Experience Director
Title: OTCR T&O COUNTRY COVERAGE
Chennai, IN
Job Summary
• The Operational, Technology and Cyber Risk (OTCR) department within the Risk function is the second line of defence (2LoD) and provides independent challenge, guidance, and oversight of first line of defence (1LoD) risk management.
• OTCR is led by the Global Head, Operational, Technology and Cyber Risk, who has delegated authority from the Group Chief Risk Officer. OTCR comprises OTCR Business / Function Coverage Leads and OTCR SMEs who support the Global Head, OTCR.
• OTCR sets the methodology for managing Information and Cyber Security (ICS) and Technology Risks across the Group. Risk Management authorities for ICS and Technology Risks are executed in line with the Bank’s risk management activities, i.e., Risk Acceptance and Treatment Plan Escalation, Approval and Closure Authorities.
• This OTCR T&O Country Coverage Lead spans two roles: OTCR ICS & Tech Risk SME and Technology and Operations (T&O) Coverage. It is a permanent role, requiring strong business acumen and deep knowledge and experience in the ICS and Technology risk field.
For the OTCR T&O Coverage role, the person will be responsible for:
• Review, challenge and (where relevant) approval on core ICS and Technology Risk matters that are not aligned to a specific business or function.
• ICS and Technology Risk management and stakeholder engagement / escalation.
• Approvals / veto on risk decisions within ICS and Technology Risk.
• End-to-end oversight of risk performance for ICS controls and core Technology.
• Interfacing with 1LoD (i.e. Principal Point of Contact) for ICS and core Technology.
For the OTCR ICS and Tech Risk SME role, the person will help, guide, and support informed decision making and risk management with specialist knowledge and expertise. The role will be delivered through consultation, stakeholder engagement and SME insights. It does not involve approval responsibilities.
The successful candidate will have a strong understanding of operating in a second line capacity in ICS and Technology risk. They should be able to respond flexibly and collaboratively to evolving business, regulatory and threat requirements.
• The role reports directly to the Head, OTCR, International, Policy & Regulatory Management.
• The role will provide oversight and challenge of ICS and Technology risk management as a risk partner to country leadership as defined in the Bank’s ICS and Operational & Technology Risk Type Frameworks and under delegation from the Group OTCR.
• The primary purpose of this position is to ensure that the management of ICS and Technology Risk is operating effectively and efficiently and to provide assurance that the risks are appropriately managed.
• In addition, given the rapidly evolving ICS and Technology regulatory environment, the successful candidate will have a strong acumen for working with regulators and understanding relevant policies with an ability to articulate new requirements to be included in the ICS and Technology risk management process.
• Work closely with the rest of OTCR to address ICS and Technology Risk and support its integration into the Bank's overall Enterprise Risk Management.
The role will be expected to focus on the following key risk activities:
Regulatory Engagement
• Regulatory obligations to be implemented at a local/country level may emanate from both Extraterritorial Regulations (ETRs) and local regulatory authorities. The Country RFO is the Country Operational, Technology and Cyber Risk Head (Country OTCR Head).
• ICS and Tech Risk SME role is responsible for presenting and providing opinions on ICS and Technology risk to regulators.
• T&O Coverage is consulted on risk opinions for ICS & Tech risk, to be shared with the regulator.
Managing Regulatory Change
• ICS and Tech Risk SME role is responsible / accountable for:
• Horizon scanning for regulatory change events from key non-financial regulatory authorities.
• Assess regulatory information, preliminarily assign and disseminate to appropriate stakeholders to perform gap analysis and implementation.
• Interpret proposed regulation to determine obligations and materiality.
• Map to applicable Risk Owners, geographies, businesses, and functions.
• Assess proposed regulatory obligations against Policy.
• Draft materiality and impact assessment.
• Interpret final regulation to determine obligations.
• Monitor progress of implementation of entire regulation and oversight / monitoring of regulatory compliance.
• Oversight of Legal, Regulatory & Mandatory (LRM) submissions to ensure timely submission to the regulator.
• Proactive consultation and engagement prior to definition of regulations.
• Ensuring required variations to Group Policy/Standard requirements are appropriately documented in a Local Addendum or dispensation, in consultation with 1LoD as appropriate, in a timely manner.
T&O Coverage role is:
• Consulted on:
• Assessment of regulatory information, assignment, and dissemination to appropriate stakeholders.
• Interpretation of proposed regulation to determine obligations and materiality.
• Mapping to applicable Risk Owners, geographies, businesses, and functions.
• Assessment of proposed regulatory obligations against Standards.
• Draft materiality and impact assessment.
• Interpretation of final regulation to determine obligations.
• Responsible for assessment of proposed regulatory obligations against policy and review and challenge of 1LoD implementation of controls. In addition, ensuring required variations to Group Policy/Standard requirements are appropriately documented in a Local Addendum or dispensation, in consultation with 1LoD as appropriate, in a timely manner.
