The Technology and Cyber Compliance and Operational Risk Office (TCCORO) at Citi is the firm’s reliable second set of eyes. Our mission is to drive comprehensive and consistent practices designed to identify, measure, monitor, report and manage operational and compliance risks while promoting the implementation of actions to address root causes which may lead to unintended operational losses or regulatory breaches. TCCORO provides the specialist subject matter experts to challenge Enterprise, Infrastructure, Operations and Technology entities across the firm. We are the technology and cyber conscience of the bank. In line with the Operational Risk Management (ORM) and Independent Compliance Risk Management (ICRM) frameworks, we aim to ensure that the internal controls that are designed to mitigate technology and cyber risks are managed, mitigated, and aligned with our risk appetite.
You as a Senior Analyst - Technology Risk is part of thewithin TCCORO. The role will leverage[technology]
What you will do:
- Reviews and evaluates compliance and[technology]policies and procedures, technology and tools, and governance processes to provide credible challenge for minimizing losses from[technology]risks.
- Assesses[technology]risks and evaluates actions to address the root causes that persistently lead to operational risk losses by challenging both historical and proposed practices.
- Supports independent assurance activities to assess areas of concern including substantive and controls testing.
- Monitors, evaluates, and challenges Key Risks and associated Key Risk Indicators triggers andthresholds. Alsoliaises with Key Indicator owners on breaches and action steps to correct breaches.
- Reviews potential risks associated with program/project delivery on a technical and detailed level.
- Participates in various second line of defense[technology]assessments including risk assessments, control assessments, maturity assessments etc.
- Assesses[technology]risks associated with new initiatives and programs being proposed for implementation.
- Challenges the design, adequacy and strength of the control environment associated to technology and cyber and recommends actions to ensure the operational risk profile is in line with the[technology]riskappetite.
- Executes ad-hoc activities for the TCCORO organization, including but not limited to: researching and drafting materials for presentations of deep dives into selected topics, coordinating deliverables related to audits and examinations, and maintaining associated data for executive reporting.
Qualifications:
- 5-8 years relevant experience.
- Knowledge of products within the coverage area, including an understanding of current and emerging trends as well as the ability to apply understanding of the business impacts of technical contributions.
- Experience in[technology]risk assessments, metrics, enterprise technology services, risks, and controls within globally complex, dispersed and diverse organizations.
- In-depth knowledge of[technology]risks and controls across various information system architecture and engineering domains including: data protection, identity and access management, vulnerability management, network security, endpoint security, logging and monitoring, incident management, and third-party management; preferred expertise in preferred expertise in
Emerging technology, SDLC, Change Management, Strategy, Public Cloud and Resilience and Response
]. - Proficient in industry standard risk management frameworks (including ISO27001, COBIT, TOGAF and CRI for example), and an in-depth understanding of[technology]risk mitigation strategies.
- Consistently demonstrates clear and concise written and verbal communication skills
- Developed communication and diplomacy skills are required to guide, influence, and convince others, in particular colleagues in other areas and occasional external customers. Requires good analytical skills to filter, prioritize and validate potentially complex material from multiple sources.
- Bachelor’s/Universitydegree, Master’s degree preferred.
- Relevant certifications (in CISM, CRISC, CISSP, CISA, or PMP) a plus.