Expert, Technology Risk Management

Job Purpose

'1. Develop and maintain technology risk management framework, policies, procedures, guidelines
'- Develop principles and methodologies for technology risk management, establishing technology risk limit, key risk indicators ... according to international practices, legal regulations, and internal governance requirements
- Standardize risk management activities including identifying, assessing, responding and monitoring technology and information security risks following industry best practice and international standards (NIST, ISO, COBIT ...)
- Develop technology & information security threat/ vulnerability/ scenario/ control catalogs
- Consult relevant units to develop BCP/DRP in bankwide level.
2. Develop technology risk management capabilities and improve bankwide technology & information security risk awareness and culture

Key Accountabilities (1)

Establish and maintain the technology risk management framework
- Provide subject matter advices and develop technology risk management framework, methodologies, regulations, policies, standards, procedures, guidelines.
- Enhance risk taxonomies, governance policies and operating models collaborating with ORM based on investigation findings to enhance robustness of existing risk mechanism
- Establish and allocate technology risk limits, key risk indicators (KORI) according to international practices, legal regulations, and internal governance requirements

Key Accountabilities (2)

Assess technology risks, consult to develop mitigation solutions and monitor:
- Review and approve technology risks in technology platforms, technology and business processes under the authority as prescribed
- Consult to develop solutions and methods to effectively mitigate and manage technology risk based on technology risk management framework, ensuring comprehensive risk management implementation
-Technical control assurance based on internal policies, government law and regulations, international security standards
- Independent investigate cybersecurity/ technology risk events or digital platform risks; analyzing root causes, proposing solutions/actions to mitigate and manage risks

Key Accountabilities (3)

Develop technology risk management capabilities, improve bankwide technology risk awareness and culture:
- Research on emering technologies appying in banking operations to provide subject matter advices in managing emerging risks
- Build & implement technology risk management capabilities (i.e. competencies standard, training, upskilling, coaching and communication) to enhance bank’s capability in managing technology risks in bankwide level
- Support other units to conduct training and communication to improve bank-wide technology risks awareness and culture

Success Profile - Qualification and Experiences

Experience
- At least 8 years of relevant work experience in IT field, including at least 3 years of IT risk management (1st or 2nd line of defence) experience
- Have experience in developing IT risk governance & management framework, risk management policies, procedures and guidelines.
- Have experience in IT infrastructure operation/ IT Architecture/ Cybersecurity operation/ DevSecOps/ Cloud Computing
- Have experience in IT Audit, IT compliance & assurance
- Have experience in developing IT risk management capabilities to enhance bank’s capability in managing technology risks

Expertise
- Extensive knowlegde IT & cybersecurity risk management framework (COBIT, ITIL, ISO, NIST ...), internal information security laws & regulations (Circular 09/2020-NHNN, Circular 50/2024-NHNN, Cybersecurity Law, Personal Data Protection Law ...), and international information security standards (SWIFT CSP, PCI DSS, CIS ...)
- Deep knowledge in at least 1 of the following areas: IT infrastructure operation/ IT Architecture/ Cybersecurity operation/ DevSecOps/ Cloud computing
- Good knowledge of emerging technologies such as GenAI, Blockchain, Quantium technology, etc.

Qualifications
- Having a university degree or higher on Information Technology, Information System, Computer Science, Electronics & Telecommunications, Information Security or equivalent...
- English: TOEIC 500 or equivalent
- Professional certifications in IT Risk, IT Security: CISA/CISSP/CRISC/CISM/COBIT/ITIL ...