About Alliance Bank Malaysia Berhad
Alliance Bank Malaysia Berhad and its subsidiary, Alliance Islamic Bank Berhad, offer banking and financial solutions through their Consumer, SME, Commercial, Corporate and Islamic banking businesses. The Bank provides easy access to its broad customer base throughout the country via multi-pronged delivery channels that include retail branches, Privilege Banking Centres, Business Centres, Investment Bank branches, and mobile and Internet banking.
We are currently seeking a high-calibre professional to join our Group Information Technology (IT) Risk department, under the Group Risk Management division, as an Assistant Vice President, IT Risk (AI & Cloud).
The Role
A successful candidate in this position will be accountable for supporting the IT Risk Department and Group Risk Management on tasks related to the management of enterprise-wide IT risk matters. These include:
- Manage the bank's technology and cyber security risks while meeting business service commitments.
- Review business requests, projects and initiatives while ensuring technology and cyber risks are adequately assessed and mitigated.
- Keep stakeholders abreast of technology and cyber security threats, the effectiveness of current controls and the priority of enhancement initiatives.
- Assess technology and cyber risks, and provide oversight on the implementation of mitigating controls.
- Manage Cloud and AI frameworks and their implementation.
- Review Cloud/AI/Digital/IT infrastructure architecture and design from a risk perspective.
- Conduct emerging technology risk reviews (e.g. automation, biometrics, chatbots, Digital/Cloud/AI design and architecture).
- Develop and implement the appropriate frameworks and policies to mitigate technology and cyber risks for the Group.
Job Description
Independent Risk Reviews
- Bridge the gap between security and business interests across all business functions.
- Conduct independent risk reviews of cloud architecture and AI/ML models, including data residency, encryption, and ethical AI use.
- Perform emerging technology risk assessments (e.g. automation, biometrics, chatbots, generative AI).
- Manage all cloud, digital, and AI-related data reporting to internal and external stakeholders.
- Analyse trends and address anomalies in security statistics across key areas of security monitoring, such as security alert notifications from our SOC, Advanced Persistent Threat (APT) monitoring, DDoS attacks, phishing sites and rogue mobile applications, and in the security-related statistics and Key Risk Indicators used for dashboard reporting.
- Manage third-party risk across the bank's Outsourcing Service Providers (OSP) and IT Service Providers.
- Conduct IT thematic reviews ranging from emerging threats to resiliency (e.g. the Bank's ability to withstand a ransomware attack, system end of life, capacity management, etc.), regulatory concerns, and process effectiveness in the IT security domain.
- Participate and role-play during simulated cyber-attacks/cyber drills, information security incidents and other types of disruption events to test the organisation's cyber capacity by measuring its ability to detect and respond to a security incident.
- Provide recommendations and feedback to improve the capability to comply with BNM's Managing Customer Information and Permitted Disclosures (MCIPD) controls from an IT Risk perspective. Provide security awareness training to RCOs on the MCIPD checklists and guide them on how to comply with them.
Consultative and Advisory Role
- Provide consultative advice and guidance on IT and cyber security related risks and issues, including internal and regulatory guidelines, ongoing IT concerns and BCM/DRP.
- Participate in IT projects and initiatives to assist in managing the IT and cyber risk profile.
- Provide advice and feedback to GIS on penetration testing and IT infrastructure risk reviews.
- Provide consultative advice and guidance to business stakeholders on IT and cyber security related risks via Independent Risk Reviews (IRR) during the review of proposal memos and papers.
Frameworks, Policies and Procedures
- Develop / review the IT Risk Management Framework and other related frameworks and policies for consistent and synergetic implementation across the Group.
- Review and evaluate supplementary policies and procedures on IT risk related matters.
Risk Appetite and KRI Monitoring
- Establish / develop and maintain IT and cyber risk metrics, Risk Appetite Statements (RAS) and Key Risk Indicators (KRI).
- Monitor IT and cyber risk RAS and KRI within the Group.
- Summarize the performance and trends of IT and cyber risk RAS and KRI for periodic reporting to management and board.
Regulatory / Audit Requirements Follow-ups
- Understand the requirements from regulators / auditors and ensure we comply with the regulators' requirements.
- Follow up on issues arising from all regulators' and auditors' requirements and inquiries, including the BCM/DRP requirements.
- Develop / review frameworks and policies on cyber risk and controls, and map the controls to meet the regulatory / audit requirements.
- Understand the requirements, follow up with all stakeholders and provide the necessary information to regulators / auditors / stakeholders in a timely manner.
BAU / Daily Operations
- Where required, perform business continuity management related functions.
- Report daily cyber events to BNM based on analysis of security monitoring results from the Security Operations Centre (SOC), including hacking attempts, malware attempts and DDoS attempts.
- Provide training / guidance to raise awareness and understanding of IT and cyber risk among new staff via the induction programme.
- Operations oversight: review initiatives from operational and business units to ensure the effectiveness of technology and cyber security risk management, including for 3rd party vendors.
- Management of Risk and Control Self-Assessments (RCSA), Control Self-Assessments (CSA), Key Risk Indicators (KRI), and Loss Event Data (LED) for IT risk.
- Review and evaluate supplementary policies and procedures on IT risk related matters.
- Conduct risk reviews and provide guidance and feedback during IT incidents (including Post Incident Reviews (PIR) and technical reviews).
- Report to management and board-level committees on IT and cyber risk related matters via monthly reporting.
Job Requirements
Skills
- Detail orientation and quality in work output
- Customer / stakeholder management
- Time management
- Understand business requests and provide value to business
- Communication skills
- Being organized and structured in carrying out tasks
- Flexibility to change and respond to changing requirements
- Proactive and independent in managing expected outcomes based on historical work practices
Knowledge
- Sound understanding of information systems and security controls, as well as relevant technology solutions that comply with regulatory and banking industry requirements.
- Ability to manage information security and cyber-attack incidents according to industry standards.
- Ability to develop technology and cyber security risk management related frameworks, policies and procedures.
- Regulatory requirements for the financial services industry in relation to technology risk, cyber security risk and the risks of managing customer information, such as RMiT and MCIPD.
- Management of RCSA, KRI, LED, MCIPD and CSA in the banking industry.
Experience
- At least 5 years of working experience in a risk / compliance banking environment.
- At least 2 years of working experience in AI/Cloud/Digital risk and compliance.
- Relevant professional certifications will be advantageous, for example CCSK, CISSP, CISM, CRISC or ISO 27001 Lead Auditor.
- Experience in the banking / financial industry will be advantageous.