  • Posted: Feb 14, 2020
    Deadline: Not specified

    Imagine a world where people live healthier, more enhanced and protected lives… A world in which each organisation is a powerful influencer and responsible corporate citizen, committed to being a force for social good. As a leading innovator in healthcare, wellness, insurance, investments, financial and life planning, Discovery works ceaselessly to...

    Head of IT Risk

    Reporting to

    Head of Risk

    Level

    Senior Manager

    Department

    Group Risk Management

    About Group Risk Management

    The Group Risk Management (GRM) Function is a centralised risk management function independent of day-to-day management. Its primary responsibilities include:

    • assisting the Group to identify, assess, monitor, manage and mitigate its material risks, and promote a sound risk culture; and
    • assisting the Discovery Limited Board and senior management to develop and maintain the Group’s risk management system, including promptly informing the Discovery Limited Board of any circumstance that may have an adverse material effect on the risk management system of the Group.

    GRM works closely with Internal Audit, Compliance and Discovery actuaries.

    Key Purpose of the role

    The candidate will report to the Head of Risk. The successful candidate will be required, among other duties, to take full accountability for the development and implementation of a complete end-to-end IT risk management programme, including project risk management, for Discovery Group on par with best practice.

    Areas of responsibility may include, but are not limited to:

    Risk Strategy, Policies and Implementation

    • Develop, implement and maintain risk strategies and risk policies for the Group, and ensure alignment between Group standards and those of subsidiaries and partnerships in the Group.
    • Provide Management and the Board with a framework for IT risk management;
    • Embed policies and train all required staff accordingly.
    • Co-ordinate and manage the policy attestation and assurance requirements for risk policies within portfolio and report the results to management and the Board.
    • Establish, monitor and improve the risk governance structure and reporting requirements Group-wide and at various levels within Discovery
    • Ensure that all business units and companies within the Group have an established risk appetite, risk tolerances and key risk indicators for relevant risk classes as well as principal risks
    • Develop, implement and maintain standardised templates for IT risk activities across the three lines of defence.
    • Develop, implement and maintain risk toolkits as well as process flows for IT risk activities across the Group, which include inter alia strategic risk process, RCSA, PCSA, Deep Dives, project risks, emerging risks, incident management, escalation and reporting, KRI monitoring, mitigation development and monitoring etc.
    • Develop, implement and maintain risk criteria, keeping these current with changes in the Discovery risk environment. These include inter alia risk matrices, impact, likelihood and controls criteria, risk aggregation and weighting, risk incident, escalation and reporting criteria
    • Oversee the uniformity of IT risk processes across the Group and correct deviations therefrom.
    • Recommend a protocol of IT risk management oversight of SA and international companies in the Group
    • Recommend the risk culture positioning and drive initiatives towards an ideal risk culture
    • Provide training and support to GRM risk officers and first line officers in terms of their roles relating to the IT risk portfolio
    • Implement a group wide training and awareness programme relating to the IT risk portfolio
    • Implement and maintain a risk management (IT) system that caters for the full requirements of the Group
    • Implement and maintain a full knowledge database to give effect to risk intelligence and ensure that risk reporting at various levels is automated and generates value-added information for decision making

    Combined Assurance

    • Implement the combined assurance strategy and framework for the group on par with best practice relating to the IT risk portfolio
    • Provide a basis for identifying any areas of potential assurance gaps and duplication of resources within the combined assurance framework
    • Develop and implement the tools and templates required for Management and assurance reporting
    • Identify all assurance providers and recipients of assurance relating to the IT risk portfolio
    • Develop and obtain approval for the annual combined assurance plans, assess adequacy, recommend corrective solutions for gaps and duplications within the plan
    • Monitor and report on progress against the combined assurance plan as well as the framework
    • Conduct bi-annual assessments for the audit and/or risk committee on the results of combined assurance
    • Develop a structure to give effect to combined assurance and maintain relationships with the key assurance providers.

    ERM Maturity

    • Implement a continuous improvement programme such that Discovery is assessed at best practice maturity for risk management
    • Conduct best practice research, recommend and implement solutions to improve the effectiveness of risk management practices across the group relating to the IT risk portfolio
    • Play a trusted advisor role to Management and the Executives with regard to leading IT risk practices and consulting activities
    • Perform any activities as required in respect of Discovery’s participation in industry forums and as required by the Head of Risk
    • Contribute to keeping the team abreast of changes in the environment, best practice and risks affecting the business units and the Group
    • Conduct an annual self-assessment of the ERM programme relating to the IT risk portfolio.

