Head, GT-TSS Risk & Control Assurance MY
Malaysia
CIMB
CIMB Group is the leading ASEAN Universal Bank and home for all your personal and business financial needs.
Job Purpose *
To manage the GT-TSS Risk & Control Assurance function to execute the Bank’s ORM Framework/Policy as well as Compliance Policies in line with the IT Policies and Procedures. This includes building, facilitating and driving execution of the Framework/Policy by the first line of defence across Group Technology to achieve sound risk management practices and reporting. To deliver planned changes to the Framework/Policy as required, ensure senior stakeholders engage with the change, and ensure new policies are embedded in the first line of defence. To ensure accurate and timely submission of Technology Governance, Risk & Compliance reporting.
The role includes driving a program of awareness throughout the division, ensuring that staff are aware of and use the ORM framework/policy and tools, and inculcating a risk-aware community across CIMB Group Technology. The job includes managing and coordinating a team of RC Specialists (Risk Control Specialists), DCOROs (Designated Compliance & Operational Risk Officers) and Control Environment Testing (CET) testers embedded within the various departments of Group Technology, to ensure a coordinated and aligned risk and compliance program across GT so that IT risks are effectively managed across the division.
The incumbent has to be a specialist who implements strategies and techniques to minimize the company's losses in the fields of risk and controls.
Key Responsibilities *
Manage and work closely with a team of RCS (Risk Control Specialists) via direct reporting and DCOROs (Designated Compliance & Risk Officers) via dual functional reporting to effectively carry out the duties of maintaining an effective Risk & Control Assurance program within Group Technology. This includes:
o Drive strong Operational Risk Management practices
1. Manage compliance with IT Governance related legislation, regulatory policies, procedures and standards.
2. Review and update the operating procedures and work instructions to ensure that the documentation matches the current process being performed.
3. Identify areas of IT risk and ensure proper controls are in place across Group Technology. This involves the use of the various ORM methodologies and tools made available in the form of Risk & Control Self Assessments, Key Risk Indicator (KRI) monitoring, Loss Event reporting, Control Issue Management and compliance gap analysis.
o Promote and maintain regulatory compliance
1. Build and execute the compliance risk framework within the Division/Department in a robust and disciplined manner so as to achieve sound compliance risk management practices and reporting.
2. Support and lead the Division/Department in relation to proactive identification and management of compliance risk.
3. Proactively identify areas with ineffective controls and work with the relevant stakeholders to enhance overall control environment to mitigate compliance risks.
o Champion the Risk Culture
1. Coordinate and manage training of IT staff in the areas of risk management, and regulatory compliance to improve overall understanding and effectiveness of IT risks programs within Group Technology.
2. Continuously assess RCO & DCORO skillset gaps so that skills are enhanced to meet the rapidly evolving risk and regulatory landscape facing IT within a financial institution.
3. Facilitate strong partnerships across various stakeholder groups, determine best methods of communication and establish escalation model
4. To ensure an alignment of tasks between the 3 lines of defense to minimize overlap or gaps arising during execution of role and responsibilities
5. Compile and analyse risk data for themes and trends; raise awareness of emerging risks in the industry and recommend mitigation measures
Specifically, the roles include the following:
A. Drive strong Operational Risk Management practices
Identify Potential Risk
1) Incumbent needs to consider a wide variety of risks to support decision making. These considerations include strategic, operational, and institutional risks.
2) The risks that are included in any particular assessment (sometimes called the assessment’s scope) are largely determined by the decision the assessment is designed to inform.
3) Unusual, Unlikely, and Emerging Risks - Prior to conducting a risk assessment, it is important to make a concerted effort to identify risks beyond those usually considered, for example risks that are newly developing, even if they are poorly understood.
4) Risks that are highly unlikely but have high consequences should also be identified and incorporated into the assessment. This can even include identifying the risk of the unknown as a possible risk.
