About Standard Chartered
We are a leading international bank focused on helping people and companies prosper across Asia, Africa and the Middle East. To us, good performance is about much more than turning a profit. It's about showing how you embody our valued behaviours - do the right thing, better together and never settle - as well as our brand promise, Here for good. We're committed to promoting equality in the workplace and creating an inclusive and flexible culture - one where everyone can realise their full potential and make a positive contribution to our organisation. This in turn helps us to provide better support to our broad client base.

Job Purpose:
- Ensure that effective and efficient controls to minimise / mitigate operational impact are implemented by process owners; challenge and validate controls and assure control measurement and efficacy.
- Ensure appropriate management of risk and timely resolution of issues.
- Develop Operational Risk (OR) skills in line with the Group’s Enterprise Risk Management Framework (ERMF) and Methodology.
- Ensure that the ERMF and Methodology are cascaded to the 1st line in the relevant domain as required.
- Promote understanding, practice and culture of Operational Risk within the Function.
- Advise and assist the Function Head in driving and directing effective compliance with the prescribed Framework, Policies and Procedures.

Key Responsibilities:
Strategy
- Support the CIO in the overall effective and proactive management of technology risks and controls in accordance with the Bank’s operational risk framework as well as local Technology regulatory requirements or guidelines.
- Engage key stakeholders - Group Technology, CEOs, Business Heads, Business CIOs/COOs and GBS - to develop and implement an end-to-end Technology risk management strategy.
- Provide technology risk management thought leadership and influence the country/region’s technology risk strategy through effective technology risk management.
Audit
- Be 'ever audit ready'. Leverage Group Subject Matter Experts where necessary.
- Represent the Function as the Single Point of Contact (SPOC) on internal and external audits and as Subject Matter Expert (SME) on audit working practices.
- Ensure that the affected function (and units within it) are sufficiently prepared for upcoming audits.
- Review the adequacy of management responses to audit findings. Review progress and timely closure of audit findings.
- Share thematic risk and audit findings, and best practices, across functions and units.
- Ensure adequate support is available for Regulatory inspections and internal/external IT audits.
- Facilitate discussions with auditors to ensure that audit observations are reflected factually and that action plans effectively address the issue and its root cause.
- IT Audit Issue and Regulatory Inspection Findings Tracking & Closure: track the aging of findings and follow up periodically to ensure that all findings are remediated by the committed timelines and that the actual root causes are being addressed. Validate issue closure.
- Review and perform audit ripples.
Risk Reviews
- Scope and plan thematic risk / control reviews aligned with the function’s key objectives, Group Internal Audit themes and key risk areas (may include suppliers where appropriate).
- Provide guidance to Risk Controllers on the execution of risk / control reviews.
- Track material actions and risks arising from the reviews.
- Provide support and guidance on control design to the Risk Controller and Process Owner.
- Review and provide consensus on proposed additions of or changes to controls.
- Implement the Enterprise Risk Management Framework (ERMF) for Technology.
- Review and recommend changes and / or new KCSA/CST with Country OR.
Risk Management
- Ensure the Outsourcing policy and procedures are adhered to for all India Technology outsourcing arrangements.
- Participate in Service Review Meetings of outsourcing service providers and ensure that risk issues are evaluated / followed up / resolved.
- Raise awareness of operational and technology risks among India Technology team members.
- Act quickly and decisively when any risk or control weakness becomes apparent, and ensure it is addressed within an appropriate timeframe and escalated through the relevant committees.
- SPOC for the function on any Risk, Control or Audit initiatives.
Process Risk Analysis (PRA)
- Ensure a good understanding of the IT processes and key controls.
- Perform proactive process reviews and self-identification of risks in country and GBS.
- Review and endorse outcomes of PRA and track material actions and risks that arise from it.
- Control Design: assess ‘potential failure events’ and arrive at key controls, key control indicators, key risk indicators and control sample test parameters, and determine residual risk.
- Provide support and guidance on control design to the Risk Controller and Process Owner.
- Scope and plan risk / control reviews of significant new Projects/Processes.
Risk Committee Meetings
- Ensure that all risk committee meetings within the function operate within the approved Terms of Reference (ToR), including membership, agenda, frequency, etc.
- Facilitation of, and pack preparation for, the risk committee meetings.
- Provide challenge to ensure robust Risk Management practice.
- Provide governance support to the Risk Controller at the unit risk meetings.
- Submission of risk and control related details to Risk governing committees within schedule and at the required quality.
- Adherence to the Risk Assessment & Risk Acceptance policy.
- Effective management of all Technology risks, including reporting high or very high rated risks, based on Group materiality thresholds, to the relevant Risk Committees.
- Escalate material technology risks to Group Technology for TNFRC attention as appropriate.
Root Cause Analysis (RCA)
- Assist the department heads to complete the Root Cause Analysis (RCA) report as per the Operational Risk Events Procedure.
Management Information
- Facilitate the Technology Risk Review Discussions.
- Ensure that the Committee/Forum decks are prepared with quality write-ups and contain complete, accurate and appropriate risk/root cause assessments of incidents and risks.
- Represent Country Technology in various Technology Risk Forums.
- Ensure that management (and any other stakeholder as required) is kept aware of the risk, control and audit profile of the function through periodic reporting.
- Ensure that all management information is produced in line with the defined schedule and quality and supports management decisions and actions.
- Ensure the integrity of source data and of its processing so that management information is an accurate representation. Oversight of completeness and integrity of data.
- Ensure the Group Outsourcing Inventory is maintained with Technology arrangements.
Regulatory Compliance
- Ensure Regulatory interactions are timely and appropriate.
