Senior Manager, Security & Technology Risk Management
Location: HK-HongKong-HKG006-One Bay East, 83 Hoi Bun Road, Kwun Tong
Asia IS Risk Management Office
Manulife has established the Asia IS Risk Management Office which governs the overall Information Services (IS) risk management posture that includes Information Security, IS Privacy, IS Compliance, and IS Audit in Asia. It also integrates closely with the Global IS Risk Management Office.
The candidate will be hired and physically located in Hong Kong, reporting directly to Director, Technology Risk Management.
This role will participate in key projects and initiatives ensuring information risk is always considered and managed. He/she will join a vibrant and global information risk management practice and team that works hard to enable and facilitate business while protecting our people and key information assets located in eleven countries. This multi-discipline team pulls together a number of specialties forging strong ties between:
- Information Security and Information Protection
- Threat Management
- Risk & Control Assessments
- Vendor Information Risk Management
- IS Audit and Compliance support.
As Senior Manager, Technology Risk Management will see the role leading the Technology Risk Management (TRM) program for the Asia division. TRM takes a broad view of information security by overseeing vendor and contract risk assessments, governing application security program, and track key risks and remediation status by using Governance, Risk and Control (GRC) systems. TRM coordinates internal audits including annual third-party audits of our key controls. TRM works to ensure information risk management is included and embedded in key processes not limited to Software Development Life Cycles, acquisitions, Finally TRM works closely with senior management via their tracking and reporting functions ensuring timely response to questions from management, the Board and regulators:
- Reducing information risk exposures by introducing a robust enterprise information risk management framework and supporting infrastructure for proactively identifying, managing, monitoring and reporting on critical information risk exposures.
- Develop and govern Application Security program in Asia divisional level, assist on define application security strategy, assessment methodology and framework, with the objective to reduce financial or reputation loss due to a breach resulting from insecure application.
- Coordinate and collaborate with champions in business and Information Risk Management (IRM) teams to manage Application Security program and manage vendor relationship to support initiative.
- Manage third party assessment and vendor life-cycle including onsite and regular assessment based on criticality. Establish on-going enhancement process.
- Manage all IRM aspects of the vendor risk management for existing and new vendors and partners including conducting risk assessments, doing contract reviews, tracking progress, conducting onsite visits when warranted and participating in RFPs when required.
- Manage threat management process to ensure threat is translated to business and potential risks are mitigated by responsible parties.
- Leverage GRC systems to comment on draft standards, track compliance to in-force standards and policies, monitor risk exceptions and acceptances, report on vendor assessments, follow and confirm compliance to regulations, etc.
- Oversee and coordinate IT audits conducted by Audit Services (including Emerging, Project and Key Risk Audits), regulators (e.g. Singapore’s MAS), clients and third party auditors. Help in drafting responses and remediation plans. Ensure evidence is collected and shared in a timely fashion and all outstanding issues are closed on schedule as promised. Manage third-party IT audit engagements when contracted by either division.
- Assist management in implementing the divisional technology risk framework to measure & report on the achievement of information risk management goals.
- Provide add-value analysis on IT deficiencies from Audit and Risk Acceptance reports to identify the root cause, ensure remediation plan is defined and track.
- Collaborate with other IRM teams and professionals including the Chief Information Risk Officer, the Divisional Information Risk Officer, ORM, Compliance, Audit Services, Procurement Office, and peer Technology Risk Management leads across Manulife globally.
- Contribute and shape divisional and global TRM projects and initiatives. Ensure division-specific requirements and needs are accommodated whenever possible and practical in initiatives, projects and services.
- Play as governance role to review IT operation governance processes.
- Provide advisory to business units in Divisions around current and emerging technology risks and their impact to the company’s information risk profile
- University Degree (Computer Science, Business or Finance preferred).
- 6 years or more of progressive experience in one or more of the following disciplines: Information Technology/Systems, Information Risk Management, Project Management, Audits, COBIT, ITIL, SOX, SOC, Information Security ideally with some of that time spent in a large, complex organization.
- Professional certifications or designations in security, IT auditing, risk analysis or investments a plus, but not a requirement.
- Excellent communication skills (oral and written) including presentation skills and demonstrated ability to present at all organizational levels.
- Innovative problem solving skills with the proven ability to exercise flexibility and judgment.
- Ability to learn, know and act upon what’s important to Manulife and the specific business units you support.
- Proven ability to build relationships, engage and influence others, work with a diverse internal and international user community, as well as vendors.
- Strong interpersonal skills, including demonstrated ability to be sensitive and professional when communicating across geographical and cultural boundaries.
- Effective influencing and negotiation skills with the aptitude to achieve consensus in a federated environment.
- Proven ability to work with different global or regional teams to achieve business objectives
- Ability to work independently and collaboratively simultaneously, while managing multiple priorities within tight deadlines.
- Process and results oriented
- Proven ability to analyse information, innovative and make decisions
- Demonstrated strong understanding of IT audit/compliance/risk management processes and methodologies
- Proactive, self-motivated and work independently
- Minimum 5 year of International working experience
- Proven ability to multi-task, manage and work on tasks concurrently
- Good interpersonal communication, management and presentation skills
- Proficient in English, spoken and written
- Security Certifications: CISM, CISSP and/or CISA, but not mandatory
Manulife Financial Corporation is a leading international financial services group providing forward-thinking solutions to help people with their big financial decisions. We operate as John Hancock in the United States, and Manulife elsewhere. We provide financial advice, insurance and wealth and asset management solutions for individuals, groups and institutions. At the end of 2014, we had 28,000 employees, 58,000 agents, and thousands of distribution partners, serving 20 million customers. At the end of June 2015, we had $883 billion (US$708 billion) in assets under management and administration, and in the previous 12 months we made more than $22 billion in benefits, interest and other payments to our customers. Our principal operations are in Asia, Canada and the United States where we have served customers for more than 100 years. With our global headquarters in Toronto, Canada, we trade as ‘MFC’ on the Toronto, New York, and the Philippine stock exchanges and under ‘945’ in Hong Kong. Follow Manulife on Twitter @ManulifeNews or visit www.manulife.com or www.johnhancock.com.
- Certified Information Security Manager (CISM)
- Certified Information System Auditor (CISA)
- Certified Information Systems Security Professional (CISSP)
- ITIL Practitioner Level
- Asset Allocation
- Financial Advising
- Information Security
- Information Technology Infrastructure Library (ITIL)
- Internal Audit
- IT Audit
- Project Management
- Risk Analysis
- Risk Assessment
- Risk Management