Technology Risk Consultant

Title: Technology Risk Consultant

Location: On site (London) 3-5 days a week

Length: 6 months

Rate: £600-£800 per day (via umbrella)

Position Purpose:

Support Technology COO team in ensuring a positive and responsible approach to risk management across technology in an environment of increasing regulatory and audit attention

• Support the group's approach to managing risk, aligning with group risk, audit, regulators and other stakeholders
• Work with divisional teams to ensure timely planning for adequate resources and priority to meet demand for risk data and process
• Ensure divisional leaders are managing top risks responsibly and build transparency around remediation plans into the change portfolio
• Provide support to the regulatory office in delivering required data and constructive challenge to regulators
• Provide quality assurance support Group Risk, regulatory, and audit responses

Contract Deliverables

• Good quality issues, actions, risk acceptances, waivers / exceptions that can be uploaded into the MetricStream GRC tool
• Robust Risk Acceptance process where the output can be uploaded into the relevant GRC system
• Defined L3 risks and standardised controls that can be used across technology that meets operational resilience requirements
• Support divisional CIO's and their risk teams to move the risk culture of 1st line to be stronger, proactive and with increased capacity to provide timely and quality input to 2nd and 3rd line, getting on the front foot with implementing controls
• Maintain IT control library that can be applied across all Technology divisions
• Support and monitor remediation of key risks from 1LoD, 2LoD and audit observations
• Execute assurance activities to ensure appropriate and periodic risk management activities are completed to a level of rigour that supports responsible risk taking by Technology
• Prepare reports for various risk committees

Key Responsibilities

• Perform quality assurance over the issues, actions, risk acceptances and waivers/exceptions raised by each Technology division and address the gaps together with the 1st line Technology Risk & Control divisions
• Provide requirements input into MetricStream GRC system implementation to be able to be used by 1st line
• Standardise risks, IT controls and document test steps and evidence requirements for system development lifecycle (SDLC), infrastructure and programme/project management and map to COBIT2019 that can be applicable for all Technology divisions that meets operational resilience requirements
• Lead the process to follow up and challenge risk acceptances before expiry
• BCP Review - follow up each Technology Division to obtain information to analyse resiliency
• Follow up progress of risk remediation and maintain database that reconciles issues and actions with the technology divisions
• QA documentation to support action closure
• Draft committee papers
• Deliver training as required
• Other ad hoc activities as required

Background Skills

• Previous IT Audit, 2nd line Technology Risk or 1st line technology risk assurance (i.e. risk, controls and testing) expertise in financial services for SDLC, infrastructure, ITSM - IT asset management, incident and problem management, disaster recovery, agile, programme/project management, IT third party risk management
• Review / challenge risk & control assessments and control testing performed by the Divisional risk representatives and provide training as required
• Perform validation testing on actions
• Ability to write and distinguish between risks, controls, process, issues and actions
• Help to facilitate updates/refreshes of the Group Risk Taxonomy and Risk Appetite with the Divisional Technology Risk Officers
• Ad hoc projects and initiatives
• GRC tool design requirements and testing
• Thematic analysis of risk exposure
• Qualifications: CISA, CRISC, CGEIT, CDPSE, CCSK or similar