5) Identify and analyze significant legislative and regulatory initiatives [including new or revised requirements] and their impact on Group Technology, IT needs and business operations.
6) Work with the respective GT IT policies and procedures owners to ensure alignment and compliance with related legislation and regulatory guidelines.
Assess and Analyze Risk
7) Perform risk assessment, which involves analyzing risks as well as identifying, describing and estimating the risks affecting the IT operations in Group Technology and ensure proper controls are in place.
8) Incumbent needs to assess the identified risks and analyze the outputs of the assessment by executing the following:-
• Determining a methodology;
• Gathering data;
• Executing the methodology;
• Validating and verifying the data; and
• Analyzing the outputs.
9) Participate in assessment [including analysis] of audit issues to mitigate IT risks in these areas and assist in implementing audit recommendations, identify areas of concerns and suggest action items.
Decide Upon and Implement Risk Management Strategies
10) Review and analyze IT process in a specified unit and determine the areas for improvements
11) Incumbent needs to make decisions about best options among a number of alternatives in an uncertain environment.
• The key moment in the execution of any risk management process is when a decision maker chooses among alternatives for managing risks, and makes the decision to implement the selected course of action.
• This can include making an affirmative decision to implement a new alternative, as well as the decision to maintain the status quo.
Evaluate and Monitor
12) The evaluation and monitoring of performance is important to determine whether the implemented risk management options achieved the stated goals and objectives. Evaluation should be conducted in a way that is commensurate with both the level of risk and the scope of the mission. Thereafter, the incumbent is to do the following:-
• Provide advice on related legislation, regulatory and policies, procedures and standards affecting Group Technology, upon evaluation of risks.
• Coordinate with Group Technology Regional to ensure ability to have regional Technology Risk oversight and ensure consistent risk, control and compliance practices at Group Technology functions within the region.
B. Promote and maintain regulatory compliance
1) To support the RCU Head in being the first point of contact in providing support and advice to the senior management and staff within the Division/Department for all compliance advisory matters. The RCU Head should resolve queries which are within their knowledge and expertise and promptly escalate the issues which are unfamiliar and/or require specialist advice/knowledge to Group Compliance.
2) To execute all the policies and procedures owned by Group Compliance in a robust and disciplined manner so as to achieve sound compliance risk management practices and reporting within the Division/Department. This includes ensuring that divisional/departmental policies, procedures and standard operating procedures are well drafted so that the policies and procedures are well operationalised by the Division/Department.
3) To support the RCU Head in proactively identifying, managing and monitoring the existing, new or emerging compliance risk using the appropriate compliance risk tools (e.g. RCSA, regulatory gap analysis, CET). This includes recommending appropriate action owners within the Division/Department to the Head of Division for any new processes/ controls to be established for addressing the identified risk.
4) To support the RCU Head in reviewing and ensuring the factual accuracy of any correspondence, responses or presentations from the Division/Department to regulators, including any periodic reporting to regulators. This includes reviewing and challenging to ensure the below:-
• Facts in the correspondence, responses or presentations are correct;
• The applicable regulatory requirements quoted in the correspondence, responses or presentations are correct and are complied with;
• The regulatory expectations/commitments and regulatory deadlines are properly tracked for ensuring compliance;
• All the documents for submission to regulator are complete and in order.
5) To support the RCU Head in reviewing the business/products proposals, policies and procedures for ensuring all regulatory requirements are complied with. This also includes ensuring the subsequent fulfillment of conditions imposed on the business/product proposals, policies and procedures by the governing senior management committees, board committees, board and/or the regulator.
6) To support RCU Head in the initial setting up and subsequent refresher of RCSA for ensuring all the material compliance risks, including new and emerging risks, are reflected in the RCSA. The RCS has to ensure the RCSA is updated in a timely manner for overall completeness and comprehensiveness.
