CIMB Group

Head, GDAI - Risk Control Unit MY

  • Posted 5 hours ago

Job Description

Purpose of the Role -

  • Responsible for advisory and assurance to ensure the Division/Department maintains an adequate and effective first line of defense based on the compliance and operational risk management programs;
  • Promote and support the Division/Department to ensure adherence with applicable banking laws, rules, regulations and internal policies, procedures and processes. Ensure action plans are developed by the Division/Department to address the risk and control issues;
  • Enable the effective execution of the operational risk and compliance risk framework throughout the Division/Department, with respect to identifying, quantifying, reviewing, evaluating, and mitigating risk to ensure that all compliance and risk categories are identified and managed in accordance with regulatory, internal policies and procedures requirements.
  • Be the first point of contact for the Management of the Division/Department in providing independent advice, support, and assurance for risk & compliance matters within the division/department, integrating business, risk & compliance knowledge. Where operational risk and compliance matters fall beyond the Line 1.5 (RCU Heads) purview, escalate Line 1's issues to Line 2 jointly with Line 1;
  • To support and provide feedback on the standard setting by Line 2 (Risk and Compliance), including providing division/department specific inputs for frameworks, policies, procedures and risk appetite.
  • Responsible for embedding adequate risk culture and providing training on compliance and risk management practices to all staff within the Division/Department
  • Take on an advisory role for the division's regional teams to share best practices in relation to operational and compliance risk management.
  • Provide oversight updates on a regional basis to the relevant governing committee, where applicable

Scope of the Role -

  • Provide independent and active advice, support and assurance for their division/department, to ensure quality and comprehensiveness of risk & issue identification, assessment, mitigation, monitoring and reporting, including compliance to risk appetite, regulations, frameworks and policies
  • Provide independent and active advice, support and assurance for their division/department in the design, implementation and monitoring of controls to mitigate identified risks; Conduct periodic independent reviews and testing of controls to assess their effectiveness and identify potential weaknesses
  • Advise and support Line 1 in assessing the business impact of regulatory changes and changes to CIMB Group Policy and Procedures; Advise and assure Line 1 on the design of the implementation action plan to ensure quality and comprehensiveness
  • Consulted on the standard setting by Line 2, including providing division/department-specific inputs for frameworks, policies, procedures and risk appetite; Line 1.5 should not be expected to take a cross-divisional view, its mandate should only be within its own division/department

Key Responsibilities *

Strategy

  • Review and challenge the division/ department strategy from a risk and compliance perspective in alignment to the risk management framework and ensure implementation adheres to Group Operational Risk Management Framework, Policy and Standards.
  • Support and facilitate the roll-out of the Group-wide risk frameworks, policies and procedures for the division/ department and provide advice, assurance and validation to ensure the risk management SOPs and divisional control frameworks, policies, and procedures are defined comprehensively and adhere to Group-level risk frameworks, policies and procedures
  • Act as the first point of contact for Line 1 in providing advice, assurance and validation to the division/ department to ensure the risk management SOPs and divisional control frameworks, policies, and procedures are defined comprehensively and adhere to other Group-level risk frameworks, policies and procedures

Culture and Training

  • Provide advice and assurance to the division/ department in monitoring, reporting and escalating any risk culture issues/ updates (including initiatives to address identified risk culture areas for improvement) to Line 2, management and/or relevant risk committees, to ensure that it operates within the risk and compliance culture framework
  • Promote risk and compliance culture and awareness within the division/ department to uplift outcomes through initiating and participating in relevant initiatives, including conducting division/ department-specific risk and compliance training/ workshops (e.g. for procedural guidance) and increased risk communication within the division/ department
  • Monitor, report and escalate relevant risk culture items to Line 2, management and/or relevant risk committees

Risk Appetite

  • Provide oversight on the BUs' setting of BU-level risk thresholds and other related metrics (e.g. limits, risk metric tolerances), ensuring that they are within the Bank's / Group's risk appetite and Management Risk & Compliance Collective Scorecard
  • Provide oversight on the BUs' management of risk to ensure that they operate within the BU-level risk thresholds and Group-level risk appetite
  • Provide advice and assurance to BUs to support development of remediation plans
  • Provide input and feedback to Group Risk appetite setting as required

Risk Governance (for NFRM)

  • Attend, report to, and escalate where appropriate to the risk committees for division/ department related matters, based on the committees' pre-determined function and role, reporting relationship (e.g. parent or delegated committees), frequency and composition
  • Provide SME risk advice and assurance to the division/ department in the preparation and presentation of materials to relevant risk committees, including validating the materials to ensure quality, accuracy & thoroughness
  • Liaise with Line 1 and 2 to cross-check division/ department and Group-level findings, insights, and analysis to ensure consistency and unified risk representation when presented to committees

Risk identification and assessment

  • Provide advisory and assurance that risks have been appropriately and thoroughly identified by division/department and correctly logged as part of RCSA, including challenging the Line 1 on whether all the material risks have been identified (e.g., verify the identified risks by Line 1 against the Group Risk Library, past LEDs & RCSAs, MRA exercise etc)
  • Ensure risk identification and assessment is done in a complete, accurate and timely manner that conforms to the SOP and templates; includes verification for RCSA (e.g. verify inherent risk rating assignment by Line 1 based on their documented rationale / evidence)
  • Provide advice and assurance to the division/ department by supporting it to:
      • Identify, assess, monitor and respond to emerging risks
      • Verify relevant risks/controls impacted by regulatory change are accounted for and implement action plans to address the changes
  • Provide assurance that risks have been appropriately and thoroughly identified by Line 1 and correctly logged as part of RCSA, including challenging Line 1 on whether all the material risks have been identified (e.g., verify the identified risks by Line 1 against the Group Risk Library, past LEDs & RCSAs, MRA exercise etc)
  • Drive consistency of approach in the assessment and management of risks across the division/ department by ensuring Line 1's adherence to relevant risk assessment procedures (e.g. RCSA)
  • Advise the division/ department to ensure timeliness and quality of risk identification, act as the first point of contact for Line 1 for any risk and compliance matters
  • Provide advice and assurance to the division/ department to (a) determine how changes in regulations will impact the business and control environment, (b) verify that the gap analysis performed is comprehensive (e.g., ensure all relevant risks / controls impacted by the regulatory change are accounted for), and (c) design and implement an action plan to address the changes

