptional communication, presentation, and interpersonal skills, with the ability to influence and collaborate effectively with diverse stakeholders at all levels.

Relevant Certifications (one or more highly desirable)

• CRISC - Highly relevant for IT risk management.
• CISM - Covers information security governance, risk management, and incident management.
• CISA - Focuses on auditing, control, and assurance of information systems.
• CBCP / MBCP from DRI International - Specific to business continuity.
• CBCI / FBCI from BCI - Specific to business continuity.
• CTPRP from Shared Assessments - Specific to third-party risk management.
• CISSP - Broad cybersecurity knowledge.
• ITIL 4 Practitioner: Incident Management (or similar ITIL certifications) - Relevant for incident management processes.

#J-18808-Ljbffr

---