7) To support RCU Head in ensuring the proper reporting and timely escalation of regulatory breaches and/or compliance controls issues. This includes:-
• To ensure LED and CIM are properly raised by DCORO;
• To ensure there is adequate assessment of impact (both financial and non-financial), adequate preventive and corrective measures and timely escalation;
• To properly track the closure of action plans being identified for the regulatory breaches and/or compliance control issues.
8) To perform the regulatory gap analysis in a timely and comprehensive manner for the new and/or updated legal and regulatory requirements and ensure adequate processes and/ or controls are in place for regulatory compliance.
9) To act as the main liaison in relation to all compliance related matters within the Division/Department and with 2nd LOD.
10) To plan and/or execute the thematic review identified by RCU Head. To work with the relevant stakeholders within the Division/Department to enhance the overall control environment to mitigate the compliance risk and/or regulatory breaches.
11) To support RCU Head in the preparation of the compliance training materials and to conduct the training for the relevant staff.
C. Champion the Risk Culture
1) Establish a reverence for strong risk management by applying knowledge and understanding of business products, services and processes
2) Facilitate strong partnerships across various stakeholder groups, determine best methods of communication and establish escalation model
3) To ensure an alignment of tasks between the 3 lines of defense to minimise overlap or gaps arising during execution of role and responsibilities
4) Assist the RCU Head in his/her duties to raise awareness and improve on the capabilities of operational risk and compliance, within the Department
5) Ensures that every business and support unit within the Department has appropriate RCS, DCORO and QA testers and the appointment is properly executed via GHR
6) Track and maintain an updated list of the RCU team members (onboarding and offboarding) within the Department
7) Facilitate all relevant training within the Department and cascade relevant risk information or program updates to the RCU team including DCOROs and QA testers and respective business heads
8) Provide guidance as needed to support RCU team in their role
9) Compile and analyse risk data for themes and trends; raise awareness of emerging risks in the industry and recommend mitigation measures
10) Facilitate all relevant training within the Division/Department and cascade relevant risk information or program updates to DCORO and relevant staff (including control testers)
11) Provide guidance as needed to support DCORO and control testers in their role
D. Employee Engagement and Development
1) Monitor performance against the relevant RCU team and QA tester KPIs, including soliciting and incorporating performance feedback from the Head of Group ORM and the Head of Group Compliance
2) Develop direct and indirect subordinates to ensure each has a well thought through and executable action plan to help them achieve their development goals and needs
3) Provide timely feedback to staff and complete appraisal processes in line with CIMB process
4) Comply with HR performance processes and meet internal KPIs
5) Attract, develop and retain talent
Any other responsibilities/tasks as assigned by the Management from time to time.
Job Specification
Qualifications
(Basic Degree/Diploma etc) A Bachelor’s Degree in Information Technology, Computer Science or equivalent.
Professional Qualification and/or Regulatory, Licensing requirements
• It will be a huge advantage to have professional qualifications such as:
o CISA,
o CRISC,
o CISM,
o CISSP,
o CSX.
Relevant Work Experience
• Extensive experience with large-scale environments, including skills and an in-depth understanding of IT and business applications and systems.
• Extensive risk management and governance experience (minimum 10 years) which includes definition and implementation of IT and IT risk management related policies and procedures
• Good knowledge and grasp of banking practices and products at a higher level and awareness of the BNM policies/guidelines and other regulatory frameworks
• Good command of Risk disciplines
• Excellent communication and technical writing skills in English
• Strong analytical and dispute resolution skills. Ability to make independent decisions with a strong sense of empowerment and the leadership skills to command the respect of cross-functional teams.
• Ability to work under pressure and tight deadlines
• Results oriented and possess excellent analytical, facilitation and strategic planning skills.
Required Competencies and Skills *
Competencies/Skills
(Essential to succeed in this job)
a. Highly result-oriented and able to work independently.
b. Ability to build relationships and interact effectively with internal and external parties.
c. Good analytical, written and oral communication skills.
d. Ability to work with different cultures in an increasingly global environment, as this is a regional role.
e. Demonstrated managerial, leadership and facilitation skills.