Etiqa Insurance and Takaful

Head, Technology Risk Management

  • Posted 29 days ago

Job Description

The Head of Technology Risk Management supports the Chief Information Security Officer by overseeing the end-to-end technology and cyber risk management lifecycle, including risk identification, assessment, treatment, and monitoring. The role is responsible for evaluating technology and cyber risks that may impact the organisation's profitability, service delivery, customer experience, regulatory compliance, and reputation. This position leads risk assessments across all internal systems and external third-party environments for MAHB entities in Malaysia and Singapore, as well as regional EIH entities. It ensures consistent risk ratings and provides clear recommendations to avoid, mitigate, accept, or transfer identified risks. Serving as the single point of contact for all technology risk matters, the role enables informed decision-making, strengthens governance, and enhances overall organisational resilience.

Requirements & Responsibilities

  • Possesses a Bachelor's Degree in Information Technology, Computer Science, or equivalent, with a minimum of 10 years' experience in IT Risk.
  • Technology Risk Governance - Provide the Board of Directors and Senior Management with clear visibility of the organisation's technology and cyber risk profile, ensuring appropriate controls and risk treatment measures are in place. Support business owners in managing technology risks in accordance with the enterprise risk management framework, including risk ownership, controls, and mitigation tracking. Review the effectiveness of risk controls and limitation strategies to ensure continued alignment with the approved risk appetite. Ensure alignment between technology risk appetite, organisational objectives, and stakeholder obligations. Consolidate business, project, and IT risk perspectives to deliver a holistic view of the IT risk landscape across Etiqa and its regional entities. Apply industry-recognized risk frameworks, comply with Bank Negara assessment requirements, and collaborate effectively with internal and external auditors.
  • Cyber & Technology Risk Assessments - Conduct Cyber, Technology, and Third-Party Risk Assessments (CRA, TPCA, TechRA) across outsourcing service providers, third-party vendors, and Tier 1 systems, identifying risk gaps, defining findings, ensuring clear mitigation actions, and guiding relevant parties on regulatory and Group IT Security policy requirements to ensure adequate controls are implemented.
  • Stakeholder Engagement - Collaborates with key internal stakeholders including the CTO, Group CISO Office, IT Security, Chief Risk Officer/ERM, Compliance and Legal Teams, Internal Audit, Business and Product Owners, IT Operations, Project/Transformation Teams, and the Board Risk Committee/Executive Management on technology risk oversight, controls, and governance. Engages external stakeholders such as regulators (e.g., Bank Negara Malaysia), external auditors, third-party vendors, cloud service providers, and risk advisory consultants to ensure effective risk assessments, monitoring, and compliance.
  • Risk Oversight and Governance - Ensures robust technology and cyber risk governance by implementing consistent risk frameworks, monitoring controls, and providing the Board and Senior Management with clear visibility of the organisation's risk profile to support informed decision-making.

Job ID: 140004005
