Head of IT Risk Officer for APAC-ME

Vacancy details

General information

Entity

About Crédit Agricole Corporate and Investment Bank (Crédit Agricole CIB)

Crédit Agricole CIB is the corporate and investment bank of the Crédit Agricole group, the 10th largest banking group in the world *.

We support major companies and financial institutions in their development and the financing of their projects.

As pioneers in responsible finance, social and environmental commitments are at the heart of our activities.

Joining our teams means working in a multicultural environment, both dynamic and stimulating, where you will contribute to developing a sustainable economy.

We support employees throughout their journey: you will develop your skills and access various mobility opportunities among the diversity of our businesses in more than 30 international locations.

Our culture is built on collaboration, innovation and openness, where everyone is valued and empowered.

By working every day in the interest of society, Crédit Agricole CIB aligns with the Group values committed to diversity and inclusion and placing people at the heart of all its transformations.

All our jobs are open to people with disabilities. We welcome applications from candidates of all backgrounds and experiences.

Ready to take part in our mission?

*By balance sheet size - The Banker, July 2025

Reference

2026-112282  

Update date

06/05/2026

Job description

Business type

Types of Jobs - Risk Management / Control

Complementary business types

Types of Jobs - IT, Digital and Data

Job title

Head of IT Risk Officer for APAC-ME

Contract type

Permanent Contract

Management position

Yes

Job summary

Summary

The Information Technology Risk Office (ITRO), within Risk Management and Control (RMC), is responsible for the end-to-end execution, coordination, challenge, and continuous enhancement of ICT risk management in alignment with Group standards and applicable regulatory requirements.

The Head of IT Risk Officer for APAC-ME will report directly to the Regional Head of the Risk Management and Control department and functionally to the Head of IT Risk Officer at Head Office. The role holder will work closely with the Head Office counterpart and follow the same standards and processes.

Key Responsibilities

1. ICT Risk Strategy & Governance

· Contribute to Group and Regional ICT risk management by monitoring and reporting ICT risk levels across local and regional information systems and processes

· Prepare ICT risk reporting for management and governance bodies. Provide a local vision for ICT risk deliverables, reflecting regional IT environments and operational realities.

· Support alignment of ICT risks with business strategy and risk appetite

2. ICT Risk Identification, Assessment & Monitoring

· Perform and coordinate:

    o Annual ICT risk assessments

    o IT Risk Self‑Assessments (IT Radar)

· Ensure full coverage of all nine ICT risk domains

· Monitor emerging ICT risks related to technology evolution, operational changes, suppliers, or incidents

· Identify early indications of material risks or potential risk appetite breaches

3. Regulatory Watch, Interpretation & Gap Identification

· Perform regulatory watch on ICT‑related regulations and supervisory expectations (e.g. MAS TRM, HKMA)

· Analyse regulatory requirements and identify gaps against existing ICT risk practices

· Propose remediation actions and coordinate follow‑up with stakeholders

· Translate regulatory expectations into operational and technical ICT risk considerations for management

4. ICT Risk Controls & Internal Control System (LoD 2.1)

· Identify and maintain local owners for each ICT risk type

· Establish, maintain, and execute Level 2.1 ICT risk controls

· Ensure appropriate Level 1 controls are designed and performed locally

· Challenge control design and implementation choices prior to execution

5. Risk Metrics, Dashboards & Transparency

· Ensure accurate regional ICT risk data feeding into the Risk Operational Dashboard (ORD)

· Define and instantiate regional KPIs and KRIs where relevant

· Produce ICT risk dashboards and management risk summaries

· Highlight trends, deteriorations, interdependencies, and forward-looking ICT risk concerns

6. ICT Risk Management Tooling

· Ensure deployment, usage, and maintenance of IT Risk Management tooling

· Raise regional specificities during tooling design or evolution phases

Supplementary Information

7. Incidents, Lessons Learned & Audit Follow-Up

· Analyze historical ICT and cybersecurity incidents

· Identify recurring root causes, systemic weaknesses, and improvement opportunities

· Integrate lessons learned into risk assessments and control enhancements

· Follow up critical ICT-related audit recommendations and track remediation

8. Advisory, Stakeholder Challenge & Risk Culture

· Provide constructive challenge to IT, project, infrastructure, and supplier stakeholders

· Advise CIO, IT management, and business stakeholders on ICT risk implications

· Promote ICT risk awareness and contribute to strengthening risk culture

9. Governance Reporting & Escalation

· Highlight significant ICT risks, dependencies, and remediation challenges

· Provide independent risk opinions, RCSA assurance, and formal ORM escalations

Position location

Geographical area

Asia, Singapore

City

Singapore

Candidate criteria

Minimal education level

Bachelor Degree / BSc Degree or equivalent

Academic qualification / Speciality

o Bachelor's or Master's degree in Computer Science, Information Technology or equivalent.

o Professional certification such as CISA, CISSP, CISM (preferred).

Level of minimal experience

11 years and more

Experience

o 10+ years of experience in operational resilience, business continuity, or risk management within the financial sector.

o Proven leadership experience.

o Deep understanding of regulatory requirements in the APAC-ME region, with experience managing regulatory interactions.

Required skills

Soft Skills & Leadership

o Strong executive presence with the ability to engage and influence C-suite leaders and board members.

o Proven ability to lead cross-functional teams and drive enterprise-wide resilience initiatives.

o Excellent verbal and written communication skills, with experience presenting to regulators, auditors, and senior stakeholders.

o Ability to thrive in a high-pressure environment, managing crises and business disruptions with a structured and strategic approach.

o Expected to work with stakeholders in different time zones (Asia, NY, London, Paris).

Incident Management: Ability to coordinate, analyze, prioritize, and manage incidents effectively.

Strategic Thinking: Ability to align resilience initiatives with business objectives.

CIB Banking experience: Able to understand the CIB business processes.

Communication and Documentation: Strong ability to ensure thorough documentation and clear communications on security operations activities.

Leadership: Experience in coordinating the Crisis team with Senior Managers.

Technical skills required

o Expertise in IT risk management and cyber frameworks.

o Strong knowledge of CIB activities in order to be able to talk with the Business Lines and understand their constraints.

o Familiarity with cloud resilience, third-party risk management, and systemic risk considerations in the financial sector.

Technical Knowledge: Strong knowledge of information security technologies such as cybersecurity.

Resistance to stress: Ability to keep calm and to manage a crisis.