Senior Executive (IT Governance, Risk & Compliance)

RISK & COMPLIANCE
Malaysia

Mid Senior level


SUMMARY OF RESPONSIBILITIES


  • Assist Head of IT Governance, Risk & Compliance on the implementation and continuous improvements in Technology Risk, Governance and Compliance, including any other new areas that may be set up to meet business strategy and organizational needs.
  • Collaborate with Business and Technology division and units within Risk and Compliance in ensuring risks are identified and considered in the development of PayNet’s strategic vision, and proactively manage and balance both risk and rewards of the business.
  • Perform risk assessments, including identifying operational and strategic risks and relevant controls; facilitate prioritization of risks and identification of risk owners; and develop risk reports and highlight relevant risks and mitigations to Management, the Group Risk Committee and the Board.
  • Coordinate and maintain security governance implementation and certification such as PCI DSS and drive security culture and behavior internally through continuous security awareness programs.


KEY AREAS OF RESPONSIBILITIES


1.    Technology Risk Management

  • Review technology risk-related assessments such as Change Request Risk Assessment (CRRA), Project Risk Assessment (PRA), Risk and Control Self Assessments (RCSA), Cloud Risk Assessments (CRA), exception requests to established IT policies and procedures, and other relevant assessments
  • Provide consultations, advice, expert opinion and level 2 reviews to Business and Technology division on areas relating to IT Risk, Governance and Compliance
  • Participate in periodic IT and information security risk assessments, including those associated with developing new or significantly enhanced business applications
  • Recommend improvements and mitigations on current systems, policies and strategies and take the necessary actions to mitigate IT related risks
  • Develop, implement, and maintain IT risk monitoring for the ecosystem, including critical vendors and relevant PayNet Participants
  • Perform special reviews on regulators’ requirements and/or as required by the Management, Board and Board Committees

 

2.    On-boarding Due Diligence and Continuous Assessments

  • Perform on-boarding due diligence on prospective third-party acquirers (TPA) and Non-Bank Participants (NBP). The on-boarding processes include, but are not limited to, pre-admission assessment, interview, off-site due diligence, on-site due diligence and system audit review
  • Review system audit reports submitted by the TPA and NBP

 

3.    Governance and Compliance

  • Design, develop, execute, and oversee technology risk awareness programs delivered to users, technical staff, management, and relevant third-party personnel.
  • Prepare and periodically update information security policies, architectures, standards, and other technical requirement documents needed to advance information security at PayNet.
  • Establish and fine-tune IT Risk, Governance and Compliance metrics, and develop routine reports to the management and Board according to the metrics.
  • Monitor current and proposed laws, regulations, industry standards, and ethical requirements related to Technology Risk, Governance, Compliance, information security and privacy, and provide advanced advice and readiness to PayNet to be fully compliant with these requirements.
  • Advance and improve management of IT or cybersecurity related risks (e.g., compliance and supervisory assessments, management reporting, etc.) and overall IT Risk, Governance and Compliance operations through process improvements, data analytics, or automation.

 

4.    Overall Risk Management Department Operations

  • Maintain relevant documentation for audit and inspection.
  • Maintain close working relationship with all retail payments and cards product owners and stakeholders with respect to Technology Risk, Governance and Compliance matters.
  • Inculcate an organization-wide culture of risk awareness and management.
  • Keep abreast of the latest risk management practices and/or standards and proactively adapt these practices and/or standards where appropriate.
  • Perform any other assignments as directed by the Head of IT Governance, Risk & Compliance and/or Head of Risk Management or Senior Director of Risk and Compliance.


Functional Competencies

  • Possesses adequate knowledge of enterprise risk framework and processes.
  • Possesses adequate understanding of PayNet products/solutions.
  • Possesses adequate understanding of the industry trends and relevant regulatory guidelines (e.g. BNM).
  • Possesses comprehensive understanding of types of fraud, red flags and common concealment activities; interprets information on potential fraud areas within PayNet's business, internal controls framework and financial processes.
  • Possesses comprehensive understanding of third-party/non-bank onboarding due diligence processes; Suggests improvements on the onboarding due diligence processes.
  • Possesses comprehensive understanding of non-compliances/improvement areas related to third-party service providers/non-bank participants; Suggests improvements on processes to identify possible mitigation opportunities.
  • Possesses adequate understanding of data sources and systems based on operational execution experience; able to perform non-routine analysis on information sources.
  • Possesses adequate understanding of relevant stakeholders' decision-making processes (e.g. approval levels) based on operational execution experience.
  • Possesses adequate understanding of project management tools and resources (e.g. Gantt charts, task lists) used in different scenarios (e.g. non-routine situations).
  • Able to assist in management meetings, i.e. deliver technical messages in layman's terms to all levels of audience, especially Management, Group Risk Committee and Board.
  • Possesses comprehensive understanding of technology risk management framework, IT threats and their linkages to processes, guidelines, and control measures; Suggests improvements on the application of framework for PayNet's needs.


QUALIFICATIONS & EXPERIENCE

  • Degree in Information Technology (IT), Computer Science or other related disciplines with relevant experience in managing cyber risk in financial market infrastructures, critical national infrastructure, military, security intelligence or equivalent
  • 3 to 5 years of IT governance, risk and compliance or information security experience
  • Experience in various regulatory requirements such as BNM RMiT, ISO27001, MAS Technology Risk Management Guidelines, National Institute of Standards and Technology (NIST), Centre for Internet Security (CIS), FMI Cyber Resilience Guidelines or equivalent would be an added advantage
  • Thorough understanding of end-to-end IT operations and how IT interfaces with business, risk management and compliance processes and IT Security
  • Relevant professional certifications such as CISA, CISSP, CEH, GPEN, CISM, ISO27001 auditor would be an advantage
  • Must possess excellent interpersonal skills and be able to communicate and manage the relationship at all levels
  • Fluency in written and spoken English is essential for this position.

About the Company

Payments Network Malaysia

Embark on an exciting career journey with Payments Network Malaysia Sdn Bhd (PayNet), the heartbeat of Malaysia's financial markets!

As the national payments network and a pivotal infrastructure for Malaysia’s dynamic financial markets, PayNet is a linchpin in advancing the nation’s digital economy.

Our comprehensive suite of retail payment solutions - encompassing DuitNow (QR and P2P), JomPAY (Bill Payments), FPX (Online), MyDebit (Domestic Debit), MEPS (ATM), and IBG (Interbank GIRO) - not only offers wide accessibility but is seamlessly integrated into the fabric of daily life in Malaysia. These services have revolutionised the way Malaysians handle financial transactions, marking a significant leap in consumer convenience and efficiency.

At PayNet, our focus is on providing a safe, efficient, and innovative payments system. We are dedicated to improving and managing payment services that meet the evolving needs of consumers and businesses. Our work ensures the stability and reliability of Malaysia’s financial system, supporting the growth of the economy.

Learn more about our work and how we are contributing to Malaysia's financial future at www.paynet.my.

Join us in embracing digital payments and advancing Malaysia's financial landscape.