
Risk Analyst

BNP Paribas

0 - 3 years

Chennai

Posted: 19/02/2026


Job Description

Position Purpose

ITRM is the 1loD, the 1st line of defence in terms of control, and has the responsibility of continuous permanent control. The control framework aims to identify IT and Cyber risks and vulnerabilities and to improve the IT and Cyber robustness and maturity of the entity. In that context, one of the main control activities is to coordinate and execute all the I(nformation) C(ommunication) T(echnology) controls defined at Group level in a Group Control Library. This activity, the ICT control plan, is under the responsibility of the Control and Continuous Monitoring team (CCM). 5 control categories are in scope: IT Change controls, IT Outsourcing controls, Availability and Continuity controls, IT Security controls and Data integrity controls.

2loD is the 2nd line of defence, under RISK responsibility, and runs controls to check, challenge and verify that 1loD has correctly executed its controls and identified IT and Cyber risks. One of these controls is an annual verification and reperformance of the ICT controls executed in Y-1.

Responsibilities

Direct Responsibilities

With CCM, schedule the annual ICT control plans (date and time for each control = campaign)

Prepare each campaign (execution)

- consider the feedback of the annual verification and reperformance of the ICT controls executed in Y-1 in order to avoid the same errors,

- understand the expected evidence for each control point and the results (1, 2, 3 or 4),

- take into consideration sampling rules for some control points,

- identify the executor and validator,

- set parameters in SNOW to run the control execution,

- communicate to the stakeholders all relevant information for the campaign.

Launch each campaign (execution)

- request/collect evidence,

- check/control evidence consistency,

- rate the controls accordingly,

- check existence of action plans for all 3 or 4 results,

- exchange with executor if necessary to clarify.

Prepare each campaign restitution (execution)

- prepare the consolidation of control results,

- with CCM, coordinate the merging of action plans into a generic action plan,

- analyse control results,

- communicate results to the stakeholders.

Draw up lessons learned from the overall annual ICT controls execution

Continuous action: Report all incidents in the process during the execution (coordination)

Contributing Responsibilities

Control campaign coordination

Schedule the annual ICT control plans (date and time for each control = campaign): 5 controls, some of which are executed on a quarterly, biannual or yearly frequency.

Control campaign follow-up and reporting, in terms of both campaign process and control results.
