Business Unit Portfolio, Budget and Performance Office
Contract Type Fixed Term
Contract Length 2 years
Posting End Date 24/07/2018
This is a 2 year Fixed Term contract, based in London HQ.
The Principal, IT Risk Management is responsible for establishing and maintaining the Information Technology risk management approach and framework, ensuring adequate mitigation plans are in place and progressed.
The Information Technology department is subject to internal audits throughout the year as well as an annual external audit. These processes require significant co-ordination, direction and management once any actions are identified. This can impact or involve any area within the IT department and require a good working knowledge of IT practices. This role acts as the point of contact for these as well as ensuring any identified actions are appropriate, realistic time frames for resolutions are agreed and that they are delivered as agreed.
The role works extensively with stakeholders both internally (all levels of the Bank) and externally where required (e.g. external auditors).
The focus of the role is to maintain and enhance the ability of the IT Department to control and mitigate its operational and project-related risks and relevant internal controls, as well as to oversee the implementation of external and internal audit recommendations.
The role is responsible for co-ordinating relevant risk assessments, enforcing associated mitigation and identifying additional provisions or processes where required to satisfy newly identified risks.
The risks include operational risks, which will need to be worked through with the relevant management team owner, as well as project-related risks.
The role will provide insight and guidance to managers on the relevant processes and provide assurance to managers that adequate actions and standards are in place, as well as necessary challenge on solutions and progress.
The role will act as a trusted advisor for Management within Information Technology on all aspects of risk and audit work, ensuring the level of effort required within these areas is prioritised, appropriate and adding value.
Accountabilities & Responsibilities
The Principal will work within the Portfolio, Budget and Performance team with a focus on improving and streamlining the IT department's internal controls and ensuring their correct execution and annual testing. The role will also oversee the management of the implementation of external and internal audit recommendations, working closely with managers who are involved in the internal control processes or with the implementation of agreed recommendations from external or internal audit reviews.
Design, develop and enhance IT risk tools and methodologies such as risk assessment process, incident reporting, key risk indicators, control capture and remediation.
Maintain and enhance the IT Risk Register and co-ordinate updates into the Operational Risk Register, cross-referencing the IT departmental risk register with the Bank's central risk register, OneSumX. The role will also assign the correct level of risk to audit items and challenge the levels assigned where necessary.
Develop reporting templates to provide IT management with risk exposure, residual risk and action plans to mitigate such risks in a cost-effective manner.
Design and provide frameworks for project associated risks, ensuring Project Managers are working to consistent standards in their assessment, reporting and appropriate action.
Review the controls on an annual basis, highlighting any enhancements or changes required to the Operational Risk Department and MD IT to ensure that the appropriate controls are valid and fit for purpose, and be accountable for ensuring that appropriate operational procedures are documented and maintained.
Administration of the IT ICF templates, currently 15 containing 82 key controls.
Regularly communicate with IT control owners and testers to ensure compliance with operational ICF process.
Annually identify, review and update process flows for key processes on a risk-based approach, identifying or confirming key risks and controls, reviewing design effectiveness and ensuring the key risks and controls are mapped to control templates and tests.
Conduct walkthroughs of the key processes on a risk-based approach to confirm the operation of key controls with the relevant issue owner within IT.
In conjunction with the test team and auditors, ensure testing is designed to meet the control objective and conduct a detailed review of testing produced by the business before the auditors' review. Track and review failures in IT controls testing, agree the approach to remediate with control owners and report on significant deficiencies according to defined policy.
Act as the point of contact with internal and external auditors, agreeing activities and challenging identified actions where appropriate.
Liaise with IT Managers to ensure that the appropriate operational procedures are created and reviewed on a regular basis.
Liaise with the external auditors (EA) on behalf of IT to ensure the approach is understood, to answer queries on controls testing and approach, and to clear and address EA review points with testers and the EA.
Manage the outstanding internal and external audit points, ensuring that ownership is identified and that deadlines for completion are met.
Support the MD IT in the management of risk around IT related initiatives as required.
Enhance the liaison with internal and external auditors and the implementation of audit recommendations, using good judgement to ensure standards are upheld within a reasonable framework. Co-ordinate and hold action owners to account in implementing audit recommendations.
Knowledge, Skills, Experience & Qualifications
The Principal, IT Risk Management is a subject matter expert in IT risk management, with a solid understanding of risk frameworks and best practice within an IT environment.
Bachelor's degree, or relevant experience, displaying knowledge and understanding of computer information systems, general controls, information technology infrastructure and information security.
Strong understanding and working knowledge of information security standards and laws (e.g. ISO 27001/27002, NIST, FFIEC, etc.) and associated qualifications (e.g. ISO 27001/2 Lead Auditor, Implementer), and commonly used concepts, practices and procedures within the information security and privacy field.
Extensive knowledge of industry good practice across various sectors including the financial, commercial and ideally public sectors.
Ability to read, understand and analyse highly complex regulatory and control information and develop or modify policies or programs to ensure organizational compliance.
Excellent oral and written communication skills to effectively interact with executive management, internal and external clients.
Strong project management skills.
Diversity is one of the Bank's core values which are at the heart of everything it does. A diverse workforce with the right knowledge and skills enables connection with our clients, brings pioneering ideas, energy and innovation. The EBRD staff is characterised by its rich diversity of nationalities, cultures and opinions and we aim to sustain and build on this strength. As such, the EBRD seeks to ensure that everyone is treated with respect and given equal opportunities and works in an inclusive environment. The EBRD encourages all qualified candidates who are nationals of the EBRD member countries to apply regardless of their racial, ethnic, religious and cultural background, gender, sexual orientation or disabilities.