Operational Risk Officer

Position Purpose

RISK Operational Risk Management (RISK ORM), created early 2021 to oversee operational risks within the mandate of the RISK function, is organised, under the responsibility of the Group Chief Operational Risk Officer (Group CORO), around 3 Poles: RISK ORM Framework, RISK ORM Technology & Transversal Risks and RISK ORM Network.

Under the authority of the Poles Manager, RISK ORM Network is made up of all the Operational Risk Officers (OROs) acting as the second line of defence (LoD2) within the Groups operational entities (Poles, Business Lines, Functions, Transversal Activities).

In this context, the Common Outsourcing Controls Execution Platform (COCEP), whose missions are presented below, reports hierarchically to the Group Head of ICT Controls Testing. He/She:

• Contributes to protect the Bank by securing the oversight of the completeness and quality of the outsourcing register (360 RiskOp Arrangement module) to guarantee an accurate oversight of outsourcing arrangements and their characteristics,
• Assures the accuracy and data quality of regulatory reporting (e.g., CASPER) and notifications (e.g., IMAS),
• Ensures the homogeneity, the robustness and effectiveness of the outsourcing controls executed by the LoD1 by implementing LoD2 controls execution platform across Poles and Functions,
• Facilitate and pilot outsourcing operational risk management framework.

Key success of the COCEP relies on building trusted partnerships with stakeholders and particularly with the RISK ORM Framework, TPRM and Network community and globally all entities of the Group.

Responsibilities

Direct Responsibilities

The COCEP Outsourcing Risk Officer contributes to identify and reduce risks on activities delegated to third-party service providers and thus improves the efficiency of the overall activities for the Bank.

Key missions of role - Outsourcing Risk (COCEP)

• Oversee the process of the outsourcing register data quality of regulatory reporting:
• Define the process to remediate data quality anomalies for CASPER regulatory reporting,
• Perform cross-business consistency analysis to identify inconsistencies or incorrect qualifications in the register,
• Identify any inconsistencies between the outsourcing register critical outsourcing arrangements data and IMAS portal,
• Build a process to ensure consistency between the outsourcing register and the exit strategy standard documentation (e.g., alignment between the exit plan and the outcome of assessment of the service providers substitutability, the substitutability modality, and the time-of-service providers substitutability).
• ? Verify the compliance of outsourcing regulatory documentation:
• Build a process and perform the verification, with the related OROs, of the alignment between the draft record in IMAS portal and the content of the notification template submitted at the Validation Committee.
• Build a process and perform the verification, with the related OROs, that the exit strategy documentation is available and compliant with the Group format.
• ? Execute LoD2 controls on outsourcing GCL (RISK0418):
• Define a process to industrialise the LoD2 control reviews on outsourcing.
• Perform the defined LoD2 controls plan, share the results with the related OROs and ensure that the related potential permanent control actions plans are recorded in 360 RiskOp.
• ? Facilitate and pilot outsourcing operational risk management framework:
• Define a process to industrialise the periodic report analysing the outsourcing operational risk management including the data quality indicators improvements and the LoD2 controls results analysis.
• Monitor indicators results, and cascade as appropriate to ORO Poles and Functions.
• Define and produce operational reporting (link with RISK ORM COE ISPL reporting stream).
• The COCEP Outsourcing Risk Officer reports to the Group Head of ICT Controls Testing, and locally to the Head of COCEP, India CoE. He/she actively collaborates with RISK ORM Framework and Technology & Transversal risks teams and works with the operational risk officers (ORO), outsourcing coordinators, operational permanent controllers (OPC), and subject matter experts (SME).
• Scope covered and organisation. The scope applies to all entities for which RISK ORM acts as a second line of defence. In addition to the elements of this document, the outsourcing framework, generic control libraries (GCL) and the operational role of the OROs, are notably described in the procedures, Second line of defences roles and responsibilities on the operational risk management framework (RISK0401), LoD2 control activities on the LoD1 control framework (RISK 0414), Group Policy pertaining to Outsourcing Risk Management Framework (RISK0417), Generic Control Library relating to outsourcing risks (RISK0418) and ORO Role and Responsibilities in the outsourcing process (ORM0005).
• Lastly, the legal and regulatory requirements of third-party risk management are notably, EBA guidelines on Outsourcing Arrangements, EU DORA, UK PS7/21, UK SS2/21, Solvency II, US FDIC-OCC guidance on third party relationship risk management.

Contributing Responsibilities

• Collaboration at the India CoE level with Head of India CoE, including but not limited to the CoE level reporting requirements
• Effectively contribute to the CoE, RISK India Hub and ISPL on Group mandates, Objectives and priorities
• Help and contribute to build the CoE a positive place to work Technical & Behavioral Competencies
• To meet the requirements of this position, the COCEP Outsourcing Risk Officer will be expected to have a good fluency in risk analysis and monitoring, acquired through professional experience in a team in charge of operational processes or executing operational risk activities in the first or second line of defence.
• Moreover, general knowledge of LoD2 control management, third-party risk management, analysis and monitoring will be sought given the importance of technology in Group's business processes.
• We expect the COCEP Outsourcing Risk Officer to have good relationship skills to efficiently work in a group / a team / a community, qualities of communication he is able to bring to his/her interlocutors to decision-making and relay key messages, the ability to mobilise his/her direct and indirect network, and a good sense of responsibility and commitment.
• Last, a good analytical skills, a solid critical mind, the capacity to synthesize / simplify, to communicate orally and in writing, to animate meetings and committees, to challenge the existing and propose solutions (change management), to be pragmatic in analysis and action, to work in collaborative mode in a changing environment with respect of the deadlines, to be rigorous, will allow the newcomers in the COCEP team to take on his/her new appointment in the best conditions.

Skills Preferred

• Has the proven ability to think outside of the box, challenge industry norms and adapt quickly to evolving requirements.
• Is self-aware, anticipates problems, adapts and meets them head on.
• Strong stakeholder management, relationship building, influencing, facilitating and presenting skills.
• Is solutions focused measures their output on whether issues, problems or challenges are resolved as a criteria for success.

Conduct :

• Consider the implications of your actions on colleagues, partners and clients before making decisions, and escalate issues to your manager when unsure.

Specific Qualifications (if required)

University Degree(technical) and/or certification on Risk management

Skills Referential

Behavioural Skills : (Please select up to 4 skills)

Attention to detail/rigor

Ability to deliver/Results driven

Ability to synthesize /simplify

Ability to collaborate/teamwork

Transversal Skills: (Please select up to 5 skills)

Ability to anticipate business / strategic evolution

Ability to set up relevant performance indicators

Analytical Ability

Ability to develop and adapt a processAbility to develop and leverage networks

Education Level: BachelorDegree or equivalent

Experience Level : Atleast 3 years

Professional qualifications/trainings relevant to technology and/or outsourcing risk,Risk management,Information security,Operational risk,cloud security