Controls definition, execution, & assurance

  • Provide advice, assurance and validation to the division/ department to:
      • ensure the respective division/department Control Framework, Policy & Procedures and SOPs are defined comprehensively as per risk and compliance requirements
      • ensure that the division/ department adequately balances its needs with risk and compliance management requirements in terms of control design, implementation and operationalisation
      • ensure the RCSA is completed in a timely and correct manner across risk identification and risk assessment; provide the first layer of challenge to Line 1 for RCSA outputs that do not conform to requirements (including whether any material items are left out)
      • define, execute and document an assurance plan covering key controls by Control owners
  • Identify any controls that are not adequately covered within the Group Controls Library (incl. any flagged by Line 1) and escalate them to the Library owner
  • Maintain a list of division/ department specific non-library controls, created by exception due to specific local regulatory, legal or business requirements (relevant once Group Controls Library has been implemented)

Monitoring and reporting

  • Provide advice and assurance to the division/ department in designing and implementing its monitoring activities and its compliance with regulatory and policy obligations, and monitor progress towards mitigating risks
  • Perform periodic independent reviews (e.g. Line 1.5 Assurance as part of RCSA) to assess if there are deviations to key controls, and to flag them to Line 1 for remediation if found
  • Provide SME risk expertise, input and advice to support the division/ departments in reporting to Line 2, management, Board, Regulators and other external stakeholders
  • Prepare reports based on the reviews to objectively assess the underlying quality of and thematic weaknesses in the division/ department's risk management practices, including adherence to relevant policies and data quality, as well as reports requested by the Division Head / CEO on the risk position of the division

Action and responses

  • Provide advice and assurance to support Line 1 activities, with focus on:
      • validating LEDs & KRIs before submission by Line 1 to ensure that they are submitted with quality, in a timely and accurate manner, so that CIMB meets Operational Risk regulatory reporting requirements
      • ensuring the Root Cause Analysis performed appropriately identifies the underlying reasons for the control breakdowns / deficiencies
      • validating CIMs before submission by Line 1 to ensure that they are submitted in a timely manner with action plans appropriately addressing the risk issues and control gaps
      • supporting the division/ department in the tracking, monitoring, governance and reporting of regulatory commitments, as well as identifying regulatory commitments at risk of falling overdue and escalating them to relevant stakeholders
  • Authority to make the final decision on which stakeholder within the division/ department owns the LED and/or compliance breach
  • Act as an escalation point for the division/ department to Line 2, playing a key liaison role to facilitate communication between Lines 1 & 2
  • Perform thematic incident cause and controls breakdown analysis at a division/ department level
  • Provide advice and assurance to the division/ departments in identifying, assessing, escalating and remediating compliance breaches

Employee Engagement and Development

  • Monitor performance of the relevant RCU team and QA testers' KPIs, including soliciting and incorporating performance feedback from the Head of Group ORM and Head of Group Compliance
  • Develop direct and indirect subordinates' training needs and development goals to ensure each team member has the necessary skillsets to execute their functions and grow in their roles.
  • Provide timely feedback to staff and complete appraisal processes in line with CIMB process.
  • Comply with HR performance processes and meet internal KPIs
  • Attract, develop and retain talent by ensuring constant engagement surrounding risk & compliance related agenda
  • Through leadership by example, actively work to create an environment for the team that encourages open and honest dialogue and escalation of issues.
  • Ensure that every business and support unit within the Division/Department has appropriate RCS, DCORO and QA testers and that the appointment is properly executed via GHR
  • Track and maintain an updated list of the RCU team members (onboarding and offboarding) within the Division/Department

Key Dimension of Impact *

i.e. Financial/Non-financial targets [To be updated by BU/BE]

Job Specification *

Qualifications

(Basic Degree/Diploma etc.)

A Bachelor's Degree/Diploma in Information Technology, Computer Science or equivalent.

Professional Qualification And/or Regulatory, Licensing Requirements

  • It will be advantageous to have professional qualifications:
      • Data/Technology: CISA, CDPSE, CIPP, CRISC, CISM, CISSP, AIGP
      • Compliance or Risk: ICA CRC or regulatorily recognized accreditation

Relevant Work Experience

  • Extensive experience with large-scale environments, including an in-depth understanding of IT and business applications and systems.
  • Minimum 10 years work experience with relevant experience of IT, Data or Operations risk/audit/compliance related role within the relevant business/function preferred
  • Good knowledge and grasp of banking practices and products at a higher level and awareness of the BNM policies/guidelines and other regulatory framework

Required Competencies and Skills *

Competencies/Skills

(Essential to succeed in this job)

  • Excellent communication skills, both verbal and written.
  • An understanding of risk drivers and ability to articulate risk to non-risk personnel.
  • Knowledgeable about the regulatory compliance and risk management aspects of data, technology, and privacy
  • Able to work autonomously
  • Demonstrated managerial, leadership and facilitation skills
  • Knowledge of the banking processes

Job ID: 145204685