WesBank: Operational Risk Specialist (IT)

Posted on: 17 Sep, 2013

Category: IT Jobs in South Africa

Advert Code: 247/13
Segments: WB Risk
Business Units: WB Enterprise Risk
Department: IT Risk
Occupational Level: Middle Management (C1)
Location: Fairland
Role Purpