Role Title: ISR Risk Analyst
Business: Group Risk – SR – Information Security Risk
New or Existing Role? Existing
· The ISR Risk Analyst role is part of the ISR Risk Analysis team within Information Security Risk.
· The role of the ISR Risk Analyst is to assist in the production of timely and accurate reporting on Key Risk Indicators (KRIs) for the GB/GFs and Regions, and to provide analysis of the KRIs and other risk data to highlight areas of concern and changes in the Information Security Risk position.
Impact on Business
· Analysis of the Information Security Risks faced by the GB/GFs.
· Monitoring KRIs and providing updates on changes in the Information Risk position of a GB/GF, region, or country
· Monitoring the GB/GFs' adherence to applicable regulations, and analysing the impact of, and exposure to, upcoming changes in regulations
Customers / Stakeholders
· Liaising with interested parties including Audit, and other 2LoD functions external to ISR such as Operational Risk
· Providing analysis and explanation of the changes in the Information Security Risk position
· Working with the ISR GB/GF Oversight team to provide useful and effective reports on the Information Security Risk position of the GB/GF
· Assisting in the preparation of risk analysis and KRI data for the ISR Assurance Review team as part of the planning and preparation for Assurance Reviews
Leadership & Teamwork
· Collaborating effectively with SMEs from across the ISR teams to understand changes in the Information Security Risk position
· Collaborate with ISR colleagues in other regions and countries to monitor and understand the Information Security Risk position for the GB/GFs
· Work with the ISR Information Managers to support the definition, review and update of the Information Security Risk KRIs
Operational Effectiveness & Control
· To support the rollout and monitoring of a globally consistent Risk Analysis framework that supports ISR's transformation to a global function, including:
o Reducing duplication of effort
o Aligning to a single, global framework
o Supporting a standard, bank-wide risk model
o Driving efficiency and practical improvements through the implementation of global processes
o Standardising and globalising where feasible and manageable without losing coverage for regional or local processes
· Establishing and maintaining effective communication with other ISR teams, 2LoD functions, Internal Audit, and GB/GF contacts.
· Establish processes to monitor compliance with all relevant country and regional regulations
· Integrate with Risk governance structures to ensure that risk is reported through the correct channels
· Complete other responsibilities, as assigned
· Assist in the identification of data sources, data collection, and definition of the KRIs to provide the GB/GFs with a good set of information risk indicators
· Establish ISR Risk Analysis as a useful resource for the new 2LoD ISR teams
· Create effective relationships with ISR GB/GF Oversight and Regional representatives through the provision of regular and ad hoc reports
· Support the development of an Information Security Risk analysis and reporting framework
· The ISR function is transforming, and this role is being created, in response to four main drivers:
o Bank’s realignment around Global Businesses and Global Functions
o Deployment of the Lines of Defence Model
o Need to become more efficient and standardized
o Need to become intelligence led to effectively keep pace with ever increasing and sophisticated cyber threats
· Regulatory punitive damages and censures are possible in the event of Information Security weaknesses and/or failures
· Potential significant reputational damage and consequent share price impacts due to Information Security incidents
Management of Risk
· The role is expected to adhere to all relevant FIM policies and operational risk guidelines
· Provide analysis of the exposure of the GB/GFs to information security risks, highlighting vulnerabilities, increases in risk, and risk position on emerging risks
Observation of Internal Controls
· Maintains HSBC internal control standards, including timely implementation of internal and external audit points together with any issues raised by external regulators.
· Monitors adherence to the Information Security Risk policies (B.10.x) in the Global Risk FIM, the effectiveness of controls set up to implement these policies, and adherence to relevant regulations.