Head of Technology Risk Management  

Why We Exist

The most awarded digital bank in the Philippines.

We entered the Philippines market to spark the future-ready, customer-obsessed transformation in the Banking sector. Since our launch, we have rallied behind the vision of bringing an accessible and seamless banking experience to the consumers while helping them achieve financial freedom. We aim to be the most trusted digital bank for every Filipino.

The People & Culture

We call ourselves CIMB Mavericks – unique individuals who are thriving in a fast-paced and highly competitive environment. Everyone who joins CIMB Bank is not afraid to own big responsibilities and are very persistent in creating new ways to achieve our goals. Aside from looking after our own successes, we embody malasakit and ensure that we also take care of our colleagues’ feat. Every day we are fueled by our shared purpose. To top it off, we thrive in a modern work environment which allows us to be fun to the core.

Overview of the Role

The Head of Technology Risk Manager sits on the 2nd Line of Defense who will fulfill the requirements of BSP MORB Section 148 and all regulatory requirements related to IT/Tech Risk Management. The successful candidate will protect CIMB's IT assets and information by implementing the Group Technology Risk Framework and aligning the Bangko Sentral ng Pilipinas Manual of Regulation for Banks (BSP MORB) requirements on Information Technology Risk Management, Electronic Payments, Electronic Banking Services, and Digital Banking with the needs of the business and operations of CIMB Bank Philippines in coordination with the 1st Line of Defense.

The Head of Technology Risk Manager is based in Taguig City, Philippines, and shall report under the Chief Risk Officer, based in the Philippines.

Key Accountabilities

1. Provide timely and regular reports and advice to the CRO on IT Risk Management agenda.
2. Implement the Group Technology Risk Management framework and the IT Risk Management Procedure for CIMB Bank Philippines, and align with Bangko Sentral ng Pilipinas Manual of Regulation for Banks (BSP MORB).
3. Recommend local policies and procedures that are aligned with GTRM Policy and the BSP MORB on Operational Risk Management, IT Risk Management, Electronic Payments, Electronic Banking Services, and Digital Banking.
4. Assess and monitor the active performance of the 1st Line of Defense of a system of IT general and application controls to manage the confidentiality and integrity of information and the continued availability and reliability of IT infrastructure during normal and stress conditions.
5. Assess and monitor the operationalization of IT controls within the 1st Line of Defense and provide guidance on the identification and rectification of control weaknesses.
6. Lead the business continuity planning and testing and coordinate BCP activities with the IT department and the concerned operational units.
7. Conduct an independent risk assessment of all IT domains for determining the acceptable level of stability, availability, performance, recoverability, and resilience from cybercrimes and fraud.
8. Perform reviews and regular risk assessments of third parties partners, vendors, and outsourced service providers for Risk Department’s endorsement for on-boarding, and endorsement of annual performance, and to identify control issues related to information security, data privacy, and cyber resilience.
9. Conduct pre-implementation and post-implementation reviews of major IT projects in coordination with the 1st line of defense IT to ensure that controls are in place and operating effectively, service-levels are met, and business continuity issues are avoided or addressed beforehand by the 1st line of defense.
10. Coordinate with the Information Security Officer on the vulnerability assessment and penetration tests and monitor the resolutions of the recommended actions.
11. Research on the latest threats and vulnerabilities and, where appropriate, advice the Head of Information Technology, through the CRO, on the mitigation and remediation of IT related risks.
12. Participate on the investigation of any technology and information security violations by providing post-mortem analysis to illuminate the issues and recommend possible solutions to the CRO.

About You

1. Bachelor’s Degree in Information Technology, Computer Engineering, Computer Science, Business and Accountancy, or other relevant courses from a reputable school or university
2. Post-graduate degree in Business is an advantage2. Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified Ethical Hacker (CEH), Offensive Security Certified Professional (OSCP) or Certified Information Systems Security Professional (CISSP), A52ITIL, ISO27001 and COBIT Certification is an advantage
3. Agile collaborator, high performing, and highly effective oral and written communication4. With good moral character, and ability to inspire colleagues

Experience:

1. At least 8 years of experience in Information Technology Risk Management preferably in a bank or financial institution
2. With strong understanding of bank’s processes, systems, and regulatory environment
3. Able to implement an integrated technology and information security risk framework and align with the BSP MORB regulations on ITRM, Electronic Payments, Electronic Banking Services, and Digital Banking.
4. With strong understanding of relevant laws on consumer protection, cyber crime prevention and data privacy.

Required Competencies and Skills:

1. Detail oriented person with desire to help business and organization in meeting regulatory expectation and improving the organization’s information security practices.
2. Ability to manage relationships with internal and external stakeholders and positively influence employees across the three lines of defense.
3. Working knowledge on security standards for IT infrastructure such as network, operating system, databases and other IT appliances
4. Technical proficiency on analysing security threats and vulnerabilities, including the execution of VAPT.
5. Leadership qualities and influencing skills
6. Integrity, independence, robustness and resilience
7. Sharp business acumen, including the ability to assess risk
8. Excellent inter-personal skill and analytical skill
9. Able to deliver even under extreme pressure