
  • Posted: Mar 3, 2020
    Deadline: Not specified

    Since our establishment in 1918, Sanlam has been a prominent part of the South African business landscape. We have always held a long-term view of how business adapts to the demands of the environment in which it operates. Today, in a dynamic world, we see an evolving set of social, economic, political and environmental imperatives that require our skilfu...

    Executive Information and Technology Risk

    Key Responsibilities

    Information and Technology (IT) risk strategy and framework development and deployment

    • Support the development of Information and Technology Policies and Standards that are fit for purpose to the CIB business, including frameworks, programs, risk taxonomies, and tool kits.
    • Responsible for cascading and embedding Group-wide Operational Risk, Information and Technology Risk Policies and Frameworks into all CIB IT business units globally.
    • Advise on best practices leveraging expertise and industry insights, including analysis of IT risk data from various sources (e.g. external events, control deficiencies, risk register) to identify and measure levels of information and technology risk, concentration, trends and patterns.
    • Advise on continuous monitoring and control test methods, and recommend technology metrics in support of the Technology Risk Appetite Statement for the CIB business
    • Provide quality assurance on root cause assessment on material internal incidents as well as external event reviews, including issue management, oversight and escalation
    • Promote/drive corporate-wide IT risk awareness, culture and influence within CIB, including rollout of business unit IT risk training programs

    Assess and Optimise the IT risk profile in the CIB Business

    • Promote/coordinate execution of IT risk and control self-assessments (RCSA) and Application Risk Assessment (ACA) programs, and ensure that the scope, discipline and culture in surfacing the key risks (infrastructure, applications, third parties, cyber security, resilience etc…) that the business faces in its operations is robust
    • Provide independent quality assurance (QA) over RCSAs and ACAs to ensure that risks/controls assessments are adequate.
    • Partner with the Business, IT Security, Technology and Operational Risk teams, and other related parties to ensure that action plans, policy and procedural changes for risk acceptance, avoidance, transfer and/or mitigation are appropriately considered to address vulnerabilities identified from risk assessments.
    • Evaluate potential business impact of IT risk concentrations on the CIB business and its clients, and facilitate the development of programmatic resolutions to reduce such risk concentrations.
    • Engage with global and business line strategic programs, new products/changes/projects, to understand and assess related IT risks at the outset and drive the integration of effective proactive risk management approaches throughout the program lifecycle.
    • Monitor the evolving risk position of new technologies (robotics, AI, Cloud initiatives, blockchain, etc.) for each of the technology areas in focus, tracking the individual risk logs and resolution plans, to minimize potential losses and other impacts.
    • Enable the adoption of enhanced Business Process Management and Lean Six Sigma methods to drive continuous improvement in business value streams; identify process/quality gaps; drive out waste; and improve customer satisfaction.
    • Direct the formulation of stress test plans and risk scenarios for your designated business unit, evaluate results, and frame contingency plans in partnership with key business stakeholders. Leverage AMA tools to achieve strategic integration of risk measurement into business planning and decision making.
    • Manage processes for collecting accurate and complete internal loss data from business areas, including direct analysis and data mining initiatives that identify, validate, and manage emerging risk exposures. Assist in the early identification of risk trends by establishing and monitoring key performance and risk indicators.
    • Contribute to the development of a risk and control culture in the business through knowledge sharing and creating awareness, including best practices for minimizing information and technology risk losses.

    Effective IT risk monitoring and impact/loss prevention

    • Monitor appropriateness of IT incident reporting and perform ongoing analysis of Operational Risk impact and losses, near misses and external events to inform risk assessments and better scenario and resilience planning and exercises.
    • Assist with the investigation of material Operational Risk incidents/events, and the determination of appropriate remedial measures and lessons learned.
    • Enable the development, review, monitoring and analysis of IT key risk indicators (KRIs). Ensure KRI thresholds are relevant, and breaches are adequately addressed (e.g. escalation and resolution), in collaboration with other control functions (e.g. Audit and Compliance).
    • Develop and/or contribute towards executive level reporting, metrics, scorecards and dashboards to support risk-informed business decisions, and recommend strategies that effectively help maintain risks within the agreed appetite and impact on the bank’s clients and stakeholders
    • Identify and monitor risk trends across the business and guide detailed analysis of recurring issues and assessment of root causes. Influence and monitor progress of action plans arising from risk assessments, information and technology risk monitoring, internal and external audits and regulatory inspections.
    • Independently identify and assess emerging, evolving and previously unidentified technology risks impacting CIB Technology Stack. Participate in complex risk reviews and, where appropriate, conduct due diligence reviews, in order to provide assurance that information and technology risks within the business are being managed effectively.
    • Engage with cyber teams to gain full understanding of cybersecurity and control environment, and provide visibility to the effectiveness of cyber defence strategies and tools in place
    • Responsible for the management, and where appropriate, Chair designated business or CIB-wide Operational Risk Committees/Forums.

    Leadership Competencies

    Influencing Others 

    • Effectively and strategically influences across the organisation, based on previously established credibility and respect, as well as understanding the organisational dynamics, politics and interpersonal context.

    Purposeful Collaboration 

    • Understands and leverages the dependencies across the organisation and the impact of own actions on the rest of the organisation to create organisation alignment for decision-making and delivery of quality outcomes.

    Leading Courageously 

    • Believing in oneself, own judgement, skills and experience, and using this self-confidence to challenge others for the benefit of Standard Bank.

    Technical Competencies

    Risk Identification 

    • The ability to facilitate a formal acceptance process of reviewing and accepting residual risk, depending on the outcomes of risk identification and measurement. Candidate should have in-depth, detailed knowledge of Technology Risk Management, Operations and Information Security practices, with a proven track record in technology development, engineering or technical architecture with financial services and corporate banking products.

    Risk Measurement 

    • The ability to define and analyse risk identification information in a quantitative and/or qualitative way. Working knowledge and interest in current and emerging technologies (robotics, AI, Cloud Computing, Blockchain etc), including technology transition programs, and technology innovation governance frameworks

    Risk Response Strategy 

    • The ability to facilitate the creation and adoption of an appropriate risk response strategy and to assign ownership for the risk response.
    • Knowledge of Cybersecurity organization practices, operations, risk management processes, principles, architectural requirements, engineering and threats and vulnerabilities, including incident response methodologies

    Evaluation of Internal Controls 

    • The ability to analyse process controls for effectiveness from a design and implementation perspective.

    Qualifications

    • Commercial or Technical Degree (CRISC / CISA / CISM / CISSP)
    • Post-graduate qualification in Risk Management
    • Masters Level qualification in Law, Business Administration or Risk Management

    Experience

    Business Management

    • Information and/or Technology Risk Management/
    • Chief Operations, Information or Technology Officer
    • 10+ Years

    Risk/Internal Audit

    • IT/Information Security Audit
    • 3-4 Years

    Operations/Technology

    • Information & Technology Risk Management
    • 3-4 Years

    Method of Application

    Interested and qualified? Go to Sanlam Group on www.linkedin.com to apply
