Senior Manager: Cyber Risk - Third-Party Risk Centre of Excellence
  • South Africa Johannesburg
  • Absa Group
31.12.2023
Oversee and Govern
Cybersecurity Management
Job Description

Bring your possibility to life! Define your career with us

With over 100 years of rich history and strongly positioned as a local bank with regional and international expertise, a career with our family offers the opportunity to be part of this exciting growth journey, to reset our future and shape our destiny as a proudly African group.

Job Summary

Ensure that all activities for the centre of competence and the duties assigned are carried out in full compliance with regulatory requirements, enterprise-wide risk management and governance, management frameworks (and other applicable guidelines), and internal policies and standards.

Job Description

The Senior Manager: Cyber Risk - Third-Party Risk Centre of Excellence will act as Subject Matter Expert, advisor, consultant, and coordinator group-wide, and therefore must:

Understand the business value chain and leverage all of its sub-functions and activities.

Stay abreast of changes in the market, tools, methodologies and practices; act as an advisor to guide business in managing the applicable risk exposures; and provide research and development services, support and systems pertaining to Third-Party Cyber Risk.

Be responsible for the design, implementation and monitoring of group-aligned and integrated risk governance, insights and reporting on third-party cyber risk exposure.

Provide advisory, insights and specialist support services to the central functions and business units’ processes relating to third-party management in terms of the relevant risk types.

Consult all available enterprise frameworks to shape and inform the PPSGs (Procedures, Policies, Standards and Guidelines) to be adapted by the COE as they relate to the management of third-party cyber risks, and provide specialist support to all Business Heads, Executives and Line Management with the required governance, controls, monitoring and group-wide reporting for the relevant risk types.

Develop and implement group-wide proactive and preventative third-party cyber risk models, controls, processes, systems and tools, KPIs, key risk drivers, and associated risk impacts.

Identify potential risks by analyzing risk information from data, dashboards, and/or other relevant metrics. Provide advice and recommendations on emerging risks, trends, and early detection of issues for the relevant risk types, using the available capacity and tools to be innovative while recognizing and respecting the need for prudence in Third-Party risk management.

Support and promote an effective risk culture, where there is an open, proactive, and constructive dialogue in the management of the relevant risk types and enable management to monitor the effectiveness of the control environment and to take action to prevent, mitigate and remediate the relevant risk types, where required.

Key Accountabilities And Responsibilities

Training and Communication

Provide relevant coaching, guidance and training on the implementation and maintenance of the enterprise-wide relevant risk types and business components such as Critical Process Assessments (CPAs), Key Indicators (KIs), Events, Strategic Risk Assessments, and capital drivers.
Provide guidance and an approach for assessing the level of compliance with the relevant risk frameworks and policies adapted.
Manage, facilitate, and participate in the relevant working groups, committees, and combined assurance forums, in conjunction with the Department Head.
Educate business on the appropriate proactive remediation of any identified assessment findings and vulnerabilities.
Review and understand existing and new PPSGs (Procedures, Policies, Standards and Guidelines) and analyze them for potential impact and incorporation.
Provide input to the drafting of new PPSGs.
Be responsible for the overall design, development, testing and coordination of the overarching detailed design of solutions.
Ensure business collaboration by ensuring services meet both business and relevant risk type requirements.
Provide consultation on the automated business services and applications.
Be responsible for aligning business and relevant risk type priorities, and review all business linkages and alignment to methodologies for best-practice adaptation across the organization.
Provide consultation on the ownership/accountability of services, especially for those services that straddle business units and operating jurisdictions.
Ensure that services are tested and working as intended, and report any malfunction or service outage to business.

Leadership and Stakeholder Management

Engage and coordinate internal stakeholders across the various business areas and functions of the group, as well as external stakeholders (e.g., regulators and other third parties).
Provide strong leadership (of self) and direction, and display role-model behaviours, inspiring others to work together to achieve the strategic vision.
Build effective working relationships with key stakeholders and information flows across the business units, risk functions and the various entities.
Assist the business units in executing strategy by providing advice on risk and control, and challenge decisions that pose risk.
Advise leadership on emerging global third-party risk trends.
Support and influence the organization in improving third-party risk management through digitization, automation, standardization, and simplification.

Third-Party Risk Management and Governance

Advise on risk decisions and escalate risk decisions to the relevant Head.
Assess the relevance and performance of the third-party risk indicators and thresholds defined in the monitoring tools and methodologies, leveraging the business risk appetite or materiality thresholds.
Partner with the second line of defence and in-business-unit teams to provide guidance on issue/action documentation, tracking, escalation, and remediation.
Investigate third-party matters affecting the relevant business risk profile that may pose an undue risk.
Oversee deep-dive and lessons-learnt exercises for material risks, including the review, challenge, and tracking/escalation of findings.
Review and lead major remediation plans for adequacy, completeness, and progress.
Escalate any unresolved concerns directly to the Business Heads.
Ensure that third-party processes, control requirements and governance frameworks that impact the relevant risk types are documented and understood by all interacting members of the team and value chain.
Create and maintain a central communication portal (knowledge base) for the COE to ensure knowledge content is up to date and relevant.

