Irm Risk Advisor-upstream

**The Role**:
Ensures risks to information assets are identified and understood, that appropriate controls to mitigate risks are identified and that these controls are implemented to sustain compliance of the organisation or business unit and its associated customers, users, suppliers or partners with the controls framework and related policies, standards and processes. Ensures that the required development opportunities in the control framework and related policies, standards and process are identified and addressed.

**Proposition**

The IRM (Information Risk Management) role is to ensure that Shell addresses Information Risks in an effective and efficient manner, commensurate with Shell risk appetite. Within IRM, the Risk Advisory team provides advisory and assurance to key projects and new technologies supporting PTUPIG capability.

**Where you fit in**

The PTUPIG risk advisory team is part of the IRM Risk Advisory team, which covers advisory and assurance support for new projects, new technologies as well as the advice and assurance for operational services and capabilities, in an ever-changing environment with technical as well as regulatory requirements, in a fast-changing business dynamic.

The overall team’s aim is to balance risk vs costs, and provide expert advice supporting secure, reliable and compliant services, with specific focus on the business portfolio needs for the common, centrally supported, functions in the combined IT line of business for PTUPIG.

The Role requires a clear understanding of Shell’s strategic intent for Market Standard and develop new capabilities within the team and also be able to provide needed advisory to LOD1 (IT Engineering, ITSO, ITM and other stakeholders).

The purpose of this position is to:
oBe a “trusted advisor” providing risk advisory on IT projects and new technologies associated with Enterprise platforms and capabilities.

oDefine security policies, processes, guidelines related to new technologies, solutions, standards and regulations and advise on implementation requirements.

oReview and provide assurance on risk identification and mitigations.

oImprove and contribute to risk and control requirements and associated policies and guidance.

oProvide guidance and training in risk management processes to various stakeholders (Business, operations/LoD1, PM’s etc.

Accountabilities of the role includes:
oProvide assurance on control objectives and requirements and associated policies and guidance.

oFacilitates risk assessment process.

oProvides SME support to risk response and risk acceptance in line with framework boundaries.

oReview and advise on information security risks of vendor offerings - New/leveraging existing (SAAS / PAAS/IAAS) services including integration with Shell environment.

oTranslate Technical, legal and Regulatory Compliance obligations into a cohesive collection of Security Controls. Provide respective stakeholders with the IRM requirements and its implementation methodologies.

oWork with Project Managers, Business Analysts, Architecture and Support Team to ensure Shell IRM standards are being followed.

oEnsure all the risks are documented, classified and addressed with appropriate action as per the IRM standards.

oDrive education and awareness of Information security related issues and risks to Business/Business IT Teams.

oActively participate in reviewing and improving the Information Security Controls implemented in the organization.

The dimension of the role includes:
oWorking on Enterprise-wide, critical, projects for ITSO organization.

oWorks closely with LOD1 teams on risk assessment advisory and assurance.

oSME covering security, risk as well as compliance aspects supporting Project Delivery staff/Business / Business IT teams.

oSupport in risk assurance and audits as risk SME.

Key Hard Skills Required:
oAt minimum 6+ years in IRM function, preferably aligned with control framework best practices and risk management.

oUnderstand security standards, frameworks and regulations like ISO 27001, NIST, PCI etc.

oAbility to challenge/question the responses provided for the finding’s treatment plan provided by the business.

oUnderstand the technology risk landscape and interpret the findings into a business understandable language.

oUnderstanding of specific governance and overall processes of the Shell Group.

oGood understanding and experiences with Audit (both internal and external) and Risk management.

oThe ability to network globally across Group businesses, as well as with external groups.

oAdvocate one IRM community.

Key Soft Skills Required:
oDisplay excellent communicating and stakeholder management skills.

oBe Pro-active and self-motivated.

oDisplay Analytical and problem-solving skills.
**Disclaimer