Tech Risk Control Office Metrics, Findings & Exceptions Director
New York Branch - 1251 Avenue of the Americas, United States
Full Time Executive-level / Director USD 165K - 211K
Do you want your voice heard and your actions to count?
Discover your opportunity with Mitsubishi UFJ Financial Group (MUFG), one of the world’s leading financial groups. Across the globe, we’re 120,000 colleagues, striving to make a difference for every client, organization, and community we serve. We stand for our values, building long-term relationships, serving society, and fostering shared and sustainable growth for a better world.
With a vision to be the world’s most trusted financial group, it’s part of our culture to put people first, listen to new and diverse ideas and collaborate toward greater innovation, speed and agility. This means investing in talent, technologies, and tools that empower you to own your career.
Join MUFG, where being inspired is expected and making a meaningful impact is rewarded.
The selected colleague will work at an MUFG office or client sites four days per week and work remotely one day. A member of our recruitment team will provide more details.
This role is a key member of the Technology first line risk and controls team, aligned to the Technology Governance and Oversight function. This individual leads various governance and oversight activities supporting the Enterprise, Operational and Information Risk Management frameworks, working with other team members and partnering with technology teams to drive effective risk and control management. The main areas of focus for this role are Risk Metrics, Issues/Findings management and Exceptions governance. The Technology teams are responsible for assessing the technology risk and control environment, identifying improvement opportunities, reporting and monitoring key risk metrics and providing governance with respect to all risk and control matters.
In this role you will focus on internal and external compliance requirements, activities, and deliverables to ensure that Technology meets regulatory and audit milestones. Responsibilities include engaging with regulators and/or leaders from other functions, including audit and compliance, and collaborating with colleagues to prepare or review content prior to submission and manage follow-up actions; establishing processes, templates, and stakeholder matrices for activities; creating roadmaps aligned to recurring and ad hoc milestones; ensuring stakeholders execute appropriately and meet milestones on time; tracking, escalating, and/or remediating risks and issues; and developing and executing executive-level reporting.
RESPONSIBILITIES
Direct risk metrics governance and oversight activities across Entities. Includes adequacy of scope and coverage, monitoring adherence to Risk Management Frameworks and reporting to risk and control forums and Committees.
Lead Information Risk Appetite Statement metrics to expand metric scope and coverage over information risks. Collaborate with senior leaders across lines of defense on approach, align on objectives and deliverables.
Support management to develop and generate various metrics reports for senior management and Board level Committees that inform on risk appetite, trends and items that warrant remediation (breaches) and/or escalation.
Ensure appropriate ownership and collaboration of Metrics, Exceptions and Findings processes with FLoD executives and key stakeholders (e.g., ORM, IRM, ERM)
Direct technology findings and exception management governance routines and enhance routines through automation and reporting.
Provide transparency on status of open findings and exceptions, drive closure of exceptions and findings and accountability.
Work with Business Unit Risk Managers (BURMs) teams to challenge potential issues/Findings/Exceptions and participate in issue development once they are recognized and agreed as issues or exceptions/findings as applicable.
Engage with key stakeholders, management, BURMs, Second Line of Defense (SLoD), and TLoD to ensure risks are understood across all Lines of Defense (LoDs) and risk treatment is properly identified
Direct the maintenance and development of internal documentation.
Provide periodic training to key stakeholders.
Implement data quality and/or quality assurance (QA) routines to ensure quality of data and adherence to Risk Frameworks.
Respond in a timely and accurate manner to Regulatory, Audit and Second Line of Defense exams or review challenge activities.
Recruit, develop and retain key talent, ensuring that the resources dedicated to risk management are effective in carrying out required functions.
QUALIFICATIONS
Bachelor’s degree in technology, engineering, risk management, computer science, information systems, or equivalent field.
Preferred: degree from a competitive school, demonstrating a strong academic and extracurricular track record
Preferred: Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), or Certified in Risk and Information Systems Control (CRISC)
Other preferred certificates: risk management, information security, and/or technology certifications desired, but not required. (Certified in Governance of Enterprise Information Technology (CGEIT), Cybersecurity Fundamentals (CSX), Certified Information Systems Security Professional (CISSP), Information Technology Infrastructure Library (ITIL), Control Objectives for Information and Related Technology (COBIT), etc.)
10+ years of experience in IT risk and controls
10+ years of experience working at a major financial institution on audit and/or risk management initiatives/programs, including management responsibility
Experience with risk metrics definition and reporting/scorecard development utilizing key risk metrics tools (IBM Open Pages, Tableau, structured query language (SQL), Access etc.)
