Risk Manager – Information Security Risk (15248217/002) London, England

To operate at a global / regional or country level as required to manage the overall relationship between ISR and the GB / GF / (Non-IT), providing ISR representation on key committees and assisting the GB / GF / (Non-IT) to remain within their risk appetite.

- Liaising with Global/Regional/Country Heads of the GB/GF(s), the Global/Regional/Country BRCM(s) and BIROs to provide updates on information risk and follow up on risk mitigation
- Assisting the GB / GF / (Non-IT) in defining their information risk appetite
- Maintaining on-going visibility of GB / GF / (Non-IT) key initiatives and helping to prioritise ISR oversight according to risk
- Increasing the understanding of information risks within the GB / GF / (Non-IT) by explaining these in plain/business terms and helping them to ensure that these are kept within their risk appetite by recommending mitigating actions
- Maintaining oversight of Information Risks in the GB / GF / (Non-IT) by reviewing RCAs, MSIIs, Internal Audit findings, BRCM reviews and any other ISR related KRIs to establish risk themes and provide advice on remediation
- Providing risk opinion and guidance to the GB / GF / (Non-IT) on dispensation requests
- Managing and maintaining close oversight of all ISR related incidents with a view to providing assurance that risks and impacts have been handled effectively
- Supporting the GB / GF / (Non-IT) in the RCA process and the use of the ISR Risk and Control Library to ensure relevant information security risks and controls are included in the RCA.
- Liaising with all Function Heads within ISR
- Documented risk appetite for the GB / GF / HTS (Non-IT)
- All IS risks and controls documented and included in the RCA
- Catalogue of key initiatives maintained with current status
- Effectiveness: To work with all areas of ISR locally and globally to develop an engagement framework that allows ISR as a global function itself to:
- Reduce duplication of effort and ensure best use of scarce ISR resource
- To have single / globally aligned frameworks
- To have single / globally aligned risk model
- To drive efficiency and practical implementation of global process
- To standardise and globalise where feasible and manageable without losing coverage for regional or local processes
- Control: Establish processes to ensure compliance with all internal and external regulations

- Have expert and extensive Information Security Risk and Operational Risk knowledge in order to engage appropriately with the different risk managers in the Group and with external parties, together with an understanding of the risk characteristics of key products and channels
- Be able to implement a vision and strategy for risk capability across the global functions and communicate to key stakeholders including those at C-level and get their buy-in
- Have significant gravitas that will be obvious to all parts of HSBC, enabling them to engage senior SR managers and GB / GF stakeholders in order to win their confidence and help influence their decisions
- Knowledge of all major areas of a Global Bank that can span retail, commercial or investment banking products and processes
- Have excellent communication skills to be able to build relationships with key internal & external stakeholders and be able to implement strategy and vision
- A change agent who is not afraid to change the status quo in order to drive Group strategy
- Experience in dealing with complex matters by adopting a pragmatic approach, identifying core requirements from both a security and a business perspective and translating them into simplified activities that address the problem
- Transformation and change programmes experience
- Experience in Information Security Risk management processes
- Professional related security qualifications preferable such as CISM and CRISC