Vice President, Technology Business Advisory

Job Purpose:

• Supports the Director of Technology and Cyber Security Management in managing IT and Cyber Risks that may impact the organization's profitability, operational resilience, and reputation.
• The role is responsible for identifying, assessing, and evaluating technology-related threats, and recommending appropriate measures to mitigate, avoid, reduce, or transfer those risks.
• Key responsibilities include supporting IT security advisory efforts, facilitating internal assessments and audit engagements, and aligning with recognized risk and control frameworks. The role also serves as the single point of contact for technology risk matters across CIMB offices in the respective country, ensuring consistent risk oversight and alignment with group-level risk management practices.

Key Responsibilities:

• Ensure the Board of Directors and Senior Management have clear and adequate oversight of the organization's cyber risk posture, supporting the protection of employees, customers, reputation, assets, and stakeholder interests (including shareholders and regulators).
• Drive consistency and compliance in IT Risk Management policies, methodologies, and processes across the organization.
• Oversee the effective and timely execution of IT project risk assessments to ensure technology initiatives are aligned with risk tolerance and regulatory expectations.
• Manage the implementation and management of Operational Risk and Control Self-Assessment (RCSA), Loss Event (LED), Risk Hotspot, Idiosyncratic storyboard telling, Risk Posture Scorecard within the CISO function to strengthen internal control awareness and accountability.
• Provide independent risk assessments for system developments, tool/platform onboarding, and production readiness to identify and address potential cyber and technology risks.
• Conduct comprehensive cyber risk assessments aligned with regulatory and internal standards.
• Communicate effectively, both verbally and in writing, with technical and non-technical stakeholders, and deliver high-quality documentation and presentations.

Job Specification:

• The scope of this role encompasses information, security, and technology risk management, covering areas such as enterprise risk, regulatory and operational risk, corporate governance, and acting as a supporting function for business continuity.This will be achieved through the following responsibilities:

1. Assess and evaluate information technology risks across business operations, and implement appropriate action plans, policy enhancements, and procedural changes for risk avoidance and mitigation.
2. Support business owners in identifying, assessing, documenting, managing, and monitoring IT risks, controls, and mitigation actions, in alignment with the company's risk management framework.
3. Ensure periodic review of risk limitations and control strategies to accurately reflect the evolving IT risk profile, leveraging appropriate strategies aligned with the organization's risk appetite.
4. Evaluate alignment between the IT risk posture and the company's mission and business objectives, ensuring obligations to stakeholders are met through sound risk oversight.

• Drive full compliance with all applicable regulatory requirements relating to technology and cyber risk management.
• Review and assess the organization's IT risk framework, guidelines, programs, and processes to ensure relevance, effectiveness, and alignment with regulatory expectations and industry standards.
• Design the development and execution of the Technology Risk Framework and Cyber Risk Framework, including supporting policies, guidelines, and standards applicable across CIMB and its operating entities.
• Conduct periodic reviews of the IT risk profile, supported by self-assessments of risks and controls to ensure risk exposures are identified, managed, and reported in a timely and consistent manner.
• Oversee the risk profile of the CISO Office, ensuring periodic reviews of risk tolerance and control strategies are conducted and aligned with the overall risk appetite.
• Co-develop risk papers and assessments for Management attention or decision-making.
• Customize risk checklists for vendor/platform assessments, including outsourcing service providers (OSPs).
• Conduct cyber risk assessments on OSPs and third-party vendors managing company data.
• Identify gaps and propose mitigation plans; guide vendors on regulatory and internal security policy requirements.
• Ensure internal cyber risk assessments are conducted for CIMB on an annual basis.
• Translate technical security or risk-related terms into clear business language for non-technical stakeholders.