IT Risk

Role Description:
The role is focused on leading the identification and reporting of first-line technical risks including, but not limited to: IT, cybersecurity,fraud, trust & safety and any regulatory compliance risks impacting our technology. This role requires engaging with various first-line stakeholders to track and monitor appropriate risk responses, and reporting on our IT controls framework.

The IT Risk & Compliance Officer is responsible for partnering with risk owners throughout the Tech business function and other business units to design and maintain governance processes, operating models and set up GRC tooling that reflects our risk appetite and to maintain the quality of our processes. The role requires to work closely with stakeholders from multiple departments and to have a strong big picture focus, but be able to zoom in and out of the details to ensure full process understanding.

Responsibilities and skills required for the IT Risk Officer role in Risk Governance focus on upkeep of internal controls spanning the technology landscape, aligning with the organization's risk appetite and ensuring process quality within operational risk governance processes such as maintaining cyber risk register, security exceptions, audit issue remediation status. Daily activities involve working with engineering teams on audit issue resolution, validating remediation plans, and conducting re-testing and peer reviews.

The IT Risk & Compliance Officer role requires solid stakeholder management skills, and to be comfortable with challenging risk owners to come up with robust, scalable solutions which mitigate key risks while enabling successful business operations.

**Key Responsibilities.**:
Responsibility

Tasks and responsibilities within Risk Governance Capability Area:

- Build and manage controls framework based on NIST CSF, SOX, PCI-DSS
- Collaborate with control owners to deliberate and get alignment on control requirements.
- Work with senior stakeholders across various departments and business units to seek their alignment on the approach and methodology for NIST CSF based Cyber Maturity assessment lifecycle.
- Manage end to end Assessment lifecycle stages like framework certification, Kickoff, Pre-assessment chores for internal and external assessment methodologies, managing reporting end to end, both at control owner level and executive level.
- Be the single point of contact for Vendor management required for managing external assessments.
- Triage and track Issues from Observations coming from Security Assurance and Threat assessments to closure as part of Observation and Issue Management(OBSIM) process
- Track and monitor risks from Security Assurance and Operational Audit findings raised by GIA and report to Leadership.
- Liaise with other risk and audit teams (Risk and Controls, Internal Audit, external auditors, Business continuity teams, IT Disaster recovery and Service continuity team etc.) as needed
- Provide inhouse consulting as SME to strategic programs
- Stay flexible to meet the dynamic business needs, while maintaining robust solutions that strengthen the control environment
- Be able to split large tasks into logical, manageable and decoupled actions which are managed effectively and delivered on time.

**Communication.**:
Stakeholder

Type

Available options:
Cooperation

Persuasion

Information

Frequency

Available options:
Continuous (daily or a number of times a day)

Frequent (about once a week)

Occasionally (once or twice a month or less)

Tech business function and other business units

Cooperation

Partner with risk owners by providing guidance and support in designing and implementing appropriate controls to strengthen the control environment, mitigate the company risks and support the business in achieving objectives.

Identify control gaps, based on identified risks.

Facilitate and participate in cross functional groups to implement or enhance controls in cross functional processes.

Support risk owners in standardizing & improving process and controls documentation

Support business functions and units in ongoing compliance with SOX, PCI, GDPR and other control areas.

Conduct risk assessments and document the outcome and action plans.

Continuous

Compliance, Monitoring and Assurance

Information

Inform of new IT control implementations for tracking and reporting.

Frequent

Risk Governance & Projects

Information

Report the outcome of assessments for risk monitoring and reporting.

Frequent

Subject Matters Experts (SME’s) e.g. Security, Fraud, Privacy, Legal, etc.

Cooperation

Obtain guidance and support for the implementation of IT controls in different regulatory domains.

Frequent

Internal & External audit

Cooperation

Support Internal and External audit engagements to ensure that remediation plans are implemented on a timely basis for any deficiencies found.

Support SOX and PCI audit cycles.

Frequent

**Knowledge and skills.**:
Level of Education

Avai