BNP Paribas Overview
BNP Paribas has a presence in 75 countries with more than 185,000 employees, including 145,000 in Europe. It ranks highly in its two core activities : Retail Banking & Services and Corporate & Institutional Banking.
At BNP Paribas, we work continuously on behalf of our clients, helping them to realize their projects around the world. You can be an important part of this, helping us to serve our clients both in mature and emerging markets, providing them with financial solutions across a diverse range of expertise, products and services.
Our origins lie in Europe, but nearly a quarter of our employees now work in our multi-award-winning Asia Pacific offices and we are a committed player in all markets.
Strong risk management, combined with the stability that comes from being part of one of the largest banking groups in the world, underpins our success.
Joining us, you’ll become an integral part of a dynamic team that spans nationalities, cultures and backgrounds, drawing together people from around the globe and reflecting our commitment to international placements.
Department Overview :
The Information and Communications Technology Risk department is part of the Group Risk Functions within BNP Paribas. It is a part of the 2nd line of defence under the Bank’s Chief Cyber & Technology Risk Officer.
The department has responsibility for identification of key technology risks to the Bank and influencing business and technology partners to take sound risk management decisions.
This is achieved by delivering :
- Application & Infrastructure Risk Assessments - Working with the Business and Technology teams to identify security issues in existing and new systems, and agree corresponding actions to mitigate or accept risks. Tracking issues and agreed actions to completion.
- Horizontal Risk Assessments - Assessing technology risks in relation to a particular theme or technology across the organisation. Examples could be assessments of the firewall change process, applications processing > $5m per day, applications hosted in the cloud, etc.
- Vertical Risk Assessments - Assessing risks to a product, service, technology or infrastructure. For instance we may complete a vertical assessment on our remote working solution (including Infrastructure, applications, data, threats etc) or our Internet connectivity.
- Partnership to the Business and Technology teams in helping them understand their technology risk profile and influencing their risk management decisions.
Key Responsibilities :
Responsible for the development and implementation of a regional-wide ICT risk assessment program. Successful candidate will have proven track record of developing and implementing risk management programs in global organizations, with robust knowledge of technology, risks, architectures and related tools.
Prior ICT risk experience (IT, Cyber, Vendor etc.) & exposure to the Financial Services industry is a must. Experience with GRC tools and other risk management information systems is preferred.
Individual will develop and communicate the risk assessment engagement models to ensure that ICT risk considerations are accounted for in all the bank’s operations.
This is a start-up role that will help create the function, drive program and will lead team of 5-7 in time. There is a need to consolidate some of the other existing Operational, IT & Cyber risk functions from other groups into this one and roll out across enterprise, so an influencer and trust builder who can sell a value prop is important.
Negotiation and Conflict Management skills an absolute must. Bank is undergoing a significant tech and ops reorg / transformation including outsourcing functions, streamlining and refactoring applications.
Will lead this effort form an independent risk assessment of these projects and will present findings to board and exec committees.
Excellent presentation & executive presence skills necessary. Experience interacting with regulatory agencies is required.
Governance and Oversight :
Establish IT & Cyber Risk Management Program for the bank within the three lines of defense model in alignment with the Group Risk Management Framework.
Drive effective implementation and communication of Operational risk management policies and guidelines.
Create and execute appropriate staffing model for program, hire resources, including the use of matrix resources from other business unit facing risk managers as appropriate.
Provide direction, support and oversight with respect to management of security and technology risks of core systems and applications.
Establish and oversee the Operational risk management infrastructure and ensure practices are consistent with regulatory expectations and industry sound practices.
Provide IT & Cyber risk management consulting to the business, technical and operations groups.
Establish appropriate risk management governance committees, arrange agendas and chair meetings as appropriate.
Establish GRM’s oversight model for the IT and Operations Transformation projects including the review of major outsourcing partners.
