Information Technology Risk Manager

3 weeks ago


London, United Kingdom Collinson Full time

Collinson is the global, privately-owned company dedicated to helping the world to travel with ease and confidence. The group offers a unique blend of industry and sector specialists who together provide market-leading airport experiences, loyalty and customer engagement, and insurance solutions for over 400 million consumers.


Collinson is the operator of Priority Pass, the world's original and leading airport experiences programme. Travellers can access a network of 1,500+ lounges and travel experiences, including dining, retail, sleep and spa, in over 650 airports in 148 countries, helping to elevate the journey into something special. We work with the world's leading payment networks, over 1,400 banks, 90 airlines and 20 hotel groups worldwide.
We have been bringing innovation to the market since inception - from launching the first independent global VIP lounge access Programme, Priority Pass to being the first to sell direct travel insurance in the UK through Columbus Direct and creating the first loyalty agency of its kind in the travel sector with ICLP. Today we still invest heavily in innovation to ensure that we continue to deliver superior customer experiences.
Key clients include Visa, Mastercard, American Express, Cathay Pacific, British Airways, LATAM, Flying Blue, Accor, EasyJet, HSBC, Chase, HDFC.
Our mission is focused on doing good beyond profit, which for us means we seek out opportunities for our people to share in our success and that we give back to the communities and people within which we work.
Never short of ambition, the success of our business is delivered through the diverse and talented team of over 1,800 global colleagues.
This role is a crucial part of the first line of defence (FLOD) of the Collinson Insurance organisation.
Providing guidance, expertise and coordinating all FLOD activities to meet regulatory, industry and best practice requirements associated with the technology and data estate for the Insurance organisation.
Acting as the go-to person for IT risk related matters, supporting the Head of Engineering in fulfilling all activities for the FLOD, including maintaining adherence to all IT General Controls, FCA/PRA guidelines, Maltese Financial Services Authority (MFSA) guidelines, and the requirement of the European Digital Operational Resiliency Act (DORA), and related regulations and guidelines. Advocating for all IT risk controls and risk management across the organisation.
Coordination with all internal and external second and third line of defence functions, and other compliance and control functions across the enterprise.
Ultimately, this role is focused on ensuring that all IT and data risks are assessed, managed and their impact reduced, in line with a regulated operating company, and will be responsible for identifying, analysing and influencing the management of information and data risks across the organisation.
• Ensure that the appropriate internal controls are designed, implemented and maintained for all IT and data risk areas.
• Be a key coordinator and contributor to the monthly Technology Risk and Cyber Security working group.
• Report regularly on key indicators and overall health of the IT and data controls framework to committees, boards and 3rd party groups in scope.
• Help educate and consult with the organisation on best practice control design.
• Perform focused information and data risk assessments of existing or new services and technologies, along with business counterparts.
• Actively engage in and contribute to agile planning and design sessions, and help product owners prioritise IT risk, security and data risk items.
• Provide consultative advice to technology, product and service teams that enables them to suggest informed risk management decisions, based on industry best practice, regulatory guidelines and rules and latest legislation, also ensuring security and data protection by design.
• Identify and facilitate implementation of appropriate controls to effectively manage information and data risks as needed. Maintaining and issuing draft policies as needed for the areas in scope.
• Identify opportunities to improve risk posture, developing solutions for remediating or mitigating risks and assessing the residual risk.
• Work closely with other second and third line of defence teams, including Group CISO, Insurance and Group Risk and Compliance and Internal Audit teams.
• Stay abreast of industry-wide best practice, regulatory changes and legislation changes pertinent to all aspects of the Insurance business and direct changes needed to ensure alignment with FLOD activities.
• Seek opportunities to mature the IT and data risk framework and achieve and maintain industry recognised accreditations.
• Ensure robust and effective security and data incident management practices are in place, with continuous improvements sought. Take the lead on incident and problem management of priority (P1 and P2) security and data incidents that affect the Insurance organisation, to their satisfactory conclusion, coordinating with Group Data Protection Officer, CISO and external parties as needed.
• A good practical knowledge of IT security technologies and wider business solutions including Firewalls, IDS/IPS, identity and access management, SIEM, remote working and cloud technologies.
• An understanding of current and emerging information security threats and countermeasures and the organisational challenges to addressing these threats.
• Solid understanding of IT risk frameworks, and practical experience of using and deploying frameworks for business advancement, regulatory compliance and information security management frameworks (e.g.,
• An understanding of legislation and regulations that impact information security e.g.,
• Experience managing security governance within AWS and Azure environments.
• Demonstrable experience in a FLOD role, ideally as an IT Risk Analyst or Manager in a regulated industry, ideally Insurance.
• Evidence of continuous improvements being made in the IT and Data Risk areas
• Ability to communicate security and risk-related concepts to technical and nontechnical audiences.
• The ability to be pragmatic and balance the commercial needs of Collinson with security and data protection requirements.
• Qualification or experience with Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), and/or Certified Information Systems Auditor (CISA) is desirable.
• Ability to identify and assess the severity and potential impact of risks. Communicate risk assessment findings to risk owners outside the cybersecurity and data protection areas in a way that consistently drives objective, fact-based decisions about risk that optimise the trade-off between risk mitigation and business performance.
• An ability to work on several tasks simultaneously and pay attention to sources of information from inside and outside one's network within an organization.
• An understanding of business needs and commitment to delivering high-quality, prompt and efficient service to the business.
• Have good judgment and a sense of urgency, and demonstrate commitment to high standards of ethics, regulatory compliance, customer service and business integrity.
• Excellent written and spoken English
• Ability to bridge communications between technical and business focussed groups
• Ability to build and use positive relationships with your team, business, and technology partners
Collinson is an equal opportunity employer and welcomes differences in all their forms including: colour, race, ethnicity, gender identity, sexual orientation, neurodivergence, family status, age, individuals with disabilities and people from all backgrounds, cultures and experiences as we strongly believe this contributes to our on-going success.
These help guide everything we do internally in terms of how we think, act and interact, right through to how we deliver value to our customers and clients.
We also have our very own Beacons (Domestic Abuse Advisors) supporting within each of our global offices.

Division: Insurance
Role: Tech
Locations: London, Haywards Heath, Malta
Remote status: Hybrid Remote