- Ensure Regulatory audit data submissions are facilitated.
- Ensure Regulatory returns are submitted on time and accurately.
- Ensure Regulatory circulars are tracked and addressed in a timely manner.
- Ensure a good understanding of RBI Technology Risk Management and technology related requirements.
- Perform periodic assessments to ensure the Bank has the necessary controls to adhere to the regulatory requirements.
Validation of Controls: Key Control Self Assessments (KCSA) or Control Sample Testing (CST) / Key Risk Indicators (KRI) / Key Control Indicators (KCI)
- Ensure that all Key Control Self-Assessments / Control Standard Testing are relevant and are assessed effectively and on time.
- Ensure any KCSA/CST exceptions are addressed and tracked to closure.
- Review trend analysis of exceptions and identify systemic failures. Identify material exceptions and escalate them.
- Residual Risk Assessment for Control Indicator measurement.
- Ensure risk metrics are actively reviewed.
- Review and perform assessments of Group risk acceptance papers.
Issue Management (Records in OR System like EORP)
- Ensure IT related risk/loss incidents are logged and managed in accordance with Group OR procedures.
Conduct
- Display exemplary conduct and live by the Group’s Values and Code of Conduct.
- Take personal responsibility for embedding the highest standards of ethics, including regulatory and business conduct, across Standard Chartered Bank. This includes understanding and ensuring compliance with, in letter and spirit, all applicable laws, regulations, guidelines and the Group Code of Conduct.
- Effectively and collaboratively identify, escalate, mitigate and resolve risk, conduct and compliance matters.
- Embed Here for good and the Group’s brand and values in the ASIA T&I team.
- Perform other responsibilities assigned under Group, Country, Business or Functional policies and procedures.
- Responsible for building a culture of good conduct.
Internal:
- ASIA and India CIO
- India CTM Team
- India COO
- Business CIOs
- First & Second line Information & Cybersecurity (ICS)
- Second line Operational Risk Teams
- Group Internal Audit
- Risk Teams/Committees
- Executive Risk Committee (ERC)
- Legal and Compliance (Regulators)
- Group Technology
- Group Technology Risk and Control
External:
- Local Regulators and other Government Departments/Officials
- Clients
- Industry Partners, Banking Associations, etc.
- Relevant Exchange and Cyber Security Forum
- Relevant Banking Associations
Key Relationships:
- Function Heads and Process Owners within and outside of the function, in the management of controls.
- Peer Risk Managers / Controllers in other functions, in managing cross-functional risks and sharing best practices.
- 2nd line (Operational Risk and Risk & Control) for advice, guidance and steering with regard to Group initiatives.
- Group Operational Risk (GOR) for interpretation and effective implementation of its Policy and Procedures.
- Business Operational Risk functions in-country, GBSs, CIC/CB/TB Operations and Retail Operations on relevant Operational Risk and Controls.
- Legal & Compliance for interpretation of, and consultations on, regulatory requirements.
- Process Governance team for process and control metrics.
- Group Internal Audit and External Auditors on audits and reviews.
Key Measurables:
- Effectiveness of the controls and monitoring of operational risks and controls at the Functional level.
- Satisfactory results on audits undertaken by Group Internal Audit, Regulators and External Auditors.
- Timely reporting and escalation of all operational risk exposures and control failures.
- Timely communication of changes to Policies, the control environment and the regulatory environment from Legal, Compliance and GOR.
- Monitoring of, and adherence to, timelines on Risk & Control or Group initiatives.
- Cross-team collaboration and leadership skills: proactive engagement with stakeholders.
- Succession planning for Risk Manager and Risk Controller roles.
- Ensure regulatory interactions are timely and appropriate.
- Ensure regulatory audit data submissions are facilitated.
- Ensure Regulatory returns are submitted on time and accurately.
Experience and Skills:
- In-depth understanding of the banking business, technology, or risks and controls.
- Good level of understanding of Banking operations / Technology, RBI Technology Risk Management, Outsourcing, and Operational risks & controls.
- Results driven with strategic qualities.
- High degree of independence, responsibility and integrity.
- Ability to work within a multi-function, multi-discipline team environment, with strong influencing and stakeholder management skills.
- Excellent communication capability - good command of written English.
- Knowledge of approaches, tools and techniques for recognising, anticipating and resolving operational or process problems.
- Ability and confidence to operate across a wide range of seniority levels, functional divisions, locations and businesses.
- A proactive posture and a commitment to continuous improvement.
- Good presentation skills.
- Demonstrable analytical thinking.
- A team player who enjoys working with people at all levels, as well as being able to work independently and under pressure to meet tight deadlines.
- An in-depth understanding of the controls required to manage Technology Risk and, preferably, experience with the tools the industry uses to do so.
- An understanding of the technology Project Lifecycle and the associated controls required through project delivery to manage and mitigate risk.
The following skills are not prerequisites, but will be advantageous:
- Practical experience in engaging / managing a technology audit engagement, or being a member of a technology audit team.
- Experience in implementing ITIL or COBIT.
- Organizational Change Management experience: plan for and overcome the issues encountered with change, and deliver sustainable change.
- Project management experience / background, ideally with distributed teams.
- Experience in any other risk management discipline (Credit, Market, etc.).
- Experience working in the financial institution industry.
Qualifications:
- Tertiary qualifications in Technology, Business Administration or Commerce.
- ITIL Foundation certified.
- Certification in CRISC (Certified in Risk and Information Systems Control), Certification in CISA (Certified Information Systems Auditor) or any other related qualification would be beneficial.
- Any COBIT related certification would be beneficial.