
Head of Technology Risk Management (Giám Đốc Quản Lý Rủi Ro CNTT)

15-17 Years
  • Posted 10 hours ago

Job Description

Prudential's purpose is to be partners for every life and protectors for every future. Our purpose encourages everything we do by creating a culture in which diversity is celebrated and inclusion assured, for our people, customers, and partners. We provide a platform for our people to do their best work and make an impact to the business, and we support our people's career ambitions. We pledge to make Prudential a place where you can Connect, Grow, and Succeed.

Job Purpose

This role is to:

  • Build and role-model a risk culture of ownership and accountability for technology risks.
  • Ensure no audit items are overdue, including SOX audit, through proactive tracking, escalation and closure governance.
  • Identify, assess and escalate material technology vulnerabilities with potential impact on confidentiality, integrity or availability.
  • Provide assurance and oversight on information and technology risks that might pose a threat to the business.
  • Provide LBU management with objective analysis, detailed observations and recommendations relating to key information and technology risk areas to mitigate the spectrum of risks relating to the achievement of the LBU's business operations.
  • Provide oversight and assurance within the LBU that processes, tools, and technologies are operating effectively to mitigate risks to information and technology assets.
  • Monitor and review the effectiveness of implementation of information technology, security and data protection standards, policies, and procedures within the LBU to ensure compliance with regulatory, Group, and LBU specific policy requirements
  • Support LBU operational functions as required to manage risks to information and technology assets appropriately
  • Provide independent, objective assurance that information and technology risks are being managed to ensure they are within the risk appetite approved by the Board.
  • Work closely with the Group Technology Risk Management team to roll out and ensure the effective implementation of information and technology risk frameworks, policies, processes, and other initiatives

Job Responsibilities

IT Operational Risk Management

  • Embed ownership and accountability within 1st-line technology-risk processes (incident, change, problem, SDLC), with named control owners and clear due dates.
  • Run audit-action governance to ensure no audit items are overdue (including SOX), using an integrated tracker, periodic updates and time-bound escalation.
  • Drive systematic identification of material technology vulnerabilities through scanning, penetration testing, threat-intelligence inputs and control monitoring, and ensure timely risk treatment.
  • Conduct IT risk governance and risk exercises following the ORM framework.
  • Conduct frequent deep-dive reviews of key IT risks and processes, and investigate the root causes of incidents to optimize processes and propose recommendations.
  • Access and monitor IT Incident Management systems to support business teams and IT in controlling the risk of IT system disruptions.
  • Review, advise and train IT Risk Champion to enhance IT processes and risk controls.
  • Advise and support digitalization projects/processes in the company.

Cyber and Data Risk Management

  • Provide oversight of security and privacy incidents. Ensure proper escalation of incidents as per the LBU incident management process and Group CSIRP. Review whether the recovery, remedial, and preventive actions taken by the 1st Line are effective in managing security and privacy incidents.
  • Review the effectiveness and completeness of the Risk and Control Self-Assessment (RCSA), ensuring that risks are properly articulated and that controls are effective in ensuring risks are adequately managed. Perform control testing for key Technology and Privacy related risks as part of the RCSA.
  • Review accuracy / completeness of reporting, ensuring security and privacy risks are properly identified and articulated. Prepare and submit Technology Risk update to LBU risk committee/relevant forum. Collect data for KRI reporting.
  • Review BISG metrics trend and review the effectiveness of actions / controls implemented by 1st line. Escalate overdue issues and gaps to senior management / and Risk Committee where appropriate
  • Review the effectiveness of GwISP solution, overall implementation plan - e.g., timeline
  • Perform pre-audit review of the effectiveness of controls (ideally on an ongoing basis). Review completeness of Issue Self-identified and Being Actioned by Management (ISBAM).
  • Provide oversight on IT and security spending. Review ACR and PIR to ensure that objectives are met
  • Review the completeness and effectiveness of the training and awareness session conducted by 1st line. Enhance TRM in 1st line by conducting training/coaching
  • Review and ensure that access (e.g., Cloud Storage, SFTP, RMD) is properly reviewed and that approval is valid with proper business justification.
  • Review the completeness and adequacy of the review performed by 1st line for PIA and SIT.
  • Review the completeness and adequacy of the review performed by 1st line for TISQ.
  • For DPL rules, review and ensure that access is properly reviewed and that approval is valid with proper business justification. Review DPL rules and the effectiveness of DPL controls. Review the completeness and adequacy of documentation and controls, ensuring that risk is properly articulated and controls are in place, e.g., Risk and Materiality Assessment, Critical System Assessment, Cloud Risk Assessment, Cloud Consultation Presentation, Internet Insurance Attestation, etc.

Others:

  • Proactively look for better ways to improve the effectiveness of the risk management activities
  • Other tasks to be assigned by Line Manager or CRO or Company's management (if any).

