My Career Development Portal: Wherever you are in your career, we are here for you. Design your future. Discover leading-edge guidance, tools and support to unlock your potential. You are Absa. You are possibility.

Job Summary

Reporting to the Head of Risk and Compliance, the role holder is responsible for ensuring that specific IT risk controls and solutions are applied and that they comply with the Technology Key Risk policy and standards, and consequently meets the businesses requirement and safeguards the Banks reputation.

Job Description

Accountability:  IT Risk Identification and Control Assessment

• Assist in conducting effective local risk assessments to assess all new IT systems or Processes, clearly identifying the risks and issues and the controls and measures required to mitigate those risks / issues.
• Review and identify new risks that may be introduced into the business by any proposed change to IT Systems or Processes
• Assist in undertaking local 3rd Party Due Diligence for critical IT Vendors and Service Providers
• Conduct IT Security Controls Snap checks (CSA) and monitor IT Security activities e.g. application & system controls, physical and logical access security controls, review of disaster recovery and back-up procedures, media storage
• Report on the compliance levels and provide comprehensive MI reporting
• Follow-up on any IT Security weaknesses identified and put in place effective measures to safeguard the bank’s IT resources, information and reputation.

Accountability: Key Risk Monitoring

• Assist in setting and measuring technology risk thresholds and the related key indicators.
• Ensure roles & responsibilities are defined and agreed for metric collation and ownership
• Ensure that Key Risk Indicators are monitored by Technology Senior Management, reasons for out of threshold indicators are defined and remediation is actively monitored.
• Ensure alignment of KRI position and CSA results

Accountability: Event Analysis

• Review major incidents (severity 1, 2 and 3), identify root cause , control objectives and ensure consistency with CSA
• In conjunction with the Group Key Risk Owner, Operational Risk management and the central Technology Risk team define the loss / risk appetite for the country.
• Analyse TKR loss data and conclude on required actions to prevent exceeding loss budget
• Ensure that loss events are correctly attributed to TKR where applicable.

Accountability: Remediation Management

• Ensure action owners compile their own closures and define ongoing management controls
• ensure that defined action plans are agreed with the responsible assurance providers and trackers are defined detailing actions, sub actions, deliverables, evidence, control maturity and action owners.
• Provide regular status update report to senior management commensurate with item status (at risk, on track, overdue)

Accountability: Reporting

• Ensure that all high/medium risk projects in the area are identified and RAG status from a risk perspective is tracked
• Ensure that ORIAs are completed, required actions taken and operational risks being migrated into production are defined, understood, accepted (RFNC) and remediation planned for all high/medium risk projects
• Ensure that high probability and high impact items on top project risk logs have adequate remedial actions defined.
• Be involved in project assurance reviews, as managed by the central project assurance team, where required.

Accountability: Technology Risk

• Risk Assessment and Management: Expertise in conducting comprehensive risk assessments, identifying potential vulnerabilities, and developing risk mitigation strategies.
• IT Audit and Controls: Proficiency in performing IT audits, evaluating internal controls, and assessing compliance with industry standards and regulatory frameworks (e.g., ISO 27001, PCIDSS, NIST, GDPR).
• Security Architecture and Design: Knowledge of designing secure IT architectures, implementing robust security controls, and evaluating the effectiveness of security solutions.
• Vulnerability Assessment and Penetration Testing: Ability to conduct vulnerability assessments, penetration testing, and security code reviews to identify weaknesses in systems and applications.
• Incident Response and Forensics: Understanding of incident response processes, including the ability to investigate and analyze security incidents, conduct digital forensics, and develop incident response plans.
• IT Governance and Compliance: Familiarity with IT governance frameworks (e.g., COBIT) and regulatory compliance requirements (e.g., SOX, PCI-DSS) to ensure adherence to relevant policies and standards.
• Cloud Security: Knowledge of securing cloud-based environments, including understanding of cloud service models (IaaS, PaaS, SaaS), cloud security controls, and cloud-specific compliance considerations.
• Data Privacy and Protection: Expertise in data privacy laws and regulations (e.g., Ghana Data Privacy Laws, GDPR, CCPA) and the ability to assess data handling practices, implement privacy controls, and ensure compliance with applicable regulations.
• Business Continuity and Disaster Recovery: Understanding of business continuity planning, disaster recovery strategies, and the ability to assess and test plans to ensure system resilience and data integrity.
• Emerging Technologies and Trends: Keeping up to date with technological advancements, such as AI, blockchain, IoT, and their associated risks, to proactively identify potential vulnerabilities and security challenges.

Education

Further Education and Training Certificate (FETC): Physical, Mathematical, Computer and Life Sciences (Required)