Head of IT Risk Control

Main Responsibilities:

• Assist Group COO and Group Head of ITD in maintaining/exercising oversight functions on key risks, controls and enhancement initiatives, to ensure proper governance and control are in place and in line with the control strategy and objectives set out by the ITD;
• Play an active role in identifying compliance and internal control issues within the ITD;
• Conduct and Review control self-assessment on governance, risk management and compliance to identify, assess, monitor and mitigate risks, and ensure associated controls within the Division are in place and sufficiently robust;
• Closely work with business and operation units in conducting periodic assurance checks or quality assurance reviews on control activities over ITD;
• To conduct end-to-end process review for control enhancements and perform oversight of the implementation of remedial actions;
• Act as a gatekeeper role to exercise oversight on new business initiatives, products, activities, processes and system (e.g. new product approval activities and major processes revision arising) and the implementation of mitigation measures in accordance with risk management and compliance framework;
• Cooperation with second-line risk and control units (i.e. AFD, GCD and ORD) to implement compliance, risk and control enhancements;
• Ensure ITD controls align with the Technology Risk Appetite Statement and internal control requirements;
• Implement adequate control measures, and ensure key control measures are carried out and complied with relevant policies and regulatory requirements, and mitigate emerging risks;
• Conduct risk monitoring duties and escalate incidents and risk events to risk management/ compliance units and senior management in a timely manner, and monitor the issue resolution to ensure timely actions are taken;
• Implement and maintain risk and control tools to analyze and mitigate the risk and control issues within ITD;
• Report any events and observations over internal controls, risk and compliance issue within ITD to risk and control units, and provide updates to the Operational Risk & Internal Control Committee in regard to the risk and control environment within the ITD; and
• Promote positive control culture and awareness within ITD.

Incumbent Requirements:

• At least 20 years of relevant experience in banking IT field; with over 10 years in control implementation of information technology area and 10 years or above in managerial role;
• University graduate in Computer Science / Information Technology or equivalent;
• One or more certificates listed below:
  - ISC2 Certified Information Security Professional (CISSP)
  - ISACA Certified Information System Auditor (CISA)
  - ISACA Certified Information Security Manager (CISM)
  - ISC2 Certified Cloud Security Professional (CCSP)
• Solid experience in regulators’ requirement on technology risk management including the Supervisory Policy Manual of HKMA, Personal Data Privacy Ordinance, PCI Data Security Standard, SFC guidelines and Customer Security Controls Framework of SWIFT;
• Professional qualification such as Certified Banker (CB), or ECF on Cybersecurity is preferred;
• Strong communication skill, both in Chinese and English;
• Able to drive changes and strong execution ability;
• Mature and able to work independently under pressure.