Business: Group Risk – SR – Information Security Risk
New or Existing Role? Existing
· The ISR Risk Analyst role is part of the ISR Risk Analysis team within Information Security Risk.
· The role of the ISR Risk Analyst is to assist in the production of timely and accurate reporting on Key Risk Indicators (KRIs) for the GB/GFs and Regions, and to provide analysis of the KRIs and other risk data to highlight areas of concern and changes in the Information Security Risk position.
Impact on Business
· Analysis of the Information Security Risks faced by the GB/GFs.
· Monitoring KRIs and providing updates on changes in the Information Risk position of a GB/GF, region, or country
· Monitoring the GB/GFs' adherence to applicable regulations, and analysing the impact of, and exposure to, upcoming regulatory changes
Customers / Stakeholders
· Liaising with interested parties, including Audit and other 2LoD functions external to ISR such as Operational Risk
· Providing analysis and explanation of the changes in the Information Security Risk position
· Working with the ISR GB/GF Oversight team to provide useful and effective reports on the Information Security Risk position of the GB/GF
· Assisting in the preparation of risk analysis and KRI data for the ISR Assurance Review team as part of the planning and preparation for Assurance Reviews
Leadership & Teamwork
· Collaborating effectively with SMEs from across the ISR teams to understand changes in the Information Security Risk position
· Collaborate with ISR colleagues in other regions and countries to monitor and understand the Information Security Risk position for the GB/GFs
· Work with the ISR Information Managers to support the definition, review and update of the Information Security Risk KRIs
Operational Effectiveness & Control
· To support the rollout and monitoring of a globally consistent Risk Analysis framework that supports ISR's transformation to a global function, including:
o Reducing duplication of effort
o Aligning to a single, global framework
o Supporting a standard, bank-wide risk model
o Driving efficiency and practical improvements through the implementation of global processes
o Standardising and globalising where feasible and manageable, without losing coverage of regional or local processes
· Establishing and maintaining effective communication with other ISR teams, 2LoD functions, Internal Audit, and GB/GF contacts.
· Establish processes to monitor compliance with all relevant country and regional regulations
· Integrate with Risk governance structures to ensure that risk is reported through the correct channels
· Complete other responsibilities, as assigned
· Assist in the identification of data sources, data collection, and definition of the KRIs to provide the GB/GFs with a good set of information risk indicators
· Establish ISR Risk Analysis as a useful resource for the new 2LoD ISR teams
· Create effective relationships with ISR GB/GF Oversight and Regional representatives through the provision of regular and ad hoc reports
· Support the development of an Information Security Risk analysis and reporting framework
· The ISR function is transforming, and this role is being created, in response to four main drivers:
o Bank's realignment around Global Businesses and Global Functions
o Deployment of the Lines of Defence Model
o Need to become more efficient and standardized
o Need to become intelligence led to effectively keep pace with ever increasing and sophisticated cyber threats
· Regulatory punitive damages and censures are possible in the event of Information Security weaknesses and/or failures.
· Potential significant reputational damage, and consequent share price impacts, may result from Information Security incidents.
Management of Risk
· The role is expected to adhere to all relevant FIM policies and operational risk guidelines
· Provide analysis of the exposure of the GB/GFs to information security risks, highlighting vulnerabilities, increases in risk, and risk position on emerging risks
Observation of Internal Controls
· Maintains HSBC internal control standards, including timely implementation of internal and external audit points together with any issues raised by external regulators.
· Monitors adherence to the Information Security Risk policies (B.10.x) in the Global Risk FIM, the effectiveness of controls set up to implement these policies, and adherence to relevant regulations.
Knowledge & Experience / Qualifications
· The role requires a good knowledge of ISR policies and standards
· Should possess good analytical skills to undertake analysis and interpretation of information risk related data, and identify the key trends and changes in the risk position that need to be highlighted as part of Risk Analysis.
· Experience working in a relevant environment, e.g. Information Security, IT Operations, Software Delivery.
· Expertise in a relevant area, e.g. production of Management Information, Analytics, or Risk related activities.
· Able to explain information security risks, and how they apply to the business, clearly and in non-technical language.
· Good technical writing skills to allow the results of risk analysis to be presented clearly, concisely and consistently.
· Have knowledge of ISR’s role within the three lines of defence and the Operational Risk framework
· Able to build connections and work effectively across organisational boundaries as part of a virtual team working on global risk analysis
· When required, able to escalate issues appropriately in order to ensure that remedial action is taken.
· Need to have strong interpersonal skills to build and maintain relationships with a wide range of people involved in risk analysis activities, from data collection to users of the analysis.
· A flexible and adaptable approach to change, supporting others to respond in a similar way
· A flexible and adaptable management style with experience of developing yourself and others
· Professional Security Qualifications such as CISA, CISM, CRISC – preferable
· Operational Risk (Non-Financial Risk) experience
For more information about the relevant additional checks for this role please contact the hiring manager.
We are an equal opportunity employer and are committed to creating a diverse environment.
HSBC is one of the largest international banks, with a presence in more than 85 countries worldwide. It was founded in 1865 under the name "The Hongkong and Shanghai Banking Corporation", and its head office is based in London. In France, HSBC has around 400 branches and close to 10,000 employees, specialising in several activities: a retail bank, specialising notably in wealth management; a private bank (private wealth management); a commercial bank, which draws on the network of the entire HSBC Group worldwide; and a financing, investment and markets bank. In 2012, HSBC France posted a profit before tax of 450 million euros.