Head, Technology Risk Oversight

2 days ago

Malaysia CIMB Group Full time 120,000 - 240,000 per year
Description

Job Purpose

  • This leadership role is responsible for overseeing the end-to-end technology and cybersecurity risk landscape, providing strategic guidance and assurance across the organization. 
  • The scope includes risk governance over technology obsolescence, control exceptions, security control effectiveness, and third-party oversight, while ensuring alignment with the enterprise risk appetite. 
  • The role also plays a pivotal part in executive risk storytelling, surfacing emerging risk hotspots, and guiding senior stakeholders toward informed risk decisions.

Key Responsibilities

  • Ensure the Board of Directors and Senior Management have clear and adequate oversight of the organization's cyber risk posture, supporting the protection of employees, customers, reputation, assets, and stakeholder interests (including shareholders and regulators).
  • Drive consistency and compliance in IT Risk Management policies, methodologies, and processes across the organization.
  • Oversee the effective and timely execution of IT project risk assessments to ensure technology initiatives are aligned with risk tolerance and regulatory expectations.
  • Lead the implementation and management of Operational Risk and Control Self-Assessment (RCSA) within the CISO function to strengthen internal control awareness and accountability.
  • Provide independent risk assessments for system developments, tool/platform onboarding, and production readiness to identify and address potential cyber and technology risks.
  • Conduct comprehensive cyber risk assessments aligned with regulatory and internal standards.
  • Communicate effectively, both verbally and in writing, with technical and non-technical stakeholders, and deliver high-quality documentation and presentations.

Job Specification

  • Lead the technology and cybersecurity risk management program, covering infrastructure, applications, data, and third-party environments.
  • Govern and challenge management on IT obsolescence risks, tracking lifecycle, technical debt, and exception processes.
  • Oversee the exemption governance framework, including evaluation, approval workflow, residual risk justification, and sunset management.
  • Provide leadership on security control assessments, validating coverage, effectiveness, and remediation of high-impact gaps.
  • The scope of this role encompasses information security and technology risk management, covering enterprise risk, regulatory and operational risk, and corporate governance, and acting as a supporting function for business continuity.
  • This will be achieved through the following responsibilities:
  1. Assess and evaluate information technology risks across business operations, and implement appropriate action plans, policy enhancements, and procedural changes for risk avoidance and mitigation.
  2. Support business owners in identifying, assessing, documenting, managing, and monitoring IT risks, controls, and mitigation actions, in alignment with the company's risk management framework.
  3. Ensure periodic review of risk limits and control strategies so that they accurately reflect the evolving IT risk profile, using strategies aligned with the organization's risk appetite.
  4. Evaluate alignment between the IT risk posture and the company's mission and business objectives, ensuring obligations to stakeholders are met through sound risk oversight.
  • Drive full compliance with all applicable regulatory requirements relating to technology and cyber risk management.
  • Review and assess the organization's IT risk framework, guidelines, programs, and processes to ensure relevance, effectiveness, and alignment with regulatory expectations and industry standards.
  • Lead the development and execution of the Technology Risk Framework and Cyber Risk Framework, including supporting policies, guidelines, and standards applicable across CIMB and its operating entities.
  • Conduct periodic reviews of the IT risk profile, supported by self-assessments of risks and controls to ensure risk exposures are identified, managed, and reported in a timely and consistent manner.
  • Oversee the risk profile of the CISO Office, ensuring periodic reviews of risk limits and control strategies are conducted and aligned with the overall risk appetite.
  • Collaborate with stakeholders to assess system readiness and identify risk areas that may impact product launches.
  • Co-develop risk papers and assessments for Management attention or decision-making.
  • Customize risk checklists for vendor/platform assessments, including outsourcing service providers (OSPs).
  • Conduct cyber risk assessments on OSPs and third-party vendors managing company data.
  • Identify gaps and propose mitigation plans; guide vendors on regulatory and internal security policy requirements.
  • Ensure internal cyber risk assessments are conducted for CIMB on an annual basis.
  • Translate technical security or risk-related terms into clear business language for non-technical stakeholders.