Job Accountability

Key responsibilities of the position include:

  • Accountable for cultivating an ownership-and-accountability culture for technology risks across Business and IT.
  • Accountable for ensuring zero overdue audit items (including SOX) with defined SLAs for remediation and closure.
  • Accountable for the oversight of identification and escalation of material technology vulnerabilities to the Risk Committee.
  • Ensure the formation of LBU Technology Risk Management framework and the successful rollout and implementation within the LBU
  • Provide technical and best practice guidance on information and technology risk taking into account specific platform and regional complexities and issues
  • Support the LBU CRO in ensuring periodic reporting of information and technology risk matters to LBU risk committee
  • Work closely with LBU operational risk management team in managing LBU information and technology risk
  • Ensure the formation of the information and technology risk appetite and key risk metrics for management oversight and the successful rollout within the LBU
  • Proactively monitor the LBU risk register and escalate any potential risk area for Group level risk reporting
  • Work closely with LBU ORM to review the LBU risk register to ensure the risk rating, treatment plan and target completion date are able to reduce/mitigate the risk on a reasonable basis
  • Promote a risk culture to LBU stakeholders in managing information and technology risk

Job Requirements

Qualifications

Mandatory:

  • Bachelor's degree in Technology, Information systems, Data science or related subjects.
  • Good awareness of Enterprise Risk Management.
  • In addition to a technology degree, is appropriately certified and / or has other relevant technical certification such as Technology Risk Management, Technology Audit, IT Management, Cybersecurity, Cloud, Software Engineering or Project Management. Examples of certifications:
    • Risk Management: CRISC
    • Audit: CISA
    • IT Service Management: ITIL Foundation, PRINCE2, PMP
    • IT Architecture/Cloud/Network: Microsoft Certified Azure Solution Architecture Expert, (ISC)2 CCSK, CompTIA Cloud Essentials
    • IT/Info Security: CISSP, CISM, CompTIA Security
    • Software and Application Development: DevOps Engineer Professional, Google DevOps Engineer, Microsoft Specialist

Advantage:

  • Known as an SME in own functional area and is often sought after for advice / consultation
  • Apart from business-as-usual work, has delivered impactful initiatives / products which have helped elevate the function (e.g. helped automate a certain manual process / delivered an automated dashboard for more efficient risk identification etc.)
  • Coding background / data analytics capability (familiar with tools such as Python, SQL)
  • Has a good network with people in the industry (to stay informed on developments in a fast-moving IT landscape)
  • A certificate in insurance, finance business or business management is an advantage.

Experience

  • 15 years and above of relevant experience (Technology AND Risk Management/Audit experience is compulsory)
  • Experience in Data analytics, Power BI.
  • Candidates having experience in financial services (Banking, Insurance, etc.), Consultancy (e.g., Big-4, Accenture, etc.) in Technical Advisory, Technology Risk Management, Internal IT audit services, or Tech Companies (Digital Fintech, Digital Banks etc.) will be a plus.
  • Experience in identifying, managing and reporting risk and controls in at least five of the following areas:
    • IT infrastructure management (e.g. network, platforms such as IBM, Unix, Windows, middleware, and databases)
    • IT operations (e.g. data centre management, backup, batch processing, incident, and problem management)
    • Application and interface security
    • Application development and change management (SDLC)
    • IT project management/delivery
    • Third party risk management
    • IT Service Management
    • Identity and access management (including familiarity with tools such as SailPoint and CyberArk)
    • Cybersecurity (e.g. NIST framework, security tools, security operations)
  • Added advantage if candidates have experience in identifying, managing and reporting technology risks and controls in at least five of the following areas:
    • Cloud (PaaS, IaaS, and SaaS)
    • DevOps and / or DevSecOps
    • API management
    • Robotics process automation
    • Artificial intelligence
    • Data governance
    • Agile development
    • Mobile device management (including containerization)
    • Mobile application development

Knowledge and skill

  • Good written and verbal communication (both English and Vietnamese), critical thinking skills, effective interpersonal skills and strong project management experience.
  • Good skill in data analytics, Power BI.
  • Ability to analyze, communicate, articulate governance, standards and framework.
  • Ability to be flexible and work effectively.
  • Customer service orientation and a positive mindset.
  • High sense of responsibility, integrity, and confidentiality.

Prudential is an equal opportunity employer. We provide equality of opportunity of benefits for all who apply and who perform work for our organisation irrespective of sex, race, age, ethnic origin, educational, social and cultural background, marital status, pregnancy and maternity, religion or belief, disability or part-time / fixed-term work, or any other status protected by applicable law. We encourage the same standards from our recruitment and third-party suppliers taking into account the context of grade, job and location. We also allow for reasonable adjustments to support people with individual physical or mental health requirements.


Job ID: 143481611