EMEA Operations Risk

Purpose of Job

The purpose of the EMEA Operations Risk & Control Officer is to ensure that within EMEA Operations:

• All risks are identified, assessed and managed in line with risk appetite.
• The control environment is robust, comprehensive, and effective.
• Staff operate in accordance with risk policy, comply with relevant regulation and behave in line with SMBC’s values.

Background

The EMEA Operations Risk & Control team is being established in order to improve the risk management capability within EMEA Operations. EMEA Operations encompasses OPPD and OAD/ODED and provides key capabilities and core services for SMBC EMEA:

• OPPD (Operations Planning Department): provision of Data Management, Change Management, Third Party Management, Business Service Management and Corporate Real Estate & Services to all departments in EMEA.
• OAD/ODED (Operations & Administration Department / Operations Department Europe Division): middle office, transaction processing and customer servicing support for all business departments in EMEA. This includes Financial Crime Middle Office, Derivative Operations, Securities Operations, Treasury Operations, Loan Administration, Trade Finance Operations, Trade & Transaction Reporting and Payments.

As the lead of the EMEA Operations Risk & Control team, the EMEA Operations Risk & Control Officer will drive enhancements in risk management and control design and execution across EMEA Operations. The role holder will be a key participant (and chair in some cases) of the risk and control governance committees within the Department and play a key role advising and challenging the EMEA Operations management team. A key element of the role is supporting the co-Head of EMEA Operations / co-General Manager of OPPD in meeting their obligations as SMF24 for SMBC Bank International.

A project is underway to uplift the Non-Financial Risk Framework, enhance the Three Lines of Defence operating model and create an EMEA wide Control Office to enhance risk management in 1st Line of Defence (1LoD) across EMEA. This role will play a key role in the implementation of the new framework within EMEA Operations and, subject to future organisational design decisions, is likely to have a reporting line in to the EMEA-wide Control Office (once it is established).

The EMEA Operations Risk & Control Officer will also partner with, and support as necessary, other risk and control teams across the 1LoD (especially those in IT and Cyber) in developing and driving common agendas. Additionally, the role holder will support the 2nd Line of Defence (2LoD) in developing and implementing risk policy and risk frameworks and assist them in executing their responsibilities to provide oversight of the EMEA Operations. Similarly, the role holder will work with Internal Audit (3rd Line of Defence) to support their work, as well as engaging with external parties (such as Regulators) as needed.

Accountabilities & Responsibilities

The EMEA Operations Risk & Control Officer is responsible for building, leading and developing a team with the capability to:

• Oversee and support risk owners, control owners and other relevant senior management within EMEA Operations to ensure that (i) all risks are identified, assessed and managed, and (ii) the control environment is robust, comprehensive, and effective. This should be achieved in the context of the business strategy and risk appetite and in line with applicable laws and regulations, internal policies and procedures.
• Ensure robust and comprehensive governance of risk and controls within EMEA Operations. This includes implementing the 1LoD risk governance framework, providing insightful, timely and accurate data and analysis, and orchestrating the governance meetings. This governance should ensure appropriate visibility of the status of EMEA Operations owned risk and controls, escalation of material issues and drive appropriate action from the accountable individuals.
• Provide independent and insightful analysis of the risk and control environment within EMEA Operations. For example, analyse key risk indicators, key control indicators, risk ratings, control ratings, issues, events, audit findings etc. to identify trends and thematic weaknesses (e.g., unmitigated risks or ineffective controls) that require addressing. Provide guidance on how best to address these concerns.
• Ensure rigorous investigation of Operational Events to ensure that root cause is identified and solutions to support prevent reoccurrence are identified and implemented (where appropriate). Similarly, ensure that “read across” of issues and Operational Events takes place so that learnings from a weakness identified in one area are applied to all areas.
• Perform deep dive “Risk Reviews” to assess how robustly and comprehensively risks are mitigated and/or investigate potential weaknesses in the control framework. (For example, this could involve an assessment of the design and operating effectiveness of controls in an end-to-end process or in a complete customer journey.)
• Drive remediation of weaknesses in the control environment (for example, issues identified by Risk Reviews or Audit findings)
• Assess the operating effectiveness of controls through control testing and assess the effectiveness of risk identification and mitigation through thematic risk reviews.
• Support (and lead where appropriate) initiatives to assess and enhance the risk culture within EMEA Operations.
• Support 2LoD with the development and implementation of risk policy and risk frameworks and assist them in executing their responsibilities to provide oversight of the 1LoD.

To achieve this, the EMEA Operations Risk & Control Officer will be expected to demonstrate clarity of purpose, excellent values and behaviours and deep expertise that can be applied to enhance the risk management capability of EMEA Operations.

Knowledge, Skills, Experience & Qualifications

• Leadership. Experience of leading organisations through shifts in mindset and culture (especially risk culture). Able to motivate staff across the Departments and generate enthusiasm for, and alignment with, the enhanced risk management framework and Three Lines of Defence operating model.
• Risk Management. Deep understanding of risk management frameworks and control environments as applied to Commercial & Investment Banking.
• Business Knowledge. Extensive knowledge of Commercial and Investment Banking products and services - and the end-to-end processes and infrastructure required to deliver these products and services to customers. Experience of identifying and addressing deficiencies in risk management and/or control operation across the full product lifecycle and/or end-to-end processes.
• Market Best Practice. Good understanding and awareness of market-standard approaches for risk mitigation and control design and execution. Familiarity with relevant regulation and regulatory expectation across EMEA.
• Senior Stakeholder Management. Proven ability to build positive working relationships with senior stakeholders (e.g. Department Head), able to become a “trusted advisor” whilst maintaining the ability to provide robust challenge.
• Communication. Excellent communication skills. Able to communicate effectively at all levels of the organisation. Able to convey complex topics simply and to articulate issues in a way that eases decision making and drives action.

Specific requirements:

• Experience of a senior leadership role (Executive Director or equivalent) in a risk management and/or control office function in a major financial institution.
• Highly numerate with a strong analytical skill set
• Broad industry knowledge encompassing Operations and/or COO functions gained at major global financial institutions.
• Detailed knowledge of Non-Financial Risks and experience of designing and operating control frameworks to mitigate these risks.

Challenges

The Non-Financial Risk Framework and Three Lines of Defence operating model at SMBC EMEA are relatively immature (when compared to Tier 1 Banks). In addition, EMEA Operations has, to date, not had a dedicated risk and control capability and hence the “risk ecosystem” (including governance and MI) within EMEA Operations is also relatively immature.