Oro IT Risk Officer

**Position Purpose** - Purpose: The below requirement is for ORO-IT Officer role and part of the Risk ORM, ORO-IT team and will be responsible for assisting with the management and execution of the bank?s IT risk management function within the 2nd Line of Defense. - Scope: Group/Global **Responsibilities** **Direct Responsibilities** - Conduct ICT risk assessments across Company in accordance with Group RISK ORM ICT standards and policies - Independently perform and contribute to independent risk assessment testing activities, carried out by the global teams as mentioned below: Application & Infrastructure Risk Assessments working with the Business and Technology teams to identify security issues in existing and new systems, and agree corresponding actions to mitigate or accept risks. Tracking issues and agreed actions to completion. - ICT GCP (Generic Control Plan) testing ? Perform Generic controls testing to determine the performance and operational effectiveness of controls and develop detailed reports documenting the gaps identified and recommendations for improvement. - Maturity Assessments ? Conduct technical and process based analysis of maturity of ICT controls across Company Group entities. - Partner with Business and Technology teams in helping them understand their technology risk profile and influencing their risk management decisions. - Contribute to the industrialization of RISK ORM, ORO-IT services by development of methodologies / tools for the achievement of assignments. - Work in collaboration with other stakeholders from business and other RISK ORM teams to contribute towards influencing the ICT risk culture and reporting the risk status to the Company Board and senior management. **Contributing Responsibilities** - Perform technical and process based ICT risk assessments in partnerships with regional / global stakeholders. - Support the oversight, check & challenge and reporting on the performance and operating effectiveness of ICT / IT controls across Company entities, with a focus on high risk areas and critical business operations - Contribute to the industrialization of ORO-IT services by development of methodologies / tools for the achievement of assignments. - Regularly and proactively monitor global events / incidents to determine new emerging risks areas and propose improvements to the risk assessment approach / processes. - Establish and maintain relationships with RISK ORM, RISK ORM ORO-IT and Company entity stakeholders. - Build and establish networks and relations with other key internal stakeholders (i.e. Global Security Operations, HR, Facilities, Legal, and Internal Communications). - Support the development and implementation process for validating effectiveness of the ICT controlsRisk Management Environment: - Identification & assessment: Ensure that the identification and assessment of operational risks are effectively done across the organization by correlating input from Audit Findings, Internal Loss Data Collection & Analysis, External Data Collection & Analysis, Risk Control Self Assessments, Business Process Mapping, KPIs & KRIs, Scenario Analysis, and Quantified Measurement & Comparative Analysis. - Monitoring & Reporting: Implement a process to regularly monitoring operational risk profiles and material exposure to losses and provide appropriate reporting mechanisms to the board, senior management and the business lines. Data capture and operational risk reporting should be continuously enhanced and provide a feedback loop to enhance risk management policies, procedures and practices. - Control & Mitigation improve the effectiveness of the Internal Controls programme by reviewing the control environment, risk assessment process, control activities, information and communication and monitoring activities. Assess operational risk response strategies. Validate risk transfer options. **Technical & Behavioral Competencies** **Essential** - Demonstrated passion towards uncovering control weaknesses in processes and technology. - Results-oriented and strong teammate with excellent analytical, problem solving skills. Outstanding presentation, written and verbal communication skills. - Knowledge of compliance standards like CIS, NIST and GDPR. With high level knowledge of secure development practices and standards such as OWASP. - Proficiency in concepts related to network infrastructures, information system security including emerging threats and attacks methodologies, in particular: Network security, network equipment configuration, network protocols, network standards, supervision, "Conceptual Skills," "Decision Making," "Informing Others," functional and technical expertise, reliability, information security policy. - Recognized skills for the integration of different security or data protection technologies within a coherent architecture to effectively cover the risks of the company. - Good technical understanding of security technologies, including intrusio