Head of Risk, Cyber

Head of Risk – Cyber & Technology

Who we're looking for
We are looking for an experienced cyber and technology risk professional with strong technical skills combined with the ability to communicate with and influence both technical and non-technical senior management.

About Schroders
We're a global investment manager. We help institutions, intermediaries and individuals around the world invest money to meet their goals, fulfil their ambitions, and prepare for the future.

We have around 6,000 people on six continents. And we've been around for over 200 years but keep adapting as society and technology changes. What doesn't change is our commitment to helping our clients, and society, prosper.

The base
We moved into our new HQ in the City of London in 2018. We're close to our clients, in the heart of the UK's financial centre and we have everything we need to work flexibly.

Team Overview
The Non-Financial Risk function is comprised of several key teams:

• Operational Risk
• Cyber, Technology & Resilience Risk 
• Compliance Assurance
• Risk & Compliance Frameworks, Governance & Reporting
• Physical Security

The Cyber, Technology & Resilience Risk team operates as part of the second line of defence, providing oversight across Schroders. This team develops and maintains the tools and frameworks necessary for overseeing cyber, technology, and resilience risks. It collaborates closely with Global Technology, Information Security, and first-line business units to ensure such risks are clearly defined, assessed, managed, and reported.

Key responsibilities include:

• Overseeing cyber risks via the Information Security Risk Oversight Committee and through review of KRIs and KCIs.
• Collaborating with information security teams to ensure effective articulation, assessment, and management of cyber risks.
• Providing oversight of technology risk through risk control assessments and engagement on strategic technology initiatives.
• Monitoring cyber and technology-related risk events to ensure thorough root cause analysis and appropriate remediation.
• Programme management of the annual operational resilience self-assessment cycle, ensuring all in-scope entities self-assessments are board-approved.
• Programme management of the annual Business Continuity programme.
• Undertaking due diligence on critical third-party continuity and resilience capabilities.
• Maintaining and regularly testing crisis and incident management frameworks.
• Responding to client due diligence requests regarding Business Continuity and Operational Resilience.

What you'll do
This position is responsible for managing this team and ensuring its effective delivery of its responsibilities. 

Primary responsibilities include:

• Provide technical 2nd line oversight of Cyber and Technology, ensuring risks are identified and escalated to appropriate senior stakeholders. Work with the 1st line to improve their controls and improve risk management.
• Facilitate the ongoing effectiveness of the Information Security Risk Oversight Committee (ISROC) as the primary governance forum for overseeing the management of Cyber Risk across the Group by:
• Using a risk based approach to identify appropriate topics for inclusion on the agenda;
• Ensuring high quality submissions are provided as requested;
• Ensuring senior stakeholders are fully briefed on key topics prior to the committee; and
• Providing direct challenge to first line senior management at the committee when required.
• Line manage this specialist capability (3 full time staff) to provide challenge and oversight to Information Security and Technology whilst also supporting broader responsibilities for maintaining and enhancing the firm's business continuity and resilience frameworks.
• In response to requests from senior management or governance committees (including the Group Risk Committee and ISROC) undertake risk based reviews of key cyber security and technology processes and controls. Ensuring that findings are appropriately risk assessed and management identify appropriate plans to mitigate the risk.
• Develop strong and effective working relationships across all 3 lines of defence to facilitate effective identification, management and remediation of cyber and technology risks.
• Review and interpret Red/ Purple Team test results identifying key messages and being able to articulate them to non-technical audiences via briefings.
• Demonstrate strong understanding of what are effective response and recovery strategies for cyber incidents.
• Apply insights from experience within leading financial services firms to drive enhancements across cyber and technology risk. 
• Draft entity board-level reports for senior leadership and governing bodies.
• Present confidently at governance committee meetings, when required.

The knowledge, experience and qualifications you need

• Degree-level education.
• At least 10 years of relevant experience in Technology and Cyber Risk, gained in a Control/ Risk function, such as Internal Audit, First or Second Line Risk or Control functions.
• Strong technical skillset in Cyber Risk.
• Financial Services experience, preferably in Asset or Wealth Management.
• Proactive approach with strong written communication skills and attention to detail; ability to produce clear, accurate reports tailored to the audience.
• Strong analytical, logical, and problem-solving abilities.
• Effective interpersonal and influencing skills with a collaborative, team-oriented mindset.

The knowledge, experience and qualifications that'll help

• Relevant technical qualifications in Information Security or Technology Risk for example CISA, CISM or CISSP.
• Working knowledge of Asset or Wealth Management.
• Consulting or Big Four experience.
• Experience in working in a first line Technology or Cyber Security Function
• Experience in Investment Banking or Retail Banking within a first line or second line risk capacity.

We recognise potential, whoever you are
Our purpose is to provide excellent investment performance to clients through active management. Diversity of thought, facilitated by an inclusive culture, will allow us to make better decisions and better achieve our purpose. This is why inclusion and diversity are a strategic priority for us and why we are an equal opportunities employer. You are welcome here, regardless of your age, disability, gender identity, religious beliefs, sexual orientation, socio-economic background, or any other protected characteristic.