Risk Management Environment :
Identification & assessment : Ensure that the identification and assessment of operational risks are effectively done across the organization by correlating input from Audit Findings, Internal Loss Data Collection & Analysis, External Data Collection & Analysis, Risk Control Self Assessments, Business Process Mapping, KPIs & KRIs, Scenario Analysis, Quantified Measurement & Comparative Analysis.
Monitoring & Reporting : Implement a process to regularly monitor operational risk profiles and material exposure to losses and provide appropriate reporting mechanisms to the board, senior management and the business lines.
Data capture and operational risk reporting should be continuously enhanced and provide a feedback loop to enhance risk management policies, procedures and practices.
Control & Mitigation : Improve the effectiveness of the Internal Controls programme by reviewing the control environment, risk assessment process, control activities, information and communication and monitoring activities.
Assess operational risk response strategies. Validate risk transfer options.
Business Resiliency and Continuity :
Oversee and drive the business resiliency and continuity plans to ensure the ability of the bank to operate on an ongoing basis and limit the losses in the event of severe business disruption.
Coordinate frequent tests of these plans with the third and first lines to ensure coverage and adequacy.
Risk Disclosure :
Provide updates on regulatory and financial disclosure while complying with external and regulatory communications standards and disclosing the operational risk management framework of the bank in a manner that complies with the formal disclosure policy approved by the board of directors.
Define the approach for determining what operational risk disclosures are made and the internal controls over the disclosure process.
Implement a process to assess the appropriateness of the disclosure, including the verification and the frequency.
Skills & Experience Required :
10+ Information Security experience specifically in risk assessment, third party and technology assessments.
Team-player focus on the success of the whole team. Working well both with others, as well as individually;
Good stakeholder management skills;
Interest or experience in a Technology Risk, Information Security or an IT Audit role;
Good listening and analytical skills being able to come to a thoughtful and business focused conclusion quickly;
Ability to co-operate and work well with others, adopting an approachable style. This is important as we work closely with a large and diverse set of suppliers and customers;
Ability to see the customer perspective, i.e. from a business point of view, the most secure solution is not always workable or realistic considering costs and benefits;
Demonstrating a calm professional approach, with a good understanding of delivery within time constraints and the need to escalate / inform departmental management as appropriate;
Adapting personal approach to suit situations, individuals, groups and cultures. Is flexible in relation to getting the job done;
Taking accountability for their actions and be open and honest when things have gone wrong, and celebrating successes when things have gone well;
Being rigorous and thorough especially when logging and tracking issues through to conclusion;
Ability to manage their workload so as to meet the realistic targets and priorities set in conjunction with management;
Demonstrating a high-level of commitment and self-motivation, combined with enthusiasm and a genuine interest in the role of Risk Assessment in business;
Ability to express views clearly and fluently, both orally and in writing. Considers the audience, avoiding technical jargon wherever necessary and appropriate.
A professional qualification relevant to Information Security (such as a university degree, CISSP, CISM or CRISC);
A good understanding of large-scale technology infrastructure;
Excellent understanding of emerging technologies : SDN, CLOUD, IoTs etc
Thorough understanding of the ISO 2700X series of standards and guidelines; and
Experience of formal document creation, such as the creation of presentations, reports or procedures. Presenting documentation in a professional and well-structured format;
Strong MS Office skills (core applications).
The following will be of advantage : - Knowledge or practical experience of one or more of the following products :
o Archer Technologies SmartSuite Framework
o Tufin Operations Management
Other professional qualifications / memberships, relevant to Information Security (Institute of Information Security professionals, CISA or QICA).
Be a role model, supporting and fostering a culture of good conduct
Demonstrate proactivity, transparency and accountability for identifying and managing conduct risks
Consider the implications of your actions on colleagues, partners and clients before making decisions, and escalate issues to your manager when unsure.
For managers only : Take responsibility for your team’s conduct and conduct risks.
Please note that all applicants must disclose whether they possess the right to work in the U.K. as per the Immigration, Asylum, and Nationality Act of 2006.