The Technology Risk and Controls Framework Manager is a Vice President role within CTC’s Technology Risk and Control (TRC) organisation. Reporting into the firmwide technology Chief Controls Manager, TRC leads the definition and execution of our technology Governance, Risk & Compliance (GRC) discipline, which provides the framework for managing the firm’s corporate Information Risk Management program.
This role, which requires a combination of in-depth expertise and highly effective organizational skills, is critical to the overall success of the Information Risk Management program. The candidate must be a highly motivated individual with strong leadership and influencing skills. They will be able to leverage their experience to advance the firm’s framework for managing technology risks and controls, which aligns technology policy with cybersecurity & technology control solutions and (based on metrics and quantitative assessment) appropriately informs the firm’s Operational Risk Management reporting. Note that although the framework is established and operational, the space is dynamic, rapidly evolving, and is subject to continuous reassessment and changing priorities.
The position will work closely with various partners across the firm, including but not limited to colleagues in CTC, Enterprise Technology product & engineering, Information Risk Managers and Technologists in our Businesses and Corporate Functions, Operational Risk Management & Compliance, Audit, as well as regional partners across the globe. The ability to work effectively with a diverse set of stakeholders is essential. The role requires creativity, critical thinking, strong communication and influencing skills, and the ability to work across a large and complex organization that features prominently in both U.S. critical infrastructure and the global financial ecosystem.
Responsibilities
Working within the CTC-TRC Frameworks Team, in partnership with stakeholders from across Global Technology, you will lead the ongoing program to accurately represent and maintain the firm’s complex technology operations within the Corporate Operational Risk Environment (CORE) system. This includes: Defining the Risk Identification framework, and executing it with other Risk Identification partners to ensure identified technology risks are reflected into CORE, which provide the firm’s risk management functions ability to report, monitor and mitigate emerging risks. Consulting with technology owners in Product, Engineering and Operations to appropriately model their processes, sub-processes, risks and controls for assessment. Ensuring technology risk and controls reference data (e.g., risk scenarios, policies, standards, procedures, etc.) is available and aligned for use in CORE, such that assessments are consistent and can be justifiably informed by the performance data gathered from the technology estate (i.e., metrics & measures). Consulting with business-aligned information risk managers to ensure technology assessments are aligned and inform business operational risk assessments in a meaningful, actionable manner. Collaborating closely with Operational Risk Management and Business Controls Management to ensure that technology risk and control taxonomies are optimised, with supporting systems able to interoperate. Driving and leading change initiatives across the Firm’s Risk Organisation (both Technology and Business) to improve the understanding of technology risk. As the CORE system is used to manage and report the firm’s Operational Risk (including information, technology & cybersecurity risk), it is referenced by a majority of the independent assessments, audits and regulatory exams that the firm’s technology is continuously subject to. As a result, there are a significant number of partners from across Global Technology and beyond interested in the content of CORE. Effective communications, influencing and stakeholder management are key aspects of this role, including with senior and executive management.Skills / Qualifications
Proven experience in the technology risk & controls and information risk management fields (e.g., identification of technology risks & effective mitigants, technology risk & controls assessments, associated governance & reporting, etc.) Knowledge of compliance, conduct, and operational risk management frameworks and processes Experience in using common technology controls industry best practice (e.g., from NIST, ISO, ISACA, etc.) frameworks Experience in identifying use cases and business logic for continuous controls monitoring, and partnering with product and engineering teams to develop and implement Good working knowledge of technology-relevant financial services regulation (e.g., FFIEC handbooks, etc.) Good working knowledge of common & current information technology implementations (additional weight given for familiarity with Public and Private Cloud Implementation) Inquisitive nature and comfort challenging current practices; proven track record of driving ideas forward and influencing Adept at developing relationships with senior business executives; reputation for partnering across organization lines to mitigate risks Strong organizational, project management, and multi-tasking skills with demonstrated ability to manage expectations and deliver results. Use of work management platform such as JIRA to ensure operational discipline. Demonstrated written and oral communication skills and excellent analytical and problem-solving skills Experience in identifying and using data from large data sets to support enterprise scale initiatives via analytics (such as AI/ML techniques, Alteryx, Tableau) Ability to collaborate with high-performing teams and diverse stakeholders to accomplish common goals, including experience working with geographically distributed and culturally diverse colleagues High level of professionalism, self-motivation, and sense of urgency Ability to be flexible, follow tight deadlines, and to operate under pressure when required