RISK ORM ICT OFFICER – Operational Risk Management

May 27, 2024


  • Permanent
  • ES-Madrid, Comunidad de-Madrid
  • RISK
RISK is an integrated and independent control function of the BNP Paribas Group. It is the second line of defense on the risk management activities of the Group which are under its direct responsibilities, including credit and counterparty risk, market risk, funding and liquidity risk, interest rate and foreign exchange risks in the banking book, insurance risk, operational risk, and environmental and social risks.

RISK aims at being a partner of the businesses by contributing to their sustainable development, but also a gatekeeper to ensure risks taken remain compatible with the Group’s Risk Appetite and its strategy. 

RISK Iberian Hub Madrid is a transversal platform servicing the RISK Function by covering added-value activities around credit risk, market risk, operational risk and data protection. It offers a wide range of services to RISK teams, from consulting to cyber security, including data analysis, modelling and artificial intelligence.

The main objective of the Operational Risk Management (ORM) team is to provide a 2nd level of defense on the Bank’s operational risk framework, including all outsourced processes. The ORM framework is based on a risk-based approach whose main objective is to avoid, reduce or transfer major risks, in compliance with the local regulatory framework. The ultimate objective is to reduce the Bank’s losses related to operational risk.

The RISK ORM ICT Officer will ensure that the Group’s policies, rules, standards and methodologies are applied in its various tasks detailed below.


  • RCSA (Risk and Control Self Assessment) – Ensure that the RCSA framework is well managed and implemented within the territory; as the 2nd line of defense, perform the RCSA check & challenge for the ICT perimeter;
  • Historical Incidents (HI) – Ensure the proper reporting of operational incidents by LoD1; conduct a quality review of ICT-type operational risk incidents and monitor the related action plans;
  • Potential Incidents (PI) – Conduct a quality review of potential ICT incidents and ensure the coordination and follow-up of their updates;
  • Recommendations – Follow up the recommendations, permanent control actions and associated action plans;
  • Controls – Implement the centrally defined control plan and perform locally the defined Process Review of the ICT scope;
  • Procedures – Ensure the procedures are properly kept up to date;
  • TAC/NAC – Participate in the new activities/transaction committees by giving the RISK opinion on any operational risk arising from the proposed activity/transaction;
  • Fraud – Ensure the proper execution of the Anti-Fraud PCG with LoD1;
  • Challenge the first line of defense on the following topics:
      • The ICT risk assessment exercises on Information Systems;
      • The identification of critical IT assets and the assessment of the impacts of the risks attached to these assets;
      • The identification of the essential 3rd parties and the assessment of ICT risks associated with their services;
      • The business continuity and crisis management framework;
      • The Control Plans and self-assessments executed by the 1st line of defense and their results.

Responsibilities related to the Governance

  • Alert and escalate to the Management level any incident related to operational risk and/or any recurring weaknesses in the operational risk management framework;
  • Contribute to the OPC/ORM community meeting by proposing topics related to the ORMF;
  • Actively contribute to the Operational Risk Committee (CRODG) by preparing the supporting material and providing a RISK Opinion;
  • Actively contribute to the Internal Control Committee (ICC);
  • Participate in the TAC/NAC/NPC committee; analyse & challenge the level of risk;
  • Participate in local ICT risk governance bodies.

Responsibilities related to the Regulation

  • Ensure that the Operational Risk and Operational Resilience Circular FINMA 2023-01 is properly implemented within BNP Paribas Switzerland;
  • Ensure that the principles of the FINMA 2018-03 Circular related to Outsourcing are properly managed.

Transversal responsibilities

  • Participate in the deployment of methodologies, tools and controls;
  • Participate in the creation of a consolidated vision of the various risk assessment tools (mapping, incidents, controls, action plans…);
  • Work closely with the Data Protection Office (DPO); help the DPO (central and territorial) to fulfil all their LoD2 obligations and monitor compliance with regulatory requirements for personal data protection.


  • Solid experience and skills in the ICT & Cyber Security domains
  • Capability to run risk analysis and execute controls
  • Capability to make a decision/provide a risk opinion


  • MS Office pack (Word, Excel & PowerPoint)
  • Capability to run risk analysis and execute controls
  • Capability to make a decision/provide a risk opinion
  • Ability to manage a project and facilitate a meeting or committee


  • Organizational Skills
  • Collaborate/Teamwork
  • Manage a project

English: Mandatory, fluent level

French: Optional