Experience developing and communicating key messages to senior managers and regulators
Strong planning and organizing skills and the ability to multitask across a varied workload
Advanced level of proficiency using Microsoft Excel to organize and analyze data, produce management reporting and dashboards, and prototype strategic solutions is critical
Preferred: knowledge in technology areas including, but not limited to: access management, network security, enterprise architecture, release management and incident response
Experience in a project management role
Deep understanding of financial institution processes, products, and risk
Prior supervisory and/or management role with a focus on talent development
Strong understanding of governance and oversight best practices, ideally with experience implementing and/or managing governance processes
Experience with enforcement agencies oversight activities (regulatory examinations, matters requiring attention (MRAs), consent orders, etc.) within global systemically important financial institutions' information technology and information security environments
Understanding of information security risk assessment/testing methodologies evaluating the adequacy and efficiency of internal controls; and identifying issues resulting from internal and/or external compliance examinations
Ability to manage multiple priorities concurrently, prioritize, and efficiently complete responsibilities while maintaining the highest quality
Ability to lead work streams with sometimes limited oversight/information from inception to completion
Ability to identify obstacles and work in conjunction with others to identify options/solutions
Ability to constructively work both independently and in collaborative environments involving all levels of management and employees
Ability to deliver results within a complex environment; develop and drive best practices
Excel at developing and communicating key messages to senior managers and regulators
Strong leadership, people management, and influencing skills; proven strength in relationship development and leading through influence across multiple stakeholders
Outstanding communication skills; able to foster close and collaborative productive working relationships across the organization
Strong work ethic, ability to make decisions and work under tight deadlines; achievement-oriented and takes initiative
Understanding of risk metric requirements and reporting to various forums and Committees
Understanding of the regulatory environment and regulations related to technology risk, and Office of the Comptroller of the Currency (OCC) and Federal Reserve Board (FRB) expectations
Experience with problem solving in a team environment by thinking outside of the box, providing innovative solutions with and without technology
Experience designing and implementing risk related management, governance, and frameworks
Experience with managing resources effectively to execute required functions
Preferred: experience in a project management role
Knowledge of information technology risk and process frameworks, including Committee of Sponsoring Organizations of the Treadway Commission (COSO), COBIT, National Institute of Standards and Technology (NIST), Cybersecurity Horizontal Reviews, and ITIL
Knowledge of corporate and investment banking, commercial lending, capital markets, trade services, and payment operations, etc.
Familiarity with U.S. regulatory, compliance, and governance
Understanding of risk management, including experience executing risk assessments, testing and evaluating processes and controls and evaluating results
Strong project management skills; includes an ability to independently drive work, and pragmatically solve problems
Knowledge of critical domestic and international banking regulations (Reg W, Basel II, Federal Financial Institutions Examination Council (FFIEC), General Data Protection Regulation (GDPR), etc.) and experience with enforcement agencies oversight activities (regulatory examinations, matters requiring attention (MRAs), consent orders, etc.) within global systemically important financial institutions' information technology and information security environments
Experience with executing technology and/or information security risk assessment/testing methodologies evaluating the adequacy and efficiency of internal controls; and identifying issues resulting from internal and/or external compliance examinations
Experience with automating and/or the ability to conceptualize automated control solutions is highly desired
Strong planning and organizing skills; ability to multitask and deal with varied workload
The typical base pay range for this role is between $165K - $211K depending on job-related knowledge, skills, experience and location. This role may also be eligible for certain discretionary performance-based bonus and/or incentive compensation. Additionally, our Total Rewards program provides colleagues with a competitive benefits package (in accordance with the eligibility requirements and respective terms of each) that includes comprehensive health and wellness benefits, retirement plans, educational assistance and training programs, income replacement for qualified employees with disabilities, paid maternity and parental bonding leave, and paid vacation, sick days, and holidays. For more information on our Total Rewards package, please click the link below.
We will consider for employment all qualified applicants, including those with criminal histories, in a manner consistent with the requirements of applicable state and local laws (including (i) the San Francisco Fair Chance Ordinance, (ii) the City of Los Angeles’ Fair Chance Initiative for Hiring Ordinance, (iii) the Los Angeles County Fair Chance Ordinance, and (iv) the California Fair Chance Act) to the extent that (a) an applicant is not subject to a statutory disqualification pursuant to Section 3(a)(39) of the Securities and Exchange Act of 1934 or Section 8a(2) or 8a(3) of the Commodity Exchange Act, and (b) they do not conflict with the background screening requirements of the Financial Industry Regulatory Authority (FINRA) and the National Futures Association (NFA). The major responsibilities listed above are the material job duties of this role for which the Company reasonably believes that criminal history may have a direct, adverse and negative relationship potentially resulting in the withdrawal of conditional offer of employment, if any.
The above statements are intended to describe the general nature and level of work being performed. They are not intended to be construed as an exhaustive list of all responsibilities, duties and skills required of personnel so classified.
We are proud to be an Equal Opportunity Employer and committed to leveraging the diverse backgrounds, perspectives and experience of our workforce to create opportunities for our colleagues and our business.
We do not discriminate on the basis of race, color, national origin, religion, gender expression, gender identity, sex, age, ancestry, marital status, protected veteran and military status, disability, medical condition, sexual orientation, genetic information, or any other status of an individual or that individual’s associates or relatives that is protected under applicable federal, state, or local law.
Tags: Automation Banking CISA CISM CISSP COBIT Compliance Computer Science CRISC FFIEC GDPR Governance Incident response ITIL Monitoring Network security NIST Risk assessment Risk management SQL
Perks/benefits: Career development Competitive pay Health care Medical leave Parental leave Salary bonus Team events Transparency Wellness