The Director, Technology Risk Management (TRM), will assist the VP, Global Technology Risk Management & GWAM IRO in planning and delivering a comprehensive TRM strategy and framework across Manulife, and in monitoring and reporting on the company’s information risk profile. The Director will work collaboratively with the Global Information Services and Divisions to identify and evaluate technology risks across the enterprise, and will provide TRM expertise, advice and counsel on emerging risks and on the technology risk impact of major change initiatives, process improvements and transformational projects. The Director will consult with management and decision makers on the efficiency and effectiveness of the control environment to identify gaps and recommend enhancements to reduce Manulife’s exposure to technology risks.
Responsibilities:
- Provide deep subject matter expertise in Technology Risk Management (TRM) areas of focus such as IT asset risk management, change risk management, data risk management, third-party risk management, and technology operations and resiliency.
- Develop and update TRM-related policies and standards and the related framework and guidelines.
- Develop clear first and second lines of defense interaction models.
- Define and maintain the Technology Risk Management controls.
- Develop and maintain the Information and Technology Risk Management methodology and framework, and ensure alignment to industry best practices and the Manulife target state.
- Manage the implementation of the global TRM strategy and framework across Manulife, and the development and maintenance of TRM policies, controls, processes and procedures.
- Lead global technology risk and control assessments to identify key risks and gaps, and to facilitate the development and tracking of management action plans as required.
- Manage the implementation and maintenance of the global information risk and control register.
- Facilitate the development and maintenance of the information risk appetite (and associated thresholds) for Global Information Services and Divisions, in conjunction with Business Unit partners and Operational Risk Management.
- Provide technology risk expertise to Global Information Services and Divisions when needed to improve risk-based decision-making:
1. Identify key technology risk exposures across the enterprise
2. Identify and recommend key controls for key technology risks
3. Recommend mitigation strategies
- Participate in the investigation of material technology risk loss events (and related incidents) to assess for potential systemic weaknesses and ensure appropriate corrective action is taken.
- Manage the development and maintenance of information risk profiles and risk dashboards for Global Information Services and Divisions, aligned with enterprise and operational risk reporting; identify and report on Key Risk Indicators and supporting metrics to support risk reporting.
- As a change agent, help lead the behavioral and cultural embedding of TRM across Manulife.
- Provide expertise to Global Information Services and Divisions around emerging technology risk topics by carrying out research and reaching out to external sources; serve as champion for TRM domain best practices.
- Provide an integrated view of information risk exposures across the enterprise by collaborating with GIRM COE Leads, Global and Divisional Information Services teams, Global Privacy and Compliance, Operational Risk Management and Audit Services.
Knowledge/Skills/Competencies/Education:
- University degree (Technology, Risk Management, IT Auditing or related discipline)
- 10 years progressive experience in Technology Risk Management
- Direct experience with the implementation, execution and maintenance of a Technology Risk Management program in a large and complex multinational financial institution
- Deep understanding of IT Asset Management, Data Management, Change Management, IT program execution, and technology operations
- Performed technology risk and control assessments across multi-jurisdictional locations
- Experience with developing and maintaining risk appetite statements and thresholds preferred
- Participated in identifying and reporting on key risk indicators (and supporting metrics) using risk dashboards
- Experience in implementing a global information risk and control register
- Previous 2nd Line of Defense experience
- Experience with implementing and maintaining automated risk management tools (e.g. a Governance, Risk and Compliance solution)
- Actively participated in and supported the roll-out of an operational risk management framework preferred
- Related professional designation (CA, CRISC, PRM, CISSP, CISA, GDPR, etc.) required
- Demonstrated leadership experience and ability to effectively lead cross-functional teams
- Excellent communication skills (oral and written), including presentation skills and demonstrated ability to present at all organizational levels
- Innovative problem-solving skills with the proven ability to exercise flexibility and judgment in assessing business issues and risks in a dynamic environment
- Strong interpersonal skills, including demonstrated ability to apply sensitivity and professionalism when communicating across geographical and cultural boundaries
- Strong influence and negotiation skills; ability to achieve consensus in a decentralized/federated environment
- Results oriented, with the ability to work independently and as part of a team, managing multiple priorities within tight deadlines
- Flexibility to accommodate global project schedules, which may include off-hours conference calls and domestic and international travel
The role and context for these responsibilities are complex and dynamic in terms of program and process management within a global enterprise, changing technology, and emerging threats and risks. Specifically, the context includes:
- The Director, TRM is a new position and the role will evolve with time; the Director will need to gain credibility across the Divisions.
- A federated environment and inconsistent processes make it challenging to provide a single point of oversight for Technology Risk Management; the Director will need to work with the Divisions to get proper visibility into key technology risks and to execute risk and control assessments.
- Information risk and control assessments span multiple jurisdictions; the Director will need to work with Global Privacy and Compliance to ascertain regional and country-specific regulatory and legal requirements.
- Changing technology and emerging risks: the Director will need to understand Manulife’s control environment in order to identify any unmitigated risk exposures introduced by emerging risks.
- Global scope will mean that the Director may need to work hours outside the 9 to 5 timeframe.
- Multiple stakeholders with different needs and priorities: the Director will need to collaborate with GIRM COE Leads, Global Information Services, Divisional Information Services teams, Global Privacy and Compliance, Operational Risk Management and Audit Services.
Position Dimensions (Organizational Impact):
The Director will:
- Identify and evaluate the incremental information risks (information security, business continuity/disaster recovery, regulatory and technology) introduced by major change initiatives, process improvements and transformational projects, in addition to on-going risk and control assessments.
- Collaborate closely with the Divisional Information Risk Officers, exhibiting strong influencing skills to lead the teams to implement consistent tools and processes for achieving Technology Risk Management.
- Interact with Divisional SVPs/CIOs/CTOs, Regional Application and Infrastructure support organizations, and strategic vendor partners.
The Director is a key contributing member of the TRM Centre of Excellence (COE). Information provided by the Director on information risk exposures (and associated management action plans) across the enterprise will be presented to the Information Risk Committee (IRC), Operational Risk Committee (ORC) and Board Risk Committee (BRC).