Last updated 1 hours ago
Role Title: Global Resilience Risk Specialist Cyber Risk Senior Expert
New or Existing Role-New
- Global Operational and Resilience Risk (ORR) is a sub-function of Group Risk. Its purpose is to make sure HSBC understands, and is in control of its non-financial risk position. In addition, the function provides resilience risk stewardship to the Global Business and Functions and the entities we operate in. This is achieved through:
- Completing analytical assessments and opining on the control environment of the First Line of Defence (1LOD) within Businesses and regions
- Constructive challenge to the global businesses and functions on their control environment and assessment of risk
- Oversight of emerging risks, strategic business initiatives and local change activity and new/materially changed products
- Analysis of risk exposure across all bank operations and territories to inform capital management and stress testing requirements
- Completing thematic reviews and aggregated reporting of the Non-Financial Risk profile of the bank
- Responsibility for the implementation of a Risk Management Framework (RMF) that sets out governance, policies and practices to proactively identify, assess, measure and report on, mitigate and control operational risk exposures associated with HSBC’s businesses and operations at all levels of the organisation.
- The role holder will have global responsibility for:
- Deploying deep subject matter expertise on cyber security risk globally and deliver opinion papers on cyber risk including to the NFRMB and respective RCMMs.
- Actively contribute to the approach for Cyber risk ‘Oversight’
- Providing issues, event and incident oversight, including specialist oversight of technical controls
- Supporting ORR Business and Regional Managers with all cyber risk related queries explaining in non-technical terms the impact of issues or events, and top and emerging risks that may require changes (for example, to controls, resources or business operations) to remain within respective Risk Appetites
- Drive improved senior stakeholder insight and decision making by providing (technical) advice, guidance and challenge to senior businesses, functions and entity management, ensuring robust opinion is provided through global governance
- Providing guidance and support with policy writing, owning and monitoring compliance with a comprehensive set of clear and concise policies that outline the key principles and minimum requirements applicable to the management of cyber risk ; Engaging with risk owners, control owners and risk stewards to ensure cyber risks are managed in accordance to policy
- Promoting and developing cyber risk awareness and risk management culture in order to ensure that the material risks are both evident and effectively managed;
- Identifying any concerning trends and control evolution related to Cyber risk and challenging & advise the business and strategic change programmes to address these; drive thematic analysis and read across for Cyber risk globally
- Definethe risk and control library, including minimum control standards, with input from Risk Owners, Business Service and Control Owners, specifying key risks and key controls
- Recommending RCA scoping for cyber risk controls and challenge where this is not appropriately applied in the RCA
- Monitoring the external environment to get early sight of emerging risks and provide detailed guidance on the control evolution required to mitigate against them
- Ensuring concerns with key controls and in-scope material change programmes, relevant to cyber risk, are understood, being well managed and escalated as required
- Providing and aggregating technical guidance & analysis to developand complete of Enterprise Risk and Regulatory reporting obligations (e.g. RAS, Top & Emerging Risks, Risk Profile Reporting, RMM, Board reporting where relevant, etc.)
- Support training and capability uplift across ORR to ensure robust understanding of Cyber risk.
Impact on the Business
- Contributes to the design of and implementation of the Risk Strategy, Risk Appetite, Risk Taxonomy and Risk Control Library strategy and policy framework related to Cyber
- Overseeing, escalating and providing specialist actionable and contextual guidance on the identification of cyber risk and activities owned by the 1LOD, including where control weaknesses and risk events impact the delivery of good outcomes
- Monitors internal and external Cyber risk trends and ensures that mitigating strategies and policies are developed
- Ensuring critical issues, events and incidents both in key controls and material change programmes are timely managed for cyber risk, are understood by and escalated to appropriate governance forums for appropriate and timely resolution
- Educating stakeholders to understand the impact of emerging risks that require changes to controls, resources and business operations to ensure they remain within appetite
- Ensuring that cyber risk initiatives are not adversely affected as a result of poor planning, testing and approach during the delivery of significant change
Customers / Stakeholders
- Create and maintain influential relationships with senior stakeholders and control owners across HSBC Technology, including the Group Chief Information Security Risk Officer and their directs, and various GB/GF Chief Information Security Officers.
