The Chief Technology Risk Officer reports directly to the Chief Risk Officer. The position supports Cenlar's second-line risk management functions, particularly as they relate to Information Technology and to Information Security and Cyber Security practices. Specifically, this position ensures appropriate governance over information risk and the technology resources supporting Cenlar's businesses within a regulatory-compliant and risk-managed framework. The Chief Technology Risk Officer establishes and maintains the Technology Risk framework and methodology, which will be aligned with Cenlar's enterprise-wide risk management philosophy. This position documents and maintains the Technology and Security Risk governance methodology, Technology and Security risk management policies and standards, and associated procedures. Additionally, this role manages and oversees related risk assessments, testing, and reporting process. The Chief Technology Risk Officer develops the requisite for security controls and measures and leads Cenlar's Security Program with the Chief Information Security Officer (CISO).
Responsibilities:
General
Supports the assessment of Technology and Security maturity and risk and support the efforts to establish strategic and tactical plans and the development of 1-3-5 year roadmaps
Designs new technology and security controls and control processes for use across the organization as needed; facilitates the deployment and adoption of new controls or control processes
Monitors the comprehensiveness and appropriateness of key Technology and Security risk and control related data and escalate concerns with data owners as appropriate
Reviews results of the RCSA process as they related to technology controls and ensure action plans to remediate identified issues are appropriate
Maintains regular contact with business units to ensure awareness of current initiatives and business requirements
Leads ongoing mandatory Security Awareness training to educate employees about technology and security best practices
Ensures management awareness and governance around technology risks and controls, including regular reporting
Escalates technology or security concerns or exceptions to CRO as appropriate
Identifies specific technology and security needs and discuss and resolve in partnership with CRO and Technology leadership
Interfaces with Technology leadership on a regular basis to provide guidance on Technology Risk related issues
Supports annual budget planning for Technology and Security Risk programs and initiatives. Audit and Regulatory Management
Supports Internal Audit activity which includes responding to audit requests, providing status updates to management, responding to audit findings, and monitoring the progress of audit issues and remedial actions
Assists in Regulatory exam requests as they pertain to Technology and Security which includes interacting directly with examiners, responding to regulatory requests, providing status updates to management, responding to regulatory examination findings, and monitoring the progress of regulatory examination issues and actions.
Policies, Standards, and Procedures
Monitors Technology's compliance with enterprise-wide policies and standards, which includes reviewing relevant metrics and compliance reports
Develops Technology-specific policies, standards, and associated procedures as needed. Additionally, coordinate the implementation and adoption of new or updated Technology policies, standards, and associated procedures as needed
Facilitates the identification and remediation of any gaps identified during regular monitoring and/or risk assessments
Reviews and recommends approval to exceptions of any applicable Technology and Security policies, standards or procedures
Risk Management
Implements and maintains the Technology risk management framework, which aligns with Cenlar's enterprise-wide risk management framework
Develops and implements second line Technology and Security testing protocols
Develops, performs, and report Technology system risk assessment and gap analysis and design remediation plans as necessary
Participates in and provide oversight to the Business Continuity Planning ("BCP") process and annual testing of the BCP
Participates in the vendor risk assessment process, focusing on providing challenge for the initial due diligence and ongoing monitoring of technology and security risks
Reports overall Technology and Security risk position to the Management Risk Committee and Board Risk Committee as appropriate
Appropriately assess risk when business decisions are made, include but not limited to compliance and operational risk. Demonstrate consideration for Cenlar's reputation as well as our clients, by driving compliance with applicable laws, rules and regulations, adhering to Policy, applying sound ethical judgment regarding personal behavior, conduct and business practices, and escalating, managing and reporting control issues, as well as effectively supervise the activity of others and create accountability with those who fail to maintain these standards
Ensure all activities are in accordance with Cenlar's approved risk appetite statement and applicable compliance and regulatory requirements.
Qualifications:
Bachelor's Degree or equivalent experience
Master's Degree preferred
Minimum of 15 years of Technology Risk Management and/or Technology Audit related activities in the financial industry. CISSP accreditation preferred
Thorough understanding of regulatory standards for Cyber and Information Security and FFIEC Technology Examiners Handbook related requirements
Ability to provide constructive challenge and appropriate issue escalation
Excellent technical, analytical, and communication skills. Must be effective with individual contributors, teams and executive leadership