AVP, Operational Risk – Information Security

Job Description:

Role Title: AVP, Operational Risk – Information Security & Organizational Resiliency (L11)

Company Overview: Synchrony (NYSE: SYF) is a premier consumer financial services company delivering one of the industry's most complete digitally enabled product suites. Our experience, expertise and scale encompass a broad spectrum of industries including digital, health and wellness, retail, telecommunications, home, auto, outdoors, pet and more.

• We have recently been ranked #2 among India's Best Companies to Work for by Great Place to Work. We were among the Top 50 India's Best Workplaces in Building a Culture of Innovation by All by GPTW and Top 25 among Best Workplaces in BFSI by GPTW. We have also been recognized by AmbitionBox Employee Choice Awards among the Top 20 Mid-Sized Companies, ranked #3 among Top Rated Companies for Women, and Top-Rated Financial Services Companies.

• We offer Flexibility and Choice for all employees and provide best-in-class employee benefits and programs that cater to work-life integration and overall well-being.

• We provide career advancement and upskilling opportunities, focusing on Advancing Diverse Talent to take up leadership roles.

Organizational Overview: Synchrony's Risk Team provides independent oversight of Synchrony's risk-taking activities to ensure safety and soundness, meet regulatory and legal requirements, and manage risks to the risk-appetite of the Board. Risk is responsible for independently assessing, quantifying, and overseeing risks & providing effective challenge. Risk serves as Synchrony's Second Line of Defense.   

Overall, Risk Team oversees and manages the Risk Program to support the business in anticipating and addressing risks, issues and challenges. Results are consistent with the respective strategic uses and complying with related overall risk, risk testing policies, standards, procedures as well as regulations. Our Risk organization consists of 4 pillars: Compliance, Credit & Financial Risk, Enterprise Risk and Operational Risk. Each of the pillars play a vital role in managing Risk and supports the business in anticipating and addressing risks, issues, and challenges.
 

Role Summary/Purpose:

We are seeking a technically strong, professional with a financial services background to join our Second Line of Defense (2LoD) Operational Risk team. This is an Information Security role with a primary focus on organizational resilience covering business continuity/disaster recovery (BC/DR), cyber resilience, and technology resilience. The analyst will partner with First Line of Defense (1LoD) teams in Information Security, BC/DR, and Third-Party Risk to identify, assess, monitor, and report resilience-related risks; review control effectiveness; support metrics development; and contribute to governance routines. This position reports to the VP, Operational Risk – IS & Resilience Oversight Leader.

Key Responsibilities:

• Risk Appetite and Governance: Monitor and report exceptions against Risk Appetite Statements for Information Security and Organizational Resilience; prepare materials for the Technology Risk Sub-Committee and other governance routines; maintain organized documentation of oversight activities.

• Resilience Identification and Assessment: Assist with independent assessments of resilience capabilities across protection, detection, response, recovery, and continuity; provide effective challenge during risk assessments, due diligence, strategy implementations, and significant change events (e.g., cloud migrations); document gaps in 1LoD resilience and operational risk practices against internal standards and industry frameworks.

• Tabletop Exercises and BC/DR Testing: Monitor, observe, and independently assess tabletop exercises and BC/DR tests; challenge scenarios, assumptions, test design, execution, and reported outcomes; document findings; validate remediation plans and track closure.

• Risk Mitigation and Issues Management: Review 1LoD deliverables (policies, standards, resilience plans, risk registers, remediation plans); help track and validate remediation; support disciplined issues management, including escalation when needed; partner with 1LoD on control and resilience design while maintaining an independent 2LoD perspective.

• Risk Monitoring and Metrics: Review and challenge KRIs/KPIs with thresholds and triggers for monitoring resilience posture, emerging threats, and control health; coordinate ongoing monitoring and risk testing plans with cross-functional risk teams; provide 2LoD commentary on identified risks, gaps, and remediation progress.

