The Head of Technology Security Risk role is to help the organization build the super app of Myanmar. The candidate will report to the Chief Information Security Officer (CISO) and be matrix-managed by the Chief Risk Officer (CRO) at Wave Money. As the Head of Technology Security Risk, your mission is simple: take full responsibility and accountability for the development, implementation, and management of a complete end-to-end Technology and Security Risk Management Program, including project risk management, to industry standards and best practices.
Key Result Areas
The Head of Technology Security Risk function is a centralized risk management function for Technology and Security within DMM. The key result areas include:
- assisting the Technology and Security organizations to identify, assess, monitor, manage, and mitigate their risks, and to promote a solid risk culture. Security here covers all security domains, including but not limited to information, technology and cyber security.
- assisting the Chief Risk Officer (CRO) and Management to develop and maintain DMM's enterprise risk management system, including promptly informing the Chief Risk Officer (CRO) and Management of any circumstance within Technology and Security that may have an adverse effect on the risk management system of DMM. Management here means the Leadership Team (LT) and Extended Leadership Team (ELT).
- assisting the Chief Information Security Officer (CISO), Chief Risk Officer (CRO), Chief Technology Officer (CTO), and Business Security Officer (BSO) on any risk activity requested, both on a regular basis and ad hoc as required.
- working closely with Technology, Security, Risk, Audit, Compliance, and Assurance organizations and functions within DMM.
Key Responsibilities and Accountabilities
Risk Strategy, Policies and Implementation
- Develop, implement and maintain risk strategies and risk policies for Technology and Security, and ensure alignment between Technology and Security standards and those of DMM.
- Develop a framework in collaboration with DMM Risk for Technology, Security, and Cyber risk management.
- Embed policies and train all required staff accordingly.
- Co-ordinate and manage the policy attestation and assurance requirements for risk policies within the portfolio and report the results to Management.
- Establish, monitor and improve the risk governance structure and reporting requirements for Technology and Security and at various levels within DMM.
- Ensure that all organizations within Technology and Security have an established risk appetite, risk tolerances and key risk indicators for relevant risk classes as well as principal risks.
- Demonstrate the value added by risk activities to Technology and Security needs and objectives.
- Monitor for maximum usage of the risk management framework and system throughout Technology and Security as well as by the relevant stakeholders.
- Develop and implement risk responses to ensure that risk factors and events are addressed in compliance with applicable laws, regulations, policies and standards.
- Develop, implement and maintain standardized templates for Technology and Security risk activities across the three lines of defense.
- Develop, implement and maintain risk toolkits as well as process flows for Technology and Security risk activities across the Technology and Security organizations, which include inter alia the strategic risk process, RCSA, PCSA, deep dives, project risks, emerging risks, incident management, escalation and reporting, KRI monitoring, and mitigation development and monitoring.
- Develop, implement and maintain risk criteria, keeping these current with changes in the Discovery risk environment. These include inter alia risk matrices; impact, likelihood and controls criteria; risk aggregation and weighting; and risk incident, escalation and reporting criteria.
- Oversee the uniformity of Technology and Security risk processes across the Group and correct deviations from them.
- Recommend a protocol of Technology and Security risk management oversight.
- Recommend the risk culture positioning and drive initiatives towards an ideal risk culture.
- Provide support to the DMM CRO and first line officers in terms of their roles relating to the Technology and Security risk portfolio.
- Implement a Technology and Security wide training and awareness program relating to the Technology and Security risk portfolio.
- Implement and maintain a risk management system that caters for the full requirements of Technology and Security.
- Implement and maintain a full knowledge database to give effect to risk intelligence, and ensure that risk reporting at various levels is automated and generates value-added information for decision making.
- Implement the combined assurance strategy and framework for the group on par with best practice relating to the Technology and Security risk portfolio.
- Provide a basis for identifying any areas of potential assurance gaps and duplication of resources within the combined assurance framework.
- Develop and implement the tools and templates required for Management and assurance reporting.
- Identify all assurance providers and recipients of assurance relating to the Technology and Security risk portfolio.
- Develop and obtain approval for the annual combined assurance plans, assess adequacy, recommend corrective solutions for gaps and duplications within the plan.
- Monitor and report on progress against the combined assurance plan as well as the framework.
- Conduct bi-annual assessments for the audit and/or risk committee on the results of combined assurance.
- Develop a structure to give effect to combined assurance and maintain relationships with the key assurance providers.
Enterprise Risk Management (ERM) Framework & Maturity
- Implement a continuous improvement program such that DMM is assessed at best practice maturity for risk management.
- Conduct best practice research, recommend and implement solutions to improve the effectiveness of risk management practices across the group relating to the Technology and Security risk portfolio.
- Play a trusted advisor role to Management with regard to leading Technology and Security risk practices and consulting activities.
- Perform any activities as required in respect of Discovery's participation in industry forums and as required by the Chief Risk Officer (CRO).
- Develop the Risk Management Framework, working with the organization to provide a consistent, pragmatic and effective approach to risk capture and assessment.
- Contribute to keeping the team abreast of changes in the environment, best practice and risks affecting the organizations in Technology and Security.
- Conduct an annual self-assessment of the ERM program relating to the Technology and Security risk portfolio.
Strategic and Operational Planning
- Co-ordinate the preparation of the annual and 3-year rolling risk management plans, and the training and development plans, for timely approval by the Risk and Management Committee (RMC), ensuring alignment with combined assurance and strategic objectives.
- Prepare presentations to discuss the plans across all business units in Technology and Security as well as for the Chief Risk Officer (CRO).
- Track progress against the plan per organization and for Technology and Security as a whole.
Experience, Functional Skills and Knowledge Areas
- Minimum Bachelor of Commerce Degree in Finance or Risk.
- Relevant certifications that support business or risk related knowledge/experience, such as FINRA, PMP, CRISC, CFE, CISSP, CIA, CISA or CISM, are highly desired.
- 10+ years' experience in technology and security risk management, IT audit, and cyber, with a professional services background in the financial services industry.
- Experience in fintech, mobile payments, and/or digital wallet would be advantageous.
- Working knowledge of IT and information security and risk management best practices, and familiarity in implementing enterprise-wide programs in a highly regulated business environment.
- Extensive experience in compliance and operational risk management (including audit, legal, credit risk, market risk, or the management of a process or business with accountability for compliance or operational risk).
- Extensive experience in technology systems security, business process management or the financial services industry.
- Demonstrated experience in facilitating and managing technology, security, and cyber risk assessments across technology and security environments, projects, and third parties.
- Strong understanding, experience, and application of information security risk, governance, and control frameworks such as ISO 27001/2, NIST, COBIT, FFIEC, ITIL, COSO, and CSA CCM.
- Strong understanding, experience, and application of risk standards such as ISO 31000, FAIR, etc.
- Strong understanding, experience, and application in technology, security, cyber, and operational risk management.
- Demonstrated ability in leadership and strategy and able to work independently and in multi-disciplinary teams, managing priorities to meet competing deadlines.
- Advanced knowledge of Enterprise Risk Management (ERM) processes; program development, integration, and management; and risk policies and procedures.
- Working knowledge of a technology and security risk system is required.
- Relevant legislative knowledge.
- Strong business acumen, with the ability to set technology and security KPIs and evaluate whether a particular risk management activity met expected business outcomes.
- Proven analytical problem-solving skills with excellent interpersonal, verbal and written communication skills.
- Fluency in English (verbal and written) is required.
- Fluency in Burmese (verbal and written) would be advantageous.