Principal Analyst, Governance , Risk & Compliance Tech

KEY ACCOUNTABILITIES:

GRC Operations
• Maintain visibility of the GRC activities across the unit and ensure implementation of proper tracking & reporting mechanisms.
• Ensure tracking and completion of GT BIA/BCP related requirements as per the GBCM timelines.
• Ensure tracking, monitoring, and reporting of the GT related periodic UAE regulatory requests & reporting.
• Oversee GT Risk Remediation program and ensure implementation of proper governance mechanisms.
• Ensure timely completion of IT Risk Operations activities.
• Oversee management of Data Leakage Prevention (DLP) notifications and improvement initiatives to optimize monitoring policies.
• Act as a point of contact for GIA for Tech GRC audit activities.
• Act as a point of contact for internal/external auditors and regulators for all IT Governance and Risk related items
• Ensure implementation of proper tracking mechanism for Operational Risk Incidents to ensure compliance with GORM policies.
• Ensure all the GRC systems used by 3 lines of defense are in sync and oversee periodic reconciliation activities.
• Ensure proper governance of GIA issues and other key risk items to ensure timely remediation.
• Ensure identification and implementation of automation initiatives to improve overall GRC operations.
• Support & contribute to implement initiatives to improve ways of working with 2nd line & 3rd line functions.
• Ensure timely and accurate MIS is available for GRC related activities.

. Technology Risk Management Framework:
• Establish IT risk management framework to identify, analyse, mitigate, manage, monitor, and communicate IT risks.
• Ensure adherence to Group Security policies and standards for effective implementation of security controls within GIT.
• Contribute towards maintenance of standard technology risk and control library.
• Implement the cyber risk assessment model and analysis approaches.
• Understand how cyber risk fits into overall Technology Risk Management and ensure integration.
• Identify, agree and manage various assurance initiatives and internal reviews across GIT

Technology Risk Identification & Assessments:
• Ensure timely identification and assessment of IT risks throughout software development / acquisition lifecycle.
• Ensure IT risks are managed as per the agreed IT risk appetite, tolerance levels and in accordance with remediation plans and target dates defined in alignment with Group Policies.
• Support and help technology teams on various risk and control assessments activities.
• Participate in Project & Change reviews to ensure appropriate treatment of technology risks.
• Work with technology teams to ensure implementation of comprehensive solutions to protect organization information assets.
• Manage periodic risk assessment activities to identify vulnerabilities, threats and control effectiveness.
• Periodically identify the risks that might compromise cyber security.
• Analyse the severity of each risk by assessing likelihood and impact. Agree with stakeholders on the residual risk ratings and potential risk exposure.
• Qualify/quantify exposures and vulnerabilities on a big-picture scale to create a thorough understanding of the risk environment.

Technology Risk Treatment & Review:
• Oversee development of risk treatment strategies to maintain the bank’s risk posture at the desired level.
• Engage with various IT teams to review risk profile, risk treatment strategies and action plans.
• Ensure proper implementation of risk treatment options such as mitigation, transfer, acceptance etc. and help IT teams in closure of risks/issues.
• Regularly review current risk measures and ensure implementation of adaptive approach to manage evolving cyber risks.

Technology Risk Monitoring & Reporting:
• Identify and define Key Risk Indicators (KRI) to monitor high risk areas.
• Deliver periodic risk profile reports and KRI reports to senior management.
• Review Major incident Reports and ensure proper risk/control measures are identified to prevent incident reoccurrence.
• Manage Technology risk committee meetings and ensure closure of action items.

Cloud Management
• Ensure due diligence of cloud service providers and oversee ongoing cloud service providers security assessments.
• Evaluate cloud solutions and determine risk of technology architecture, implementation, and suitability for the organization.
• Ensure cloud service providers contracts are compliant to Group policies/processes and relevant controls are considered in the contract with cloud service providers.
• Assess the risk implications of digital innovation and its impact on technology risk profile of the bank. Provide recommendations to optimize the risks and ensure technology policy and process alignment.
• Support and maintain risk assessment capabilities to review and assess digital business models end to end.
• Work with business and technology teams to better understand digital business risk and facilitate a balance between the need to protect the organization and the need to optimize customer experience.
• Conduct in-depth technical security reviews, risk assessments, and architecture reviews for Cloud based technologies and solutions to ensure alignment with information security policies and technology guidelines.
• Provide risk management guidance and advice to technology teams on cloud technologies and digital solutions.

DevOps/DevSecOps/Agile Practices
• Provide inputs to development and maintenance of policies, frameworks, methods and standards for the DevOps and agile practices.
• Work with technology teams to embed automated controls across delivery pipeline. Collaborate with service teams to ensure CI/CD pipeline delivers faster time-to-market for the product and positive customer experience.
• Monitor and support integration and standardization of related development methodologies across Technology service lines.
• Facilitate the “shift to the left” approach of moving a task to an earlier stage in the development cycle to ensure the risk and security standards are met from the beginning
• Advocate adaptation of continuous feedback loop mechanisms and ensure team members are regularly prompted to improve the development and maintenance of the solutions.
• Coach agile teams in the methodology and ensure training is provided to employees on the agile practices.
• Evaluate possible bottlenecks of running the application in production and suggest service improvement plans.
• Ensure compliance and security best practices are incorporated throughout the development process.

QUALIFICATIONS & EXPERIENCE:
Knowledge & Experience:
• 10 or more years of working experience in IT Security, Risk and Governance practices.
• 3+ years of experience working in leadership role IT Security, Risk and Governance.
• Knowledge and expertise in virtualization and cloud computing environments (different cloud models and types).
• Hands on experience in using various Cloud Security best practices such as Cloud Security Alliance (CSA) guidelines and National Institute of Standards and Technology (NIST) guidelines.
• Demonstrated experience in conducting technical risk assessments for various Cloud platforms.
• Good understanding of process models and industry standards relating to IT Security, Risk and Governance.
• Good understanding of security and risk management in financial institutions.
• Excellent knowledge of all aspects of technology: infrastructure; operations, security, development, change/transformation, support, innovation, vendor management etc., and banking related processes especially risk management. Should have demonstrable experience of working in many of these domains.
• Strong analytical capabilities and knowledge of related tools and processes. Proven ability to handle volume detail and summarize effectively.
• Good understanding of banking related environments – especially around high availability, data confidentiality, security etc.
• Evidence of influencing senior stakeholders and dealing with external auditors and regulators.
• Excellent interpersonal skills and good oral and written communication skills.
• Achievement of industry recognized certifications such as CISSP, CRISC, CCSP, CCSK, CISA etc.
• Achievement of AWS and Azure cloud certifications is preferable.

Skills:
• Relationship management
• Influencing skills
• Big picture thinker with attention to details
• Strong change and communication skills
• Strong analysis skills
• Strong interpersonal skills
• Resource (time and people) management skills