- Influence and provide direction to the 1LOD senior stakeholders and ORR Business & Functions teams to ensure they fulfil own roles and responsibilities and manage resilience risk according to the Group’s frameworks and within stated appetite
- Build and maintain relationships with external partners, regulators, industry bodies and others to keep up to date with developments
- Manage relationships with wider ORR team
Leadership & Teamwork
- Challenge and influence to ensure specialist advice and guidance is understood and followed; Partners with HOST and other 1LoD statekholders to ensure a strong risk management culture and behaviours is effective and embedded
- Work in conjunction with ORR Business & Functions team and the wider specialist teams
- Support diversity and reflect the HSBC brand and organisational value
- Leads and role model aligning with the Bank’s strategy, behaviours and values
Operational Effectiveness & Control
- Partner with ORR Business & Functions team and 1LOD to identify, measure, mitigate, monitor and report resilience risks related to their area of specialism
- ORR services as detailed in the Service Catalogue are embedded consistently globally
- Audit issues, actions and regulatory findings on cyber risk are closed in a timely manner, supported with detailed and realistic Management Actions Plans
- Keeps abreast of industry and regulatory developments in non-financial risk management and continually assess the impact these might have on the firm
- Operating with influence and gravitas across all Lines of Defences, Global Businesses and Legal Entities within HSBC, in relation to the management and oversight of non-financial risk
- Providing effective leadership to influence and embed culture change across all businesses and functions
- Maintaining a commercial understanding without compromising standards of internal control and organisational risk appetite in a growing and successful business
- Adapting quickly to changing situations and influence strategies with practical, effective commercial solutions through a comprehensive assessment if the non-financial risks are perceived to exceed appetite
- Maintaining independence of thought and lateral thinking to assist in optimising the level of business control and maximising efficiency
- Board level scrutiny around cyber risk and the associated risk profile
- The role holder will maintain close working relationships with the wider ORR team, locally, globally and globally.
- The role holder will have close working relationships with senior stakeholders across the C-suite population of HOST globally
- The jobholder is required to contribute to maintain a strong relationship with regulators and industry bodies in respect of Cyber risks.
- HSBC serves the needs of retail, corporate and institutional clients delivering innovative and integrated financial solutions. The Risk function discharges oversight on the management and monitoring of financial and non-financial risk by the businesses and their support functions.
- The importance of non-financial risk and control has increased in recent years and is now the most influential subject for senior management, boards, and regulators. An organisation’s ability for effective identification, measurement and mitigation of non-financial risk will have a significant impact on the achievement of strategic objectives.
- The role has influence over a wide group of stakeholders and employees across the organisation.
- You will be required to
- Work closely with all components of the ORR Team.
- Manage multiple senior stakeholder relationships, spread across HOST and wider 1LoD globally
- Enhance risk understanding and control across HSBC’s related to Cyber risk globally
- Work closely with C-suite population on reporting of progress against appetite and the adequacy of Policy and the control environment.
- Enhance control understanding across HSBC’s Products and Services globally
- The responsibility for non-financial risk spans globally. You may also be responsible for local entity management for other team members
- Continually assess the adequacy of HSBC’s policy and the control environment relative to risk, taking account of changing economic or market conditions, legal and regulatory requirements, operating procedures and practices, organisation change, the impact of new products, services, cyber and / or threats. Accountable to support the creation and maintenance of relevant core policy and guidance, and overseeing the alignment of 1LoD development of procedures and standards
- Consistently display positive leadership behaviour for the management of risk, including notification and escalation of any concerns and ensuring timely action in relation to points raised by audit and external regulators.
- Continually support HSBC's approach to conduct, which is designed to ensure we deliver fair outcomes for our customers and do not disrupt the orderly and transparent operation of financial markets.
- Maintain awareness of operational risk and minimise the likelihood of it occurring, including its identification, assessment, mitigation and control, loss identification and reporting in accordance with the HSBC Operational Risk Management Framework.
Observation of Internal Controls
- You will adhere to and be able to demonstrate adherence to HSBC internal control standards. This is achieved by adherence to all relevant procedures, keeping appropriate records and, where appropriate, by the timely implementation of internal and external audit points, including issues raised by external regulators.