Manager: IT Risks & Controls at University of the Western Cape/Universiteit van Wes-Kaapland

Role Clarification & Key Performance Areas

The University of the Western Cape (UWC) seeks to appoint an experienced Information & Technology Risk Manager in its Information and Communication Services (ICS) Department.

The University has set itself exciting and challenging goals in its Institutional Operating Plan (IOP), which rely heavily on ICT's to deliver integrated solutions that enable and support its Academic and Research programs, and its Administrative and Professional Services departments.

This permanent position, will report to the Deputy Director: ICT GRC and will play a pivotal role in maturing the University's IT Risk Management functional domain and capabilities in the areas of: IT Risk Identification; IT Risk Assessment; IT Risk Response & Mitigation; IT Risk and Control Monitoring & Reporting.

This is a demanding but very stimulating role, which requires an experienced individual with the appropriate breadth and depth of business and technical skills and competencies.

We invite you to join our team in a very exciting time in the University's history.

Key Performance Areas:
IT Risk Identification

• Identify and classify potential threats and vulnerabilities to the University's people, information, processes and technology to enable IT risk analysis,
• Develop a comprehensive set of IT risk scenarios, and identify accountable stakeholders, based on available information to determine the potential impact to business objectives and operations,
• Maintain the IT risk register to help ensure that identified IT risk scenarios are accounted for and incorporated into the institutional risk profile,
• Identify risk appetite and tolerance defined by senior leadership and key stakeholders to ensure alignment with business objectives,

IT Risk Assessment

• Analyse risk scenarios based on institutional criteria (e.g. business processes, technology etc.) to determine the likelihood and impact of an identified risk,
• Identify the current state of existing controls and evaluate their effectiveness for IT risk mitigation,
• Review the results of risk and control analysis to assess any gaps between current and desired states of the IT risk environment,
• Ensure that risk ownership is assigned at the appropriate level to establish clear lines of accountability,
• Communicate the results of risk assessments to senior management and appropriate stakeholders to enable risk-based decision making.

IT Risk Response & Mitigation

• Consult with risk owners to select and align recommended risk responses with business objectives and enable informed risk decisions.
• Assist risk owners, where needed, with the development of risk action plans
• Consult on the design and implementation or adjustment of mitigating controls to ensure that the risk is managed to an acceptable level.
• Maintain the IT Risk and Control Matrix.
• Assist control owners in developing control procedures and documentation to enable efficient and effective control execution.
• Validate that risk responses have been executed according to the risk action - plans.
• Collaborate in the development of a risk awareness program to promote a risk­ aware culture and facilitate risk training.

IT Risk and Control Monitoring & Reporting

• Define and establish key risk indicators (KRls) and thresholds based on available data, to enable monitoring of changes in risk.
• Monitor and analyse key risk indicators (KRls) to identify changes or trends in the IT risk profile.
• Facilitate the identification and monitoring of metrics and key performance indicators (KPls) to enable the measurement of risk control performance across relevant IT domains (e.g. data management; SDLC; project & program management; IT service continuity & disaster recovery; IT operations management).
• Report on the performance of, changes to, or trends in the overall IT risk profile and control environment to management and relevant stakeholders to enable decision making. 

IT audit Co-ordinate engagements 

• The Manager: IT Risk & Controls position is the coordinator and point of contact for audits to ensure that the IT audit process is efficient from the planning of the audit fieldwork and request for evidence collection, through to the tracking, trending and reporting of all IT audit items to relevant stakeholders and committees to enable decision making.
• This role requires the successful candidate to work closely with internal and external auditors, institutional senior stakeholders and external parties to consult and advise on audit scope, remediation and strategic items related to the IT audit and control environment.

Minimum Requirements

Minimum Requirements: Qualification, Skills and Experience
Below are the essential requirements for interested candidates to be short-listed:

• A Bachelor's degree in Information Systems, or an equivalent NQF-7 accredited qualification,
• An accredited, internationally recognised IT Risk Management certification,
• IT Service Management experience - incident and problem management,
• 3 - 5 Years' experience in an enterprise IT environment,
• A minimum of 3 years' relevant IT Risk Management and/or IT audit experience in an enterprise environment,
• Proficiency in legal, regulatory, standards, governance and other compliance requirements pertaining to IT Risk Management and a higher education environment (e.g. COBIT, ISO2700x, ISO31000,           COSO, NIST, CIS, POPIA, GDPR etc.),
• Good experiential knowledge and understanding of an enterprise business systems architecture (including data centre; server environment; storage network; databases; operating systems; applications; WAN & LAN networks),
• Advanced proficiency in MS Office (MS Word, Excel, Power Point),
• Excellent English Communication skills (verbal and written),
• Excellent report-writing skills,
• Strong facilitation and inter-personal skills,
• Strong business acumen.

Preferred Requirements: Qualification, Skills and Experience

• Below are the preferred requirements that would be advantageous to candidates, but are not essential:
• The international CRISC (Certified in Risk and Information Systems Control) certification,
• An accredited certification in Problem Management (e.g. Kepner Tregoe or related ITIL intermediate course),
• COBIT-5 certification in IT Governance,
• Experience in developing and maintaining IT Risk management policies, processes and procedures aligned to recognised industry leading practice,
• Good understanding of threats and vulnerabilities relating to: data management; the software development lifecycle (SDLC); project & program management; IT service continuity and disaster recovery; IT operations. Proficiency in business process review tools and techniques.
• Proficiency in capability assessment models and improvement techniques and strategies. Good understanding of information security concepts and principles.
• Experience working in the Higher Education sector would be advantageous.

Required Competencies:

• Diagnostic information gathering,
• Analytical thinking and problem-solving skills,
• Demonstrated ability to work unsupervised to meet deadlines and to deliver results,
• Excellent planning, co-ordination and time management skills,
• Effective teamwork and the ability to collaborate and build strong relationships with diverse stakeholder groups,
• Good business acumen and understanding of business requirements on ICT,
• Thoroughness and attention to quality and detail,
• Ability to influence, establish focus, and to lead and motivate teams to achieve common goals,
• Excellent customer & service orientation,
• Strong personal credibility.