    Strategic and Operational Planning

    • Co-ordinate the preparation of the annual and 3-year rolling risk management plans and the training and development plans for timely approval by the Risk and Compliance Committee, ensuring alignment with combined assurance and strategic objectives
    • Prepare presentations to discuss the plans across all business units in the Group as well as for the Head of Risk
    • Track progress against the plan per business unit and for the group as a whole

    Strategic and special Projects/reviews

    • Conduct all strategic risk reviews as identified through own analysis and as required by the Head of Risk and CRO in collaboration with the GRM risk officers
    • Co-ordinate and participate in group wide assessments as directed by the Head of Risk
    • Prepare presentations, risk information and investigations as required by the Exco, Board, Head of Risk or CRO
    • Attend various meetings and steercoms.

    Stakeholder Relationships and Reporting

    • Develop and maintain a trusted advisor type relationship with senior and executive management of each business unit in the portfolio
    • Build capacity within the appointed first line roles by providing guidance, training, support and challenge of risk outputs from the first line
    • Attendance of CIO Forums, Information Security steercoms, project steercoms, Management forums, etc.
    • Following up with Risk champions and first line risk officers on monthly progress
    • Reporting of IT Risk for the various audiences. This could include the following: reporting to operational areas for them to understand their accountability for the risks, and reporting to the relevant Boards, CIOs, senior management, and Risk and Compliance Committees to ensure they understand the most pertinent risks to their areas
    • Prepare final reports and presentations required for Group reporting at various levels which will include but is not limited to:
        • Enterprise risk report, weekly Incident Report, shareholders reports, BU risk reports and dashboards
        • Regulatory reports such as ORSA, sustainability and integrated reports
        • Group wide risk reports and ad hoc reporting requirements
    • Develop a mechanism for communication to broader staff and various audiences to keep them informed of risk trends and relevant information

    Competencies and Attributes

    • Lead and manage allocated staff (the staff complement at present consists of 4 IT Risk Specialists), ensuring all staff development and performance is on par with expectations and that staff outputs meet minimum standards
    • Resolve challenges and conflicts experienced by staff, develop amicable solutions to resolve conflicts and provide clear and timely feedback to staff on performance areas
    • Demonstrate value add on risk activities to business needs and objectives
    • Develop and maintain a trusted advisor type relationship with management of each business unit in the portfolio. Management level being senior and executive.
    • Monitor maximum usage of the IT risk system throughout the risk team as well as the required business users
    • Assist the Head of Risk on any risk activity requested on an ad hoc basis
    • Required to take the initiative and follow his/her own direction, with the ability to make quick, clear choices that may range from tough choices to considered risks.
    • Upholds ethics, values and demonstrates integrity.
    • Shows respect for the views and contributions of others
    • Demonstrates a willingness to share information.
    • Strong negotiating and influencing skills.
    • Excellent communication skills. The candidate should speak fluently and have excellent written skills, with writing structured in a logical manner.
    • Demonstrates an understanding of different organisational departments and functions.
    • Ability to analyse and assess various data and break them into component parts, patterns and relationships.
    • Sets high standards for quality and quantity.
    • Works in a systematic, methodical and orderly manner.
    • Adapts to changing circumstances.
    • Handles criticism constructively and learns from it.
    • Advanced Microsoft
    • Advanced knowledge of ERM processes and programme development, risk policy development and combined assurance
    • Working knowledge of an IT risk system is advantageous
    • Experience in the insurance industry is advantageous
    • Relevant legislative knowledge

    Education And Experience

    • Minimum Bachelor of Commerce Degree in Finance or Risk
    • Relevant risk and/or internal audit certifications and memberships
    • 8+ years’ experience in IT risk management, IT audit and cybersecurity with a professional services background in financial services.
    • Demonstrated experience in facilitating and managing IT and cybersecurity risk assessments across IT environments, projects, and third parties.
    • Strong understanding and application of IT risk and cybersecurity frameworks such as ISO 27001/2, NIST and COBIT.
    • Strong understanding of IT and software development concepts.
    • Demonstrated ability in leadership and strategy and able to work independently and in multi-disciplinary teams, managing priorities to meet competing deadlines.
    • Proven analytical problem-solving skills with excellent interpersonal, verbal and written communication skills.


    EMPLOYMENT EQUITY

    The Company’s approved Employment Equity Plan and Targets will be considered as part of the recruitment process. As an Equal Opportunities employer, we actively encourage and welcome people with various disabilities to apply.

    Method of Application

    Interested and qualified? Go to Discovery Limited on career2.successfactors.eu to apply