Required Skills/Knowledge:

• Bachelor's degree in a STEM field (e.g., Computer Science, Information Technology, Engineering, Information Systems) with 5+ years of experience in IT, Information Security, Technology Audit, or Technology Risk or in lieu of a degree 7+ years of experience in IT, Information Security, Technology Audit, or Technology Risk.

• Financial services industry experience with exposure to three lines of defense concepts and U.S. regulatory expectations.

• Experience supporting BC/DR, resiliency testing, or technology control assessments.

• Strong technical foundation in IT/Information Security (e.g., networks, applications, identity and access management, data protection, cloud security, security operations concepts) with an emphasis on resilience.

• Working knowledge of public/private cloud and service models (IaaS, PaaS, SaaS) and shared responsibility.

• Analytical problem-solving skills with attention to detail; ability to produce clear documentation and reports and manage multiple priorities.

• Effective communication skills for engaging technical and non-technical stakeholders and providing professional, evidence-based challenge.

Desired Skills/Knowledge:

• Familiarity with U.S. financial services regulators and guidance (e.g., OCC, FRB, FDIC) related to operational and information security risk.

• Exposure to third-party risk management, change risk, and public cloud adoption (AWS, Azure, Google Cloud).

• Experience with KRIs/KPIs, dashboards, and risk reporting; basic skills in PowerQuery, PowerBI, or SQL.

• Familiarity with common industry frameworks/standards such as NIST CSF, NIST SP 800-53, NIST SP Contingency Planning), NIST SP Vol. 2 (Cyber Resilience), ISO/IEC 27001/27002, ISO Business Continuity Management), ISO/IEC ICT Readiness for Business Continuity), PCI DSS, FFIEC IT Examination Handbook (Information Security and Business Continuity/BCM), FSSCC CRI Profile, and operational resilience regulations (e.g., UK PRA/FCA Operational Resilience, EU DORA, Basel Committee Principles for Operational Resilience).

• Certifications (e.g., Security+, CCSK, AWS/Azure/Google Cloud fundamentals), technology resilience certifications/training (e.g., ISO 22301 Lead Implementer/Lead Auditor, DRI International ABCP/CBCP, BCI CBCI/MBCI, EC-Council EDRP, Mile2 CDRE), or progress toward CISSP, CISM, CISA, or CRISC.

• Awareness of risks associated with AI/LLM technologies and cloud-native architectures.

• Strong influencing skills, results orientation, and a proactive approach to learning and continuous improvement.

Eligibility Criteria:

• Bachelor's degree in a STEM field (e.g., Computer Science, Information Technology, Engineering, Information Systems) with 5+ years of experience in IT, Information Security, Technology Audit, or Technology Risk or in lieu of a degree 7+ years of experience in IT, Information Security, Technology Audit, or Technology Risk.

• Financial services industry experience with exposure to three lines of defense concepts and U.S. regulatory expectations.

• Experience supporting BC/DR, resiliency testing, or technology control assessments.

Work Timings: This role qualifies for Enhanced Flexibility and Choice offered in Synchrony India and will require the incumbent to be available between 06:00 AM Eastern Time – 11:30 AM Eastern Time (timings are anchored to US Eastern hours and will adjust twice a year locally). This window is for meetings with India and US teams. The remaining hours will be flexible for the employee to choose. Exceptions may apply periodically due to business needs. Please discuss this with the hiring manager for more details. 

For Internal Applicants:

• Understand the criteria or mandatory skills required for the role, before applying

• Inform your manager and HRM before applying for any role on Workday

• Ensure that your professional profile is updated (fields such as education, prior experience, other skills) and it is mandatory to upload your updated resume (Word or PDF format)

• Must not be any corrective action plan (Formal/Final Formal)

• L9+ Employees who have completed 18 months in the organization and 12 months in their current role and level are only eligible.

• Employees at L9+ can only apply for this opportunity.
  
  Grade/Level : 11

Job Family Group: