Job Purpose:
This post is reporting to the Head of IT Risk Control. The DCO assists in discharging ITD responsibilities, promoting clear accountability for internal control. The DCO has the accountability and should consider factors like scale, complexity and resources. A risk-based approach could be considered where appropriate, as long as the overall control environment is maintained.
The DCO acts as a gatekeeper for ITD's control activities in aligning with risk and compliance frameworks. This encompasses internal controls, operational risk, fraud risk, and legal compliance. The DCO collaborates with Head of IT Risk Control and obtains necessary information to understand ITD processes, fostering a holistic control environment view.
The DCO needs to cooperate with the second-line risk and control units (i.e. AFD, GCD and ORD) to ensure the alignment with the risk appetite statement, risk limits and internal control guidelines. The DCO has to ensure proper implementation of internal controls and risk management processes. Breach, changes in risk exposures, and occurrence of major incidents are promptly reported to management, the Operational Risk and Internal Control Committee.
Main Responsibilities:
- Assist Head of IT Risk Control in maintaining/exercising oversight functions on key controls and enhancement initiatives, to ensure proper governance and control are in place and in line with the control strategy and objectives set out by the ITD;
- Play an active role in identifying compliance and internal control issues within the ITD;
- Conduct and Review control self-assessment on governance, control management and compliance to identify, assess, monitor and mitigate risks, and ensure associated controls within the Division are in place and sufficiently robust;
- Closely work with business and operation units in conducting periodic assurance checks or quality assurance reviews on control activities over ITD;
- To conduct end-to-end process review for control enhancements and perform oversight of the implementation of remedial actions;
- Act as a gatekeeper role to exercise oversight on new business initiatives, products, activities, processes and system (e.g. new product approval activities and major processes revision arising) and the implementation of mitigation measures in accordance with risk management and compliance framework;
- Cooperation with second-line risk and control units (i.e. AFD, GCD and ORD) to implement compliance and control enhancements;
- Ensure ITD controls align with the Technology Risk Appetite Statement and internal control requirements.
- Implement adequate control measures, and ensure key control measures are carried out and complied with relevant policies and regulatory requirements, and mitigate emerging risks;
- Conduct control monitoring duties and escalate incidents to ITD management/ compliance units and senior management in a timely manner, and monitor the issue resolution to ensure timely actions are taken;
- Implement and maintain control tools to analyze and mitigate the risk and control issues within ITD;
- Report any events and observations over internal controls and compliance issue within ITD to risk and control units, and provide updates to the Operational Risk & Internal Control Committee in regard to the control environment within the ITD; and
- Promote positive control culture and awareness within ITD.
Incumbent Requirements:
- At least 10 years of relevant experience in banking IT field; with over 8 years in control implementation of information technology area and 4 years or above in managerial role.
- University graduate in Computer Science / Information Technology or equivalent.
- One or more certificates listed below:
- ISC2 Certified Information Security Professional (CISSP)
- ISACA Certified Information System Auditor (CISA)
- ISACA Certified Information Security Manager (CISM)
- ISC2 Certified Cloud Security Professional (CCSP)
- Solid experience in regulators requirement on technology risk management including the Supervisory Policy Manual of HKMA, Personal Data Privacy Ordinance, PCI Data Security Standard, SFC guidelines and Customer Security Controls Framework of SWIFT
- Strong communication skill, both in Chinese and English.
- Able to drive changes and strong execution ability.
- Mature and able to work independently under pressure