Technology Risk Management Consultant

Technology Risk Management Consultant

Background to Role:

The Global Information Security (GIS) Technology Risk Management Senior Analyst will work with peers in GIS and across the Technology Division to ensure that third party technology risks are properly identified, assessed, monitored, and communicated in support of the overall Third Party Risk Management (TPRM) program. The Senior Analyst will assist with the continuous improvement and daily operation of the GIS Third Party Risk Management (GIS TPRM) program.


Responsibilities Include:

  • Work with peers to identify and assess Information Security risks
  • Conduct risk assessments using established GIS Third Party Risk Management assessment process
  • Collaboratively author and edit various assessment related documents including Deficiencies Observed, Summary of Work, Risk Advisory Memos, exceptions from GIS technical policies and standards, and other related output resulting from risk adjudication activities
  • Participate in and contribute to various working groups across the Technology Division, including, but not limited to, Third Party Risk Management working group, GRC working group, etc.
  • Assist the GIS Third Party Risk Management function with:
    • Continuous improvement and maturation of the methods, instrumentation, training, documentation, and processes required to properly manage third party technology risks
    • Providing advisory and consulting services to the Information Technology Management Team related to InfoSec risks, treatment strategies, and decision-making
    • Assist in the preparation of management reports, presentations, metrics, and other documentation required to support governance functions
    • Assist in compiling and delivering business and operational metrics at regular intervals
    • Promoting a culture of risk awareness and accountability through training, education, and risk management consultative support
  • Problem Solving:
    • Objectively assess the impact, likelihood, and velocity of identified risks
    • Objectively advise on any number of controls that will mitigate risk while not imposing undue burden on those who must implement the controls
    • Drive objectivity and build consensus among stakeholders with widely divergent perspectives and drivers
    • Rapidly analyze complex technical details
    • Synthesize detailed analysis into a “big picture” view that can be easily understood by non-technical stakeholders in order to support risk-based decision-making for senior managers within the company
  • Decision Making:
    • Recommend risk treatment decisions
    • Recommend remediation actions when risk mitigation is desired
    • Recommend improvements to methods, instrumentation, training, documentation, and processes
    • Recommend solutions for automating and streamlining GIS TPRM risk management practices
  • Working Relationships:
    • Interacts with peers across all elements of the Technology Division
    • Communicate regularly with cross-functional peers outside of the Technology Division, including Legal, Information Governance, Global Operations, Global Assurance (Internal Audit), Enterprise Risk Management, Third Party Risk Management, and other business unit leadership
    • Interact occasionally with industry peers from other SIFMUs, research organizations, solution providers, etc.

Required Experience:

  • Bachelor’s Degree or equivalent experience
  • Minimum of 4 years of relevant experience in publicly traded companies or finance/technology industry operations with third party risk management experience a plus
  • Experience in at least two of the following: InfoSec (Operations, Program Management, Governance, Risk Management, etc.), Enterprise Architecture, Identity & Access Management, Application Development, Infrastructure & Operations, IT Compliance, or Internal Audit
  • Experience working with industry based information security and / or control frameworks (NIST Cyber Security Framework, ISO 27002, COBIT, etc.)
  • Demonstrable knowledge of a broad range of InfoSec technologies and practices
  • Demonstrable, impeccable writing skills for technical, management, and executive audiences


Additional preferred experience:

  • Demonstrable knowledge of InfoSec risk management methods and practices
  • Experience with operating GRC solutions
  • Professional certification in InfoSec or Risk Management (such as CRISC, CISM, CISSP, CGEIT, CISA, etc.)