Specialist-Risk Management

Job Purpose •

Run the IT Risk management framework for the Bank in the capacity of first line of defense • Play a critical role in identifying, assessing and support in mitigating technology risk • Support in review, updation, approval and publication of ITPP on a periodic basis & management of process automation projects • Collaborate with stakeholders to integrate risk management principles into processes • Develop and foster a culture of risk awareness across the organization

Job Responsibilities:

A. Risk Management- First Line Of Defense-

• Providing guidance in the development, implementation, and communication of risk related policies and standards • Collaborating with IT Verticals in identifying technology risk issues and ensuring conformance with applicable standards and processes • Partner across 2nd line of defense to support consistency of processes, assessments, action plans and elevations • Risk governance which includes definition of risk indicators/ performance indicators/ other risk metrics, provisioning for risk acceptance documentation and other information in order to provide a holistic picture of Information Technology Risk posture • Benchmarking of IT controls with global risk & control frameworks such as COBIT, ISO, COSO etc and closure of gaps identified • IT process maturity assessment based on the benchmarking exercise • Assist with the Technology Risk reporting operations, including scheduling key monthly meetings, monitoring key milestones, escalation of past due activities, problem triage and

management, and archiving key monthly artifacts for audit purposes. • Develop on-going technology risk reporting, monitoring key trends and defining metrics to regularly measure control effectiveness • Providing timely updates to address any Information Technology risk issues • Promoting technology risk and operational risk awareness • Staying current in technology specific risk management techniques, industry best practices and regulatory requirements as well as specific areas of Information Technology Risk

B. Risk & Control Self Assessment (RCSA):

• Drive the RCSA program for IT Policies and procedures/ Applications • Work with IT verticals and ITDRM for the design and implementation of Risk and Control Self Assessment (RCSA) program for the IT unit of the Bank for IT policies and procedures • Conduct RCSA awareness workshop for the process/sub-process owners to familiarize them about the framework requirements, expected benefits, training to identify risk and controls, testing methodology, documentation, sustenance process, roles and responsibilities. • Risk identification and assessment of severity, impact and likelihood of occurrence • Control identification/ classification/design & implementation • Metrics identification, measurement and reporting • Test of design and operating effectiveness of controls and Residual risk assessment • Work with Process owners to develop the Risk Treatment Plan (RTP) • Governance over implementation of RTP • Annual review and revision of RCSA content to ensure relevance and usefulness. Ensuring alignment of RCSA with IT Policy & Procedure • Periodic testing of Risks and controls as a part of continuous risk assessment strategy • Identification of new/ emerging risks and changes in controls and updation of RCSA on a continuous basis • Support the ongoing development of the Banks overall operational risk framework including defining formal policies and procedures and ensure conformance with it for technology risk • Liaison with IT Functional and Technical teams to identify the critical applications for control testing and create a framework for self assessment of controls • Liaise with second line of defense for conduct of RCSA for IT unit • Create and maintain IT Risk Register & monitor residual risk and risk treatment plan implementation

(C ) Risk reporting :

• Drive the implementation of Technology Risk framework for the Bank. • Identify, monitor, maintain and continuously improve the control stack for technology risk including documentation of KRIs to ensure relevance and completeness • Quarterly assessment of Key Risk Indicators forming part of the ICAAP Framework to determine if the residual risk is within the thresholds approved by senior management and ensuring root cause analysis and necessary corrective/ preventive action is carried out on a timely basis • Reporting of Key Risk Indicators along with root cause and remediation for breaches, if any to the Risk Governance committees • Follow up with IT verticals to ensure that the committed mitigation action has been implemented and reporting of delays, if any, to management • Conduct Problem review meetings with IT verticals and TMAC- Quality on a weekly basis to arrive at root cause and remediation plan and demonstrate visible results in terms of reduction of High Risk KRIs • Tracking of open KRIs and action items from risk committee meetings • Automation of Risk reporting including Key Risk Indicators and dashboards

D) Other responsibilities :

• Review the IT Policy and Process at an agreed frequency along with the Process owners. Work with concerned stakeholders for ITPP related to new/ emerging technology. • Maintain a comprehensive ITPP repository with version history and trail of changes. • Track and report Key Performance Indicators for ITPPs at regular intervals and track remediation for threshold breaches, if any. • Conduct benchmarking of ITPP with globally adopted risk and control frameworks such as COSO, COBIT, ISO etc and perform gap and maturity assessment. Work with process teams for closure of identified gaps • Frontend all the audits (internal & external) and respond to the audit requirements pertaining to the IT processes. • Manage and Govern the IT application inventor Maintaining and enhancing guidance documents, execution templates, report designs, etc. providing guidance and direction w.r.t such frameworks which have been approved for adoption • Work with L&D team to identify training needs of IT employees, launch appropriate training programs for dissemination of ITPP knowledge and ensuring adherence to ITPP. • Work closely with Quality team on various Quality initiatives through a systematic PDCA continuous improvement model • Performing other duties as assigne

Educational Qualifications Key Skills:

• Graduation in Information Technology/ Risk Management/ related discipline

• Relevant certifications in Technology Governance, Risk & Compliance frameworks such as CISA, COBIT, ITIL etc. preferred

Key Skills:

• Strong understanding of IT systems, cloud infrastructure and emerging technologies • Proficiency in risk management tools and techniques • Excellent communication skills • Analytical and problem solving abilities • Proactive and detail oriented • Team collaboration and stakeholder management abilities • Adaptability in a rapidly evolving IT landscape

Experience Required:

• Minimum experience in years : 11 + yrs in IT risk management
• Exposure to banking preferable
• Proven experience with IT governance frameworks, regulatory compliance and risk assessment tools