IT Risk Officer

IT RISK OFFICER (JOB NUMBER: IRO-ML-0123)

This role will oversee and monitor the IT risk management system, with particular attention to the management of major IT risks for Pinnacle Pet Group.

You will be working alongside the CRO and IT General Management team to oversee and monitor the Group IT Risk and Governance Framework and to engage with stakeholders and senior management, for the delivery of controls relating to IT risks on IT Security, IT Continuity, IT Governance, IT HR Management, IT Legal aspects, IT Sourcing / IT procurement, IT Compliance, IT Obsolescence, IT Execution processes, Shadow IT, IT Licenses, Datacenters and IT Outsourcing.

**Key Responsibilities**:

- Ensure reporting to relevant stakeholders for IT risk management those risks that have a “material” impact on the objectives or results, and are of a nature that requires the stakeholder’s attention.
- Identify the means and follow action plans to respond to IT risks, by ensuring the completeness and exhaustiveness of the action plans, ensuring the follow-up of progress, and updating regularly the status of each IT risks in corresponding logs.
- Manage the process for acceptance of IT Risks, ensuring that the non-tolerable IT risks are formally accepted by the relevant stakeholders and monitored following the defined process.
- Oversee and report on the output of control activities relating to IT risk conducted by the first line of defence.
- Analyse the results of the controls to identify specific risks and register them into the IT Risk Register or the Group Risk Register (as appropriate).
- Participate in the work of the IT Risk committee in order to provide to the COO with challenge of the IT Risks status.
- Oversee the closure of recommendations related to the Group issued by the Group's internal or external auditors and / or control functions in accordance with the objectives of risk coverage and planning.
- Monitor the conformity level for all IT governance rules with declaration of any non-compliance.
- Review and assess the analysis of significant incidents by the first line of defence to help estimate the level of operational risk.
- Review the output of IT Risk Maturity Evaluation.
- Review and challenge the IT Risk Mapping.
- Ensure communication and awareness on good IT risk management practices.

**Additional Responsibilities**:
To support and assist the CRO and other members of the Business Risk and Controls team to identify, report, escalate, manage, mitigate and consolidate with all other non-IT risks affecting the business. In particular to
- give the Board of Directors of the Company a clear view of all the risks within individual areas of the business or affecting the business as a whole and information on the mitigation or management of those risks;
- assist in the identification and management of all operational risk incidents with oversight of all actions necessary for closure;
- permit oversight and management of the closure of all internal and external audit recommendations;
- deliver reporting to the Risk & Audit Committee, Executive Risk and Control Committee, Investment & Capital Committee, Underwriting Credit and ALM Risks Committee, Customer & Conduct Committee, Cyber & IT Risk Committee and Vendor Risk Management Forum.

**Key skills**:
**Essential**
- Knowledge of IT risk management and analysis methods
- Good knowledge of IT organisations and professions
- Relevant IT technical knowledge
- Experience with internal / external Security and Governance audits.
- Use of Corporate and Group tools related to IT Risk management
- Ability to conduct professional discussions face-to-face or on the phone
- Ability to adapt communication to material relevant to varying audiences (IT and non-IT), and the situation.
- Be educational and effective in communication
- Have the ability to provide advice / recommendation / judgment by taking a step back and looking at the overall picture
- Ability to identify and engage resources and coordinate their intervention, working in teams and / or across multiple teams.
- Ability to accurately evaluate a situation and facts
- An understanding of best practices for Incident handling, security investigation processes and techniques.
- Experience with the latest information security threats & vulnerabilities and appropriate counter measures,

**Desirable**
- Experience with attack monitoring and Intrusion Detection (IDS/IPS), SIEM, Anti-Virus, WAF, Firewalls, Identity and Access Management (IAM), patch management, and encryption,
- Experience with, and in-depth understanding of security vulnerability tools, techniques, and standards used to conduct penetration testing
- Knowledge of regulations and frameworks related to IT Security and Personal Data Protection will be an asset

**Desirable Qualifications**:

- An understanding of CIS20, NIST, ISO 27001/22301 and SOC 2 frameworks.
- Security related degrees and/or relevant industry qualifications such as CRISC, CISSP, CISA