Operational & Technology Risk Manager - Risk Management Division

The Bank of East Asia (BEA)
HK
On-site

Job Description

Position Summary

The job holder is responsible for the 2nd line of defense in Operational and Technology risk related matters under the 3 lines of defense model, establishing the risk management framework, policy and bank-wide risk control mechanism for identifying and managing risks in accordance with the Enterprise Risk Management (“ERM”), HKMA Operational Risk Management (“ORM”), Technology Risk Management (“TRM”), Operational Resilience (“OR”) and Cybersecurity Resilience Assessment (“C-RAF”) frameworks. This governance applies to Head Office, BEA China, Branches in Macau, Taiwan and Overseas and significant subsidiaries.

Responsibilities

  • ERM and C-RAF Functions – Perform the 2nd Line of Defense functions to support the Head of OTMD in discharging his duties as the Risk Controller of operational & technology risk for the Bank Group under the ERM and C-RAF
  • Operational Resilience Oversight – Provide 2nd Line of Defense oversight to ensure the Bank’s OR framework remains compliant and integrated into BAU processes post-implementation. Monitor performance against established impact tolerances, conduct independent validation of disruption scenarios, and drive continuous improvement in resilience capabilities within BAU operations
  • Risk Assessment and Monitoring – Implement / Perform / Review / Comment on the below assessments related to the operational & technology risk of the Bank Group
  • Risk Remediation & Challenge – Challenge the 1st Line of Defense’s risk mitigation plans and track the remediation of identified technology risk gaps, audit findings, and regulatory inspection issues to ensure timely closure
  • Risk Reporting – Support Governance & Business Management section in compiling management reports on the monitoring results of operational risk for the Bank Group for submission to the GCRO, the Operational Risk Management Committee, the Risk Management Committee, the Risk Committee and the Board, as appropriate
  • Risk Monitoring – Review and monitor the management of operational & technology risk, which includes reviewing risk assessments, risk indicators, incident reporting and escalation, issue management, and conducting thematic reviews, periodic reviews and regular reviews. Review regular reports submitted by regional office and oversee any exception or deviation from the standards or requirements set by the Group
  • Change Oversight – Review the new products / growth initiatives from operational & technology risk perspective and assess if all material risks or issues have been identified and addressed prior to the launch. Keep track of Cyber risk intelligence from regulatory initiated platforms and industry alliances
  • Communication and Liaison – Assist the Head of OTMD in corresponding with the regulators and other parties in relation to the operational and technology risk management related issues of the Bank Group, including incident reporting, notification of material outsourcing, examinations, risk and maturity assessments, adoption of intelligence sharing platform, professional development and ad-hoc enquiries
  • Operational Risk Management System (ORS) – Oversee, review and monitor the ORS and maintenance of the relevant guidelines. Evaluate the improvement initiatives for the automation of operational risk data collection in fulfilling the requirements of BASEL 239 and regulators
  • Independent Risk Challenge – Provide independent challenge to 1st Line of Defense functions on their operational risk profiles, ensuring adherence to the Bank’s established risk appetite and tolerance levels
  • Risk Culture Advocacy – Drive a risk-aware culture across the Bank through the promotion of the ERM, ORM, OR, TRM, Cybersecurity and C-RAF frameworks

Requirements

  • University graduate, preferably majoring in Risk Management, Computer Science or equivalent and possessing the relevant professional qualification in operational and technology risk such as ECF on operational risk management, or cybersecurity
  • Ideally 10-15 years’ work experience in Banking and Finance, with at least 8 years solid experience in operational or technology risk management, internal control function, information security, compliance or IT audit, preferably in the Financial Service industry
  • Sound knowledge of Basel and regulatory requirements related to operational and information security in the banking sector such as HKMA Supervisory Policy Manual modules (OR-1, OR-2, IC-1, TM-C-1, TM-E-1, TM-G-1, TM-G-2 and SA-2), MAS, PCI-DSS, SWIFT-CSCF etc.
  • Good understanding of banking operational guidelines, and risk management control tools (KRIs, KCIs, RCSA, control assurance)
  • Thorough knowledge of risk management practices in IT infrastructure (data center and cloud computing), System Applications (SDLC, Agile, RPA and DevSecOps) and Service Management (ITSM, ITAM, ITGC, third party vendor risk)
  • Knowledge of emerging technologies, such as blockchain, stablecoin, tokenized assets and/or AI model risk is an advantage
  • Strong communication ski

Skills & Requirements

Technical Skills

ERM, C-RAF, Operational resilience, Risk assessment, Risk remediation, Risk reporting, Risk monitoring, Change oversight, Communication, Operational risk management system, Independent risk challenge, Leadership, Teamwork, Problem-solving, Analytical skills, Banking, Risk management, Technology, Cybersecurity

Employment Type

FULL TIME

Level

mid

Posted

4/9/2026