Project and Change Management

Promote the sharing of information across the various business units and functions through working-group collaboration and other means.
Participate in or lead related change or improvement projects from design through to deployment, including aspects such as resourcing, planning, and issue and risk management.
Establish an operating model and manage the relationship with the business/third-party teams by acting as the primary point of contact for the day-to-day management of the services provided and the issues experienced by the business; ensure that agreed standards are met, escalating issues where required.

Behavioural Competencies

Must be able to work independently.
Analytical, and able to understand business models, strategy, processes, products and systems, and to influence change.
Confident enough to responsibly challenge data, facts, or trends.
Ability to manage and resolve conflicts.
Collaborates with colleagues and business unit representatives to resolve issues.
Effective interpersonal skills and the ability to interact at all levels.
Pragmatic, with a logical and flexible approach to problem resolution.
Develops effective working relationships within and across teams.
Leverages understanding of customers, consumers, suppliers and stakeholders to inform business decisions.

Qualification, Skills, And Business Competencies

Education and Experience

B-degree or relevant qualification
Minimum 4 years' relevant experience in one or more of the relevant risk type domains (Information Security & Cyber, Data & Records Management, Business Continuity Management, Third-Party Management)
Any relevant IT resilience and third-party certification will be an advantage

Domain expertise

Data and Records Management
Business Continuity
Third-party risk management
Risk management
Knowledge of cyber security governance and general security in computing

Required Knowledge & Skills

Knowledge of banking environment
Knowledge of the cyber risk environment
Knowledge of computer networks and databases
General knowledge of legal and ethical issues in information security
General knowledge in Procurement and/or Vendor Management
PMBOK, PRINCE2, CyBOK
Cyber security frameworks (ISO 27001, CIS Controls, NIST)
Applicable cyber security laws and regulations

Business acumen:

Proactive
Relationship building and networking
Persuading and influencing
Presenting and communicating
Applying expertise and technology
Analysis
Change agent
Track record of delivery using structured methodology and tools

Absa Values and Behaviours

We drive high performance to achieve sustainable results. We are obsessed with the customer. Our people are our strength. We have an African heartbeat.

Helping people achieve their ambitions in the right way through:

Respect
Integrity
Service
Excellence
Stewardship

Mental & Environmental Demands

Mobility across operating jurisdictions as and when required.

Special work requirements:

Staying abreast of changes in both the internal and external environments.

Business change accountability:

Be willing to drive change and enforce standards, and be the change agent.

Education

Bachelor's Degrees and Advanced Diplomas: Business, Commerce and Management Studies (Required)

Absa Bank Limited is an equal opportunity, affirmative action employer. In compliance with the Employment Equity Act 55 of 1998, preference will be given to suitable candidates from designated groups whose appointments will contribute towards achievement of equitable demographic representation of our workforce profile and add to the diversity of the Bank.

Absa Bank Limited reserves the right not to make an appointment to the post as advertised.


Required Knowledge
  • K0001   Knowledge of computer networking concepts and protocols, and network security methodologies.
  • K0002   Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).
  • K0004   Knowledge of cybersecurity and privacy principles.
  • K0026   Knowledge of business continuity and disaster recovery continuity of operations plans.
  • K0038   Knowledge of cybersecurity and privacy principles used to manage risks related to the use, processing, storage, and transmission of information or data.
  • K0043   Knowledge of industry-standard and organizationally accepted analysis principles and methods.
  • K0048   Knowledge of Risk Management Framework (RMF) requirements.
  • K0126   Knowledge of Supply Chain Risk Management Practices (NIST SP 800-161).
  • K0149   Knowledge of organization's risk tolerance and/or risk management approach.
  • K0169   Knowledge of information technology (IT) supply chain security and supply chain risk management policies, requirements, and procedures.

Required Skills
  • S0018   Skill in creating policies that reflect system security objectives.
  • S0027   Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes.
  • S0086   Skill in evaluating the trustworthiness of the supplier and/or product.

Required Abilities
  • A0161  Ability to integrate information security requirements into the acquisition process; using applicable baseline security controls as one of the sources for security requirements; ensuring a robust software quality control process; and establishing multiple sources (e.g., delivery routes, for critical system elements).
  • A0165  Ability to manage Communications Security (COMSEC) material accounting, control and use procedure.
  • A0167  Ability to recognize the importance of auditing Communications Security (COMSEC) material and accounts.
  • A0177  Ability to recognize the unique aspects of the Communications Security (COMSEC) environment and hierarchy.