BNP Paribas is a leading European bank with an international reach. It has a presence in 74 countries, with more than 192,000 employees, including more than 146,000 in Europe and over 4,000 in Portugal alone.
BNP Paribas has been present in Portugal since 1985, having been the first foreign bank to operate in the country. Today, BNP Paribas has several entities operating directly in this territory, offering a wide range of integrated financial solutions to support its clients and their businesses.
Worldwide, the Group has key positions in its three main activities: Domestic Markets and International Financial Services (whose retail-banking networks and financial services are covered by Retail Banking & Services) and Corporate & Institutional Banking, which serves two client franchises: corporate clients and institutional investors.
The Group helps all its clients (individuals, community associations, entrepreneurs, SMEs, corporate and institutional clients) to realize their projects through solutions spanning financing, investment, savings and protection insurance.
The Information and Communications Technology Risk department is part of the Group Risk Functions within BNP Paribas. It forms part of the second line of defence under the Bank's Chief Cyber & Technology Risk Officer.
Among other duties, the department is responsible for identifying key technology risks to the Bank and for influencing business and technology partners to take sound risk-management decisions.
This is achieved by delivering:
Tracking of issues and agreed actions to completion
Horizontal Risk Assessments: assessing technology risks in relation to a particular theme or technology across the organization
Vertical Risk Assessments: assessing risks to a product, service, technology or infrastructure. For instance, we may complete a vertical assessment of our remote-working solution (including infrastructure, applications, data, threats, etc.) or of our Internet connectivity
Partnership with the Business and Technology teams, helping them understand their technology risk profile and influencing their risk-management decisions
Recurrent analysis of the maturity of controls across all entities of the Group
The Management Consultant will be involved in running and improving the development and implementation of the worldwide ICT risk assessment program, and will have a proven track record of developing and implementing risk assessment programs in global organizations, with robust knowledge of technology, risks, architectures and related tools.
Prior ICT risk experience (IT, Cyber, Vendors, etc.) is required.
The Management Consultant will develop, use and communicate the risk assessment engagement models to ensure that ICT risk considerations are accounted for in all of the bank's operations.
Moreover, the Management Consultant will be responsible for the Risk Management environment, namely:
Identification and assessment of operational risks, performed effectively across the organization by correlating inputs from Audit Findings, Internal Loss Data Collection & Analysis, External Data Collection & Analysis, Risk Control Self Assessments, Business Process Mapping, KPIs & KRIs, Scenario Analysis, and Quantified Measurement & Comparative Analysis
Participate in the implementation of a process to regularly monitor operational risk profiles and material exposure to losses, and provide appropriate reporting mechanisms to the board, senior management and the business lines
Data capture and operational risk reporting should be continuously enhanced and provide a feedback loop to enhance risk management policies, procedures and practices
Improve the effectiveness of the Internal Controls program by reviewing the control environment, and assess risks in processes, control activities, information and communication, and monitoring activities
Assess operational risk response strategies
Provide updates on regulatory and financial disclosure while complying with external and regulatory communication standards, and disclose the bank's operational risk management framework in a manner that complies with the formal disclosure policy approved by the board of directors
Participate in the establishment of the IT & Cyber Risk Assessment Program for the bank within the three lines of defence model, in alignment with the Group Risk Management Framework
Participate in the effective implementation and communication of Operational Risk Management policies and guidelines
Provide support to other teams with respect to management of security and technology risks of core systems and applications
Participate in overseeing the Operational Risk Management infrastructure and ensure that practices are consistent with regulatory expectations and industry sound practices
Provide IT & Cyber Risk Management consulting to the business, technical and operations groups
Participate in appropriate Risk Management governance committees and arrange agendas as appropriate
Participate in the Group Risk Management (GRM) oversight model for IT and Operations Transformation projects, including the review of major outsourcing partners
Master's degree in an ICT domain (or equivalent)
Minimum of 3 years' experience in security and technology assessments
Experience in Financial Services industry
Experience in Information Security, namely in risk assessment, third-party and technology assessments
Experience in GRC tools and other Risk Management Information Systems is a plus
Professional qualification relevant to Information Security (such as a university degree, CISSP, CISM or CRISC)
Knowledge of regulations in the financial sector (e.g., Basel, ECB, AMF, FSA, FFIEC, SMA, HKMA, FED, among others)
Excellent understanding of emerging technologies: cloud, IoT
Thorough understanding of ISO 27005 and, more broadly, the ISO 2700x series of standards and guidelines
Knowledge of Archer Technologies SmartSuite Framework and Tufin
Operations Management will be a plus
Proactive problem solver
Solid communication and interpersonal skills
Fluent in English
Please note that only applications submitted in English will be considered.