Policy Management, Framework & Policy Governance
• ICS and Tech Risk SME role is responsible / accountable for:
• Input into policy development process.
• Consolidate change pipeline and conduct socialization (e.g. need for change).
• Roll out and develop and execute communications, training, and if required, implementation plan on material Risk Type Framework and Policy changes.
• Produce Local Addenda (CA) and upload it onto GovPoint.
• The T&O Coverage role is responsible for approval of local version of policies and consulted on implementation of Local Addendum to Group Policy, only if there are additional requirements to the Group Policy.
• The ICS & Tech SME role is responsible/ accountable for corporate plan assessment, summary, and challenge for Risk Type (i.e. ICS).
Risk Appetite
• ICS & Tech SME and T&O Coverage roles may be consulted on escalation of breaches.
Risk & Control Self Assessments
• T&O Coverage role is responsible / accountable for:
• Completeness, accuracy and timeliness of risk identification and assessments
• Accuracy of inherent risk assessments in countries
• Completeness and accuracy of control design and operation
• Accuracy of residual risk assessments in countries
• Ongoing monitoring of risk and control performance
• Approval of outputs from RCSA exercise
• Escalation of elevated residual risk/material variance from Group
• ICS and Tech Risk SME role is responsible / accountable for creation of thematic and aggregate view of risks and issues from RCSA output (where required).
Risks & Events
• T&O Coverage role is responsible / accountable for:
• Completeness, timeliness and accuracy of risk or event identification / recording
• Root cause and control failure analysis (inc. completeness of risk registers)
• Effectiveness and timeliness of remediation and response for risk or events
• Escalation / reporting to management, board, and regulators (where relevant)
• Action / risk capture (i.e. pertaining to event occurred)
• Risk Acceptance of Elevated Risks
• Oversight of information in M7 (i.e. 2LoD input)
• ICS and Tech Risk SME role is responsible / accountable for creation of thematic and aggregate (where required) view of risk or events
Treatment Plans:
• T&O Coverage role is responsible / accountable for:
• Completeness, accuracy, and timeliness of remediation / actions.
• Ensuring relevant changes are made to risk / control profile.
• Ongoing monitoring of treatment plan / action / risk closure or downgrade.
• ICS and Tech Risk SME role is responsible / accountable for creation of thematic and aggregate (where required) view of risks and issues across ICS.
Thematic and Emerging Risk Reporting:
• ICS and Tech Risk SME role is responsible / accountable for:
• Creation of thematic risk profile report for ICS and Tech Risk, if required.
• Special reports and briefings on priority topics, domains, or emerging risks, if required.
• T&O Coverage role may be consulted / informed on the above.
Change Governance (2LoD Oversight):
• T&O Coverage role is responsible for review / challenge / oversight sign-off / approval of relevant change documentation (e.g., where material).
• ICS & Tech SME role may be consulted on input to prioritization decisions (e.g., risk challenge) and discussion and assessment on the change with local stakeholders and, to some extent, regulatory engagement for significant changes.
Risk Committee
• T&O Coverage role is responsible / accountable for:
• Provide update, review and challenge of risk matters to relevant Risk Committees.
• Provision / input into approval decisions at relevant committees.
• Preparation of material in business risk forums (i.e. papers / updates).
• ICS and Tech Risk SME role may be consulted in the preparation of material in relevant risk forums (i.e. papers / updates).
Key Responsibilities
Strategy
• Awareness and understanding of the Group’s and Function’s business strategy and model appropriate to the role.
Business
• Awareness and understanding of the wider business, economic and market environment in which the Group operates.
Processes
• Responsible for executing risk management responsibilities of the second line as defined within the Technology Risk and ICS Function.
People & Talent
• Lead through example and operate with the appropriate culture and values.
• Uphold and reinforce the independence of the second line ICS and Technology Risk function.
• Responsible for individual training and familiarisation of knowledge relevant to the role and subject matter areas of work that is assigned.
• Working in collaboration with stakeholders, whilst upholding and reinforcing the independence of the second line.
• Establishing constructive relationships with Key Stakeholders (as defined below).
Risk Management
• Deliver the defined aspects of the OTCR role to support the Group's ICS and Technology risk management approach and objectives.
• Ensure that the role is executed in accordance with the defined OTCR Governance Risk Type Framework and associated Policy and Standards; and that issues are identified, escalated, and addressed as appropriate.
• Understanding the role’s responsibilities with respect to the relevant risk policies/standards, risk framework owner role, and second line operational risk role.
Governance
• Establish strong ties into the relevant country leadership, governance, risk and control committees to ensure adequate monitoring, tracking and governance of ICS and Technology risk.
