IT Risk Management Officer
2 weeks ago
The IT Risk Management Officer (2nd Line of Defense) provides independent risk oversight, challenge, and governance across the Bank's technology environment. The role designs and maintains the IT Risk Management Framework, ensures risks are identified, assessed, monitored, and reported, and confirms that the first line owns and manages IT risks effectively. The Officer partners with Technology, Cybersecurity/IS, Operations, and Business Units to maintain the Bank's risk appetite, strengthen controls, and meet applicable regulatory expectations (e.g., BSP regulations on IT risk and cybersecurity), while enabling safe and resilient digital growth. This position provides oversight, challenge, guidance, and governance. It does not own or operate first‑line IT controls or perform day‑to‑day IT/security operations.
Job Description:
1. Governance & Frameworks
1.1. Own the IT Risk Management Policy, standards, and methodology (aligned with enterprise risk, operational risk, and industry frameworks such as ISO 27001/27005, NIST CSF) and facilitate periodic reviews/Board approvals.
1.2. Maintain the IT risk taxonomy, risk appetite statements, thresholds, and Key Risk Indicators (KRIs) for technology and cyber risk.
1.3. Establish and run 2LOD governance routines (e.g., IT Risk Committee, Third‑Party Risk Committee) and contribute to Board/Board Risk Oversight Committee (BROC) materials.
2. Risk Identification, RCSA & Assessment
2.1. Lead and challenge first-line risk and control self‑assessments (RCSA) for IT, including infrastructure, applications, cloud, data, and cybersecurity processes.
2.2. Facilitate technology risk assessments for new/changed products, systems, and initiatives (including cloud, AI/ML use, APIs), ensuring proper risk sign‑offs and segregation of duties.
2.3. Maintain the risk register for IT risk events, causes, and impacts; ensure risk treatment plans are defined, funded, and tracked.
3. Monitoring, KRIs & Reporting
3.1. Define and maintain KRIs (e.g., patch latency, critical vulnerabilities, privileged access exceptions, backup success, DR test results, vendor SLA breaches) with thresholds and escalation paths.
3.2. Produce independent 2LOD reporting: monthly IT/Cyber Risk Dashboard, loss event summaries, issue status, and limit/threshold breaches; submit these on time to senior management and the Board.
3.3. Independently challenge first‑line metrics and narratives; require remediation where trends are deteriorating or breaching risk appetite.
4. Policies, Standards & Control Testing (2LOD)
4.1. Review and challenge first-line IT/cybersecurity policies, procedures, and standards for adequacy and consistency with regulatory requirements and risk appetite.
4.2. Plan and execute thematic control effectiveness reviews as 2LOD (non‑internal audit), focusing on design adequacy and outcome testing; agree action plans with owners.
4.3. Track and validate closure of issues arising from risk reviews, internal audit, external audit, and regulators.
5. Technology Change, Projects & Model/AI Use
5.1. Provide risk challenges for IT projects and change management (e.g., SDLC/DevSecOps, release management, configuration, and change approvals).
5.2. Review risk assessments for technology vendors/tools (including open‑source components) and emerging tech (e.g., cloud services, generative AI); ensure appropriate guardrails and monitoring.
5.3. Coordinate with Model Risk/Compliance for risk review of models/advanced analytics used in technology operations (e.g., anomaly detection, access analytics).
6. Third‑Party & Cloud Risk Management
6.1. Operate the 2LOD framework for third‑party technology risk: criticality classification, due diligence, contract risk clauses, ongoing monitoring, and exit strategies.
6.2. Ensure cloud risk governance (shared responsibility, data residency, resilience, logging/monitoring) and periodic assurance of CSP controls.
6.3. Oversee remediation of vendor findings and enforce service level/penalty regimes when warranted.
7. Cybersecurity & Incident Oversight (2LOD)
7.1. Independently review and challenge first-line cyber risk posture, vulnerability management, threat intelligence use, and incident response readiness.
7.2. Ensure notifiable incidents are escalated and reported per regulatory timelines and internal playbooks; confirm root‑cause analysis and corrective/preventive actions.
7.3. Oversee data protection risk in coordination with Compliance/Privacy and first-line IS teams.
8. Resilience, BCP/DR & Operational Risk Linkages
8.1. Oversee IT resilience posture: backup/restore, DR strategy and testing, RTO/RPO alignment, single points of failure, capacity/performance risks.
8.2. Review first‑line Problem/Incident/Change/Availability Management trends and systemic issues; ensure sustainable fixes.
8.3. Coordinate with Enterprise/Operational Risk for loss event capture, scenario analysis, capital modeling inputs (where applicable), and insurance considerations.
9. Regulatory Engagement & Audit Coordination
9.1. Monitor and interpret applicable regulations and advisories (e.g., BSP IT risk and cybersecurity requirements) and ensure timely compliance and gap remediation.
9.2. Prepare/coordinate submissions, self‑assessments, and responses to regulatory examinations and internal/external audits.
9.3. Maintain evidence repositories supporting regulatory compliance and management attestations.
10. Training, Culture & Advisory
10.1. Deliver targeted awareness sessions for senior management and business/IT staff on risk appetite, emerging risks, and lessons learned from incidents.
10.2. Provide constructive advisory to the first line without taking on operational ownership; reinforce 3 Lines of Defense roles and accountability.
11. Tools, Data & Automation
11.1. Define 2LOD data requirements and ensure data quality across risk dashboards and inventories (assets, applications, vendors, controls, vulnerabilities, findings).
11.2. Evaluate and deploy GRC tooling and analytics/automation to improve risk monitoring and testing efficiency.
12. People, Ethics & Continuous Improvement
12.1. Uphold the Bank's Code of Conduct and confidentiality requirements.
12.2. Continuously improve the IT Risk program through benchmarking and post‑implementation reviews.
Qualifications:
Bachelor's degree in Information Technology, Computer Science, Engineering, or a related field.
Certifications (at least one):
- Certified in Risk and Information Systems Control (CRISC)
- Certified Information Systems Auditor (CISA)
- Certified Information Security Manager (CISM)
- Certified Information Systems Security Professional (CISSP)
Experience:
- Minimum of 3 to 5 years of experience in IT risk management, IT audit, or a related field within the banking or financial services industry.
Experience covers:
- IT risk assessment and analysis
- IT governance and controls
- Cybersecurity and information security management
- Business continuity and disaster recovery planning
- Knowledge of banking operations and processes
Knowledge and Skills:
- In-depth knowledge of BSP regulations, particularly those related to IT risk management, cybersecurity, and operational risk, such as BSP Circular No. 808 (Guidelines on Information Technology Risk Management) and other relevant circulars.
- Familiarity with international standards and frameworks such as COBIT (Control Objectives for Information and Related Technologies), ISO/IEC 27001 (Information Security Management), and ITIL (Information Technology Infrastructure Library).
- Strong analytical and problem-solving skills to identify, assess, and mitigate IT risks.
- Excellent communication and interpersonal skills to effectively collaborate with various stakeholders, including business units, IT departments, and senior management.
- The ability to translate technical risks into business-friendly language and present findings and recommendations clearly and concisely.