Head 2nd Line Risk: IT and Data at Old Mutual

Job Description

• This role is a Line 2 IT and Data Risk role within the wider GRCA team. This role is responsible for the Line 2 Risk oversight for IT and data risks across Old Mutual Insure (OMI) and Old Mutual Alternative Risk Transfer Insure(OMARTi).
• Areas of focus include Security/ Cybersecurity, Strategic Programs, IT Control Environment, Core systems and processes, AI, Digital & Data, Resilience and Cloud.
• Engagement with the Office of the Chief Information Security Officer (CISO) and other key IT Stakeholders is required to ensure alignment and tracking of progress across key IT and data risks.
• Collaboration with the Enterprise Risk Management and Compliance teams is crucial, and while a working knowledge of key business processes such as underwriting and claims is not essential, it will be an advantage. A strong understanding of regulations and risk management practices related to IT and data in the Financial Services environment is also required.
• This role provides independent second line oversight, challenge and reporting and does not own or operate IT systems, controls or incident response activities.

Responsibilities will include the following:

Risk Management

• Drives the communication of risk management requirements and standards and actively promotes embedding of a strong risk culture.
• Supports the IT and data teams to identify, measure, monitor, manage and report on material risks within their functional area of responsibility.
• Can support management to identify suitable mitigating actions to address key IT and data risks.
• Supports management with the policy adoption, roll out and compliance.
• Provides objective oversight, monitors, and reports on the maintenance of prescribed minimum IT and data risk standards, methodologies, processes, and data requirements, and initiates appropriate corrective action as may be required.
• Defines, monitors and escalates IT, cyber and data risk appetite metrics and tolerance thresholds, including the identification and reporting of positions that are out of appetite to management and Risk Committees.
• Provides independent second line oversight of material IT, cyber and data incidents, including review of root cause analysis, control adequacy and remediation actions, while remaining independent of first line incident response and system operations.
• Provides second line oversight of technology and data related third party and outsourcing risks, including cloud service providers, material vendors and critical service dependencies.
• Supports oversight of operational resilience for critical IT and data services, including consideration of severe but plausible disruption scenarios and associated risk exposures.
• Maintains a forward-looking view of emerging and systemic IT and data risks, including developments in technology, AI, cyber threat landscapes and regulatory expectations.
• Provides oversight of data quality, integrity and availability risks, including risks impacting decision making, regulatory reporting and customer outcomes.

Reporting

• Provide input into the CRO, Executive and Board committees on key IT and data risks.
• Provide reporting and insights at forums such as management committees and IT executive committees.
• Support reporting processes across the broader GRCA/ Risk team.
• Ensures IT and data risk reporting provides clear, useful insight on current risk profile, trends, emerging risks and alignment to risk appetite.

​​​​​​​Stakeholder Management

• Collaborates strongly with IT Management/ Executive teams to ensure risks are managed appropriately.
• Provides support to the Line 1 risk owners, controls owners, risk indicator owners, management action owners, and risk coordinators, so they are enabled to fulfil their risk management responsibilities.
• Will be required to fulfil a Center of Excellence (CoE) role and “Support to Risk Partner” role. Strong collaboration is required with all.
• Risk CoEs and other Assurance providers.
• Provides input into risk profile reviews in collaboration with other Risk CoEs and assurance providers.
• Acts as a trusted risk advisor to senior technology stakeholders while maintaining appropriate constructive challenge and independence.

​​​​​​​Team Effectiveness

• Provides strategic direction to the team.
• Balances own priorities with directing and motivating others.
• Creates a climate for optimal performance.
• Guides and directs staff to achieve operational excellence standards.
• Manages performance of staff.
• Plans and assigns work over periods of 1-2 years.

​​​​​​​Key Experience, Knowledge and Qualifications required:

• Degree and/ or post-graduate qualification in risk management/ internal audit or equivalent.
• Relevant IT qualifications/certifications in Risk Management and Cloud, or similar.
• Experience on large programs and enterprise-wide changes.
• At least 10 years' experience in risk management, internal audit, operations, or similar fields, with a focus on management of IT and data risks.
• Experience in working across a value chain is essential.
• Experience in managing IT and data risk in a Financial Services environment.
• Solid Planning, Integration and Execution skills.
• Strong stakeholder management skills across all levels.
• Strong leadership skills, including coaching and mentoring.
• Excellent written and verbal communication skills, especially presentation skills.
• Solid integration and analysis skills.