Summary
The Information Technology Risk Office (ITRO), within Risk Management and Control (RMC), is responsible for the end-to-end execution, coordination, challenge, and continuous enhancement of ICT risk management, in alignment with Group standards and applicable regulatory requirements.
The Head of IT Risk Officer for APAC-ME reports directly to the Regional Head of the Risk Management and Control department and functionally to the Head of IT Risk Officer at Head Office. The role holder will work closely with the Head Office IT Risk Officer and follow the same standards and processes.
Key Responsibilities
1. ICT Risk Strategy & Governance
· Contribute to Group and Regional ICT risk management by monitoring and reporting ICT risk levels across local and regional information systems and processes
· Prepare ICT risk reporting for management and governance bodies, and provide a local view of ICT risk deliverables that reflects regional IT environments and operational realities
· Support alignment of ICT risks with business strategy and risk appetite
2. ICT Risk Identification, Assessment & Monitoring
· Perform and coordinate:
o Annual ICT risk assessments
o IT Risk Self‑Assessments (IT Radar)
· Ensure full coverage of all nine ICT risk domains
· Monitor emerging ICT risks related to technology evolution, operational changes, suppliers, or incidents
· Identify early indications of material risks or potential risk appetite breaches
3. Regulatory Watch, Interpretation & Gap Identification
· Perform regulatory watch on ICT‑related regulations and supervisory expectations (e.g. MAS TRM, HKMA)
· Analyse regulatory requirements and identify gaps against existing ICT risk practices
· Propose remediation actions and coordinate follow‑up with stakeholders
· Translate regulatory expectations into operational and technical ICT risk considerations for management
4. ICT Risk Controls & Internal Control System (Line of Defence 2.1)
· Identify and maintain local owners for each ICT risk type
· Establish, maintain, and execute Level 2.1 ICT risk controls
· Ensure appropriate Level 1 controls are designed and performed locally
· Challenge control design and implementation choices prior to execution
5. Risk Metrics, Dashboards & Transparency
· Ensure accurate regional ICT risk data is fed into the Operational Risk Dashboard (ORD)
· Define and instantiate regional key performance indicators (KPIs) and key risk indicators (KRIs) where relevant
· Produce ICT risk dashboards and management risk summaries
· Highlight trends, deteriorations, interdependencies, and forward-looking ICT risk concerns
6. ICT Risk Management Tooling
· Ensure deployment, usage, and maintenance of IT Risk Management tooling
· Raise regional requirements and specificities during tooling design or evolution phases