Description of the Business Line
The Risk Management (RISQ) Division in the UK is independent from the Business Lines. Its mission is to contribute to the development of the SG Group's activity by facilitating the objectives of the Business Lines while maintaining independent oversight through risk evaluation and monitoring.
The mission of the Operational Risk Second Line of Defence department (RISQ OPE) is to provide independent, objective and leading operational risk management challenge and oversight services to assist the firm in maintaining an effective system of operational risk management.
RISQ OPE conducts the oversight of the governance, risk and control frameworks and tolerances of Operational Risk.
RISQ OPE provides proactive advice to help management identify and measure key risks, and to evaluate controls in existing and expanding businesses. A further objective is to support employees and raise awareness of the importance of operational risk management, based on the principle that "everyone is an operational risk manager".
RISQ OPE organises and/or tests the soundness and effectiveness of the operational risk framework, especially governance, risk identification and mitigation, and permanent controls.
Summary of the key purposes of the role
In this role, the Operational Risk Supervisor assesses the First Line of Defence (1 LOD) framework for identifying and managing operational risks, defines and implements the appropriate remediation plan and, where required, challenges the risk acceptance taken by the business line (through governance forums such as operational risk committees, or through normal day-to-day interaction on incidents). This applies to existing business as well as to key projects, and includes conducting analysis and providing an opinion in new product committees.
The Operational Risk Supervisor should also make sure that the first level of control framework (on operational risk) is suitable and effective.
The Operational Risk Supervisor needs to ensure that the processes and governance around operational risk (Incident Collection/Reporting, RCSA, Permanent Supervision, etc.) comply with Group policies and standards. The incumbent will challenge these processes, may conduct investigations and post-mortems, and will follow up on red flags and corrective action items.
Where a major risk is identified, or a risk is not appropriately managed by the department in charge (or no department is in charge), the Operational Risk Supervisor has a duty to escalate the information through the appropriate channel, starting with his/her management.
In the context of the Leadership model, the Operational Risk Supervisor will invest their time and skills in team work, act ethically and with courage, propose new ideas and contribute to change management, and lead by example and through support to colleagues and other teams. All these actions and values will contribute to a positive impact for clients (whether internal or external).
Summary of responsibilities
Primary Responsibilities as a member of RISQ/OPE
• Participate in LOD1 committees such as IT Risk, Information Security and Cyber Security, and understand the operational and cyber resilience exposure of SGLB products, services and processes.
• Evaluate the scope of the information security management organisation and determine whether essential security functions are being addressed effectively in the following areas:
o Implementation of information security architecture, policies and procedures.
o Alignment of information security strategies within business and functional units.
• Provide independent opinion, analysis and expert judgement to RISQ/OPE management, with an assessment of the effectiveness of the following information systems and security management processes:
o Data lifecycle and data protection management.
o Security in the project lifecycle, covering applications and IT infrastructure.
o Access control and user identity management.
o Configuration management of security tooling such as intrusion detection systems, penetration testing tools and anti-malware.
o Information security incident management and security forensics.
• Review the management of information security technologies within SGLB UK, and formally challenge the governance of information security processes, policy enforcement and monitoring.
• Provide advice on proposals or decisions made by business lines concerning processes, tools or solutions for operational risk management.
• Perform independent analysis of the LOD1 reports to provide expert judgement in the areas of IT/cyber incidents, non-compliant information systems, data leakage/breach and non-compliance with the Group's information security policies.
• Assess the robustness and sustainability of the Business Continuity Management (BCM) framework and the governance of the associated processes embedded in SGLB business and functional units. Review the adequacy of the BCP test plan and challenge the test results to assure the effectiveness of the Business Continuity arrangements.
• Develop knowledge (e.g. by participating in industry working groups and forums) and advise on market best practices related to risk management.
• Produce and run the necessary operational reporting and governance for the executive committee, in line with the local risk teams.
• Participate in or coordinate with other second-line teams and third-line exercises, as well as regulator requests on operational risk.