About the job
Location: Karachi, Pakistan
Full time / Permanent
Special requirements:
The role is a Group role and will at times require working Swiss or UAE hours, as the Group teams are located in Switzerland and the UAE. Travel to our Group offices in Dubai, UAE or to Head Office in Switzerland may be required, as the Group Information Technology team is located there.
About us:
Habib Bank AG Zurich is a Swiss-incorporated bank that was established in 1967, embodying a rich tradition of banking excellence and a commitment to providing personalized financial services. Known for its robust focus on international banking and finance, the bank caters to both individual and corporate clients, offering a wide range of products including private banking, commercial loans, and online banking solutions. We have a presence in eight geographies across four continents. The bank prides itself on its customer-centric approach, ensuring that clients receive tailored financial solutions designed to meet their unique needs.
About the role
Responsibilities:
This newly established position is designed specifically to manage Information and Communications Technology (ICT) risks. The role involves independently evaluating and managing ICT risks within the framework of the Group's comprehensive operational risk management strategy. The ideal candidate will have an understanding of IT risk management and financial services regulations generally.
The role serves as the second line of defense for ICT risks, which are a subset of operational risks. Responsibilities include identifying and addressing critical technology risks, such as:
ICT availability and continuity risk
ICT change risk
ICT data integrity risk
ICT outsourcing risk
The incumbent will ensure regulatory compliance as outlined in the FINMA circular 2023/1 on Operational Risk & Resilience, as well as any local regulations in countries where the Group has branches and operates.
1. Strategic Leadership
Develop and implement the Group’s ICT risk management strategy in line with the bank's overall risk management framework.
Provide strategic direction and advice on ICT risk issues to senior management and the board of directors.
2. Risk Identification & Assessment
Challenge and verify the first line of defense's (1LoD) risk identification, ensure consistency in quantifying potential incidents, conduct independent ICT risk assessments (incident reviews, post-mortem analyses), and validate the closure of permanent control actions.
Develop and implement risk mitigation strategies, policies, and procedures to minimize ICT-related risks.
Conduct regular risk assessments and audits to ensure compliance with internal policies and external regulations.
3. Risk Treatment & Decision
Oversee the risk treatment process, including acceptance, transfer, and remediation of risks.
Participate in and oversee change management, new activities, new processes, vendor assessments, emerging technologies, and share opinions on ICT risk exposures with Group Operational Risk and Business/Management.
4. Testing
Conduct independent testing of, and challenge, the 1LoD (IT Operations) controls, and perform second line of defense (2LoD) tests as required.
5. Planning, Projects & Initiatives
Identify key ICT priorities, define approaches in line with the ICT Risk Management Framework, and manage relationships with key stakeholders.
Participate in ICT projects and initiatives to incorporate proactive risk management into solutions.
6. Regulatory Compliance
Ensure compliance with relevant regulatory requirements, such as the FINMA circular and local regulations such as the Enterprise Technology Governance & Risk Management Framework for Financial Institutions issued by the State Bank of Pakistan (SBP).
Monitor changes in regulations and update risk management practices accordingly.
Ensure all ICT policies and procedures comply with regulatory requirements.
7. Collaboration and Communication
Collaborate with other departments, including IT, compliance, and legal, to ensure a holistic approach to risk management.
Clearly and concisely communicate IT risk issues and mitigation plans to senior management and the board.
8. Vendor Management
Assess and manage risks associated with third-party vendors and service providers.
Conduct due diligence and ongoing monitoring of vendor security practices.
9. Business Continuity Coordination & Disaster Recovery
Manage business continuity by identifying key business processes, conducting Business Impact Analyses, and instituting mitigating actions.
Facilitate business continuity and disaster recovery tests.
Monitor processes for continuity needs to enable optimal business performance.
Coordinate with stakeholders on incident documentation, resolution, and crisis management, with approval from the Crisis Management team.
Train staff on business continuity management in collaboration with Group HR or Country HR.
Liaise with alternate business continuity sites for timely support during crisis management.
Maintain the ICT Disaster Recovery Plan, including annual reviews.
Coordinate regular testing of the Disaster Recovery Plan and updates for major changes in hardware, applications, business, and regulatory requirements.
Coordinate testing and reporting of data backup restorations in accordance with Key Performance Indicators (KPIs).
10. Risk Reporting and Documentation
Prepare regular reports on IT risk management activities, including risk assessments, incident reports, and compliance status.
Maintain comprehensive documentation of IT risk management processes and procedures.
Support Group Operational Risk and stakeholders on key ICT incidents and crisis management (e.g., unavailability of critical applications).
Candidate requirements
Bachelor’s degree in Information Technology, Computer Science or a related field. Advanced degree preferred.
Professional certifications such as CISA, CRISC, CISSP, CISM, COBIT, or similar.
Business analysis skills: the ability to understand requirements and deliver them in the context of a tool implementation.
Good stakeholder management.
Good level of English is essential.
Minimum of 8 years of experience in IT risk management or a related field within the financial services industry.
Understanding and knowledge of IT risk management frameworks, methodologies, and best practices.
Understanding of financial services regulations and compliance requirements.
Proven leadership and management skills with the ability to lead a team and influence senior stakeholders.
Excellent analytical, problem-solving, and decision-making abilities.
Strong communication and presentation skills.