This job is expired
ANSA McAL Group of Companies

BCM & IT Risk Manager

  • Port-of-Spain
  • Not disclosed
  • Permanent full-time
  • Updated 23/03/2026
  • Rean Ramsaroop

The BCM & IT Risk Manager ensures the stability and resilience of the bank’s digital infrastructure, acting as the Second Line of Defense (2LoD) to prevent outages, manage IT risk, and maintain business continuity during technical disruptions.

Job Summary:

The BCM & IT Risk Manager is responsible for the stability and "survivability" of the bank's digital infrastructure. This role acts as a critical Second Line of Defense (2LoD), ensuring that IT system changes do not cause operational outages and that the bank can maintain business continuity through technical disruptions.

Key Responsibilities:

  1. IT Change Oversight & Stability
    • Independent Review: Serve as the mandatory risk-approval point for all significant IT system changes. Review change logs and deployment plans to prevent "self-inflicted" outages caused by poor configuration or untested patches.
    • Incident Root Cause Analysis: Partner with IT to perform deep-dive analyses of system failures (e.g., system-related Operational Risk Events). Identify systemic defects in software or hardware to prevent recurrence.
    • ICT Risk Assessments: Conduct comprehensive risk assessments on new technologies, cloud migrations, and software upgrades before they go live.
  2. Business Continuity Management (BCM)
    • Framework Architecture: Build and maintain the Group’s Business Continuity Plans (BCP) and Disaster Recovery (DR) protocols.
    • Testing & Validation: Design and lead "Severe but Plausible" scenario tests (e.g., total cloud outage, data corruption). Ensure that recovery time objectives (RTOs) align with Board-approved Impact Tolerances.
    • Business Impact Analysis (BIA): Regularly update the mapping of people, processes, and technology required to deliver the bank's most critical services.
  3. Third-Party & Cloud Oversight
    • Vendor Resilience: Liaise with the Business Relationship Officer on the risk lifecycle of critical third-party partners and ensure that these partners provide verified, tested recovery plans.
    • Exit Strategy Governance: Discuss "Exit Strategies" for critical third-party providers with the Business Relationship Officer to ensure the bank can transition data or services in the event of vendor failure or contract termination.
    • SLA Monitoring: Review vendor Service Level Agreements (SLAs) from a risk perspective to ensure they meet the bank’s resilience requirements.
  4. Reporting & Compliance
    • KRI Tracking: Develop and monitor Key Risk Indicators (KRIs) related to system uptime, cyber-hygiene, and BCP readiness.
    • Regulatory Liaison: Ensure IT risk and continuity protocols comply with Central Bank guidelines and international standards (e.g., ISO 22301, ISO 27001).

Qualifications & Experience

  1. Education
    • Bachelor’s degree in IT, Computer Science, or Risk Management.
    • CISA, CRISC, or CBCP highly preferred.
  2. Experience
    • 7+ years in IT Risk, Business Continuity, or IT Audit
    • Preferably within a financial institution.
  3. Technical Competencies
    • Deep knowledge of IT Risk Management frameworks (e.g., COBIT, NIST) and Business Continuity/Disaster Recovery international standards (e.g., ISO 22301).
    • Strong understanding of Cloud Governance and the risk management lifecycle for critical third-party service providers.
    • Competency in IT Security principles and IT Audit methodologies to independently validate the effectiveness of First Line (1LoD) controls.
    • Experience in reviewing system change logs, deployment plans, and patch management protocols.
    • Ability to interpret and apply Regulatory guidelines and international standards (e.g., ISO 27001) regarding ICT risk and operational resilience.
    • Root cause analysis and impact assessment.
  4. Behavioural Competencies
    • Attention to detail
    • Sound judgment
    • Strong written communication
    • Time management
    • Willingness to challenge

 

Ref: BCM & IT Risk Manager