• Drive integration of ICS and Operational & Technology Risk Framework and support implementation for the ongoing governance of country risk.
Regulatory & Business Conduct
• Display exemplary conduct and live by the Group’s Values and Code of Conduct.
• Take personal responsibility for embedding the highest standards of ethics, including regulatory and business conduct, across Standard Chartered Bank. This includes understanding and ensuring compliance with, in letter and spirit, all applicable laws, regulations, guidelines and the Group Code of Conduct.
• Effectively and collaboratively identify, escalate, mitigate, and resolve risk, conduct and compliance matters.
Key stakeholders
• Country and Cluster CRO
• Country and Cluster OTCR Heads
• Country and Cluster CIO
• Country, Cluster and Group COO
• Country Compliance Officer
• Country and Cluster CEO
• Banking Regulators
• Group OTCR Leadership Team
• Country, Cluster and Group CISO
• Global Head, Security Technology Services
• Group Internal Audit
• Head of ICS Assurance and Testing
• OTCR Policy Owners
Other Responsibilities
• Embed Here for good and the Group’s brand and values.
• Perform other responsibilities assigned under Group, Country, Business or Functional, Frameworks, policies, standards and procedures.
Skills and Experience
• Technical Foundations
• ICS and Technology Risk Assessment & Management
• Security frameworks & standards
• Risk Management Methodologies
• Threat Intelligence and Analysis
• Continuous Learning of Emerging Technologies
• Communication & Reporting
Qualifications
Education
• Degree in Cyber Security or Technology or equivalent
Training
• Proven experience in an information security office, senior governance and policy, ICS/ Technology Risk or Operational Risk or Audit role
• Thorough understanding of IT security business process risks, threats, and internal controls relevant for managing and mitigating risks.
• Strong knowledge of cyber security and technology frameworks, information security principles, architecture.
• Technical knowledge across a broad range of ICS and technology risk capabilities including Cyber Defence, Security Monitoring, Analytics, DLP, Access Management, Cloud, etc.
• Strong leadership, negotiation and collaboration skills, and ability to work effectively in a complex multicultural and multi-time zone organization.
• Strong interpersonal and stakeholder management skills with experience across various levels in the organization including senior leadership teams, in influencing key decisions taken in the business and in support teams.
• Ability to collect and analyse data, establish facts, and make recommendations based on sound risk management principles.
• A passion for keeping technical knowledge and skills up to date and horizon scanning new and emerging thematic risks from new technology or techniques.
• Ability to articulate inherent and residual risk with specific ability to communicate complex ICS, technology and process risk clearly, concisely, and accurately to non-technical stakeholders in a lucid way.
• Must be a self-starter who is able to initiate and successfully drive initiatives to completion with little or no management supervision.
Certifications
• Professional certifications related to ICS and Technology risk are desirable (e.g., CCSP, CRISC, CISA, CISSP, CISM, GIAC, etc.).
Languages
• Excellent English communication skills – oral and written.
About Standard Chartered
We're an international bank, nimble enough to act, big enough for impact. For more than 170 years, we've worked to make a positive difference for our clients, communities, and each other. We question the status quo, love a challenge and enjoy finding new opportunities to grow and do better than before. If you're looking for a career with purpose and you want to work for a bank making a difference, we want to hear from you. You can count on us to celebrate your unique talents and we can't wait to see the talents you can bring us.
Our purpose, to drive commerce and prosperity through our unique diversity, together with our brand promise, to be here for good are achieved by how we each live our valued behaviours. When you work with us, you'll see how we value difference and advocate inclusion.
Together we:
- Do the right thing and are assertive, challenge one another, and live with integrity, while putting the client at the heart of what we do
- Never settle, continuously striving to improve and innovate, keeping things simple and learning from doing well, and not so well
- Are better together, we can be ourselves, be inclusive, see more good in others, and work collectively to build for the long term
What we offer
In line with our Fair Pay Charter, we offer a competitive salary and benefits to support your mental, physical, financial and social wellbeing.
- Core bank funding for retirement savings, medical and life insurance, with flexible and voluntary benefits available in some locations.
- Time-off including annual leave, parental/maternity (20 weeks), sabbatical (12 months maximum) and volunteering leave (3 days), along with minimum global standards for annual and public holiday, which is combined to 30 days minimum.
- Flexible working options based around home and office locations, with flexible working patterns.
- Proactive wellbeing support through Unmind, a market-leading digital wellbeing platform, development courses for resilience and other human skills, global Employee Assistance Programme, sick leave, mental health first-aiders and all sorts of self-help toolkits
- A continuous learning culture to support your growth, with opportunities to reskill and upskill and access to physical, virtual and digital learning.
- Being part of an inclusive and values driven organisation, one that embraces and celebrates our unique diversity, across our teams, business functions and geographies - everyone feels respected and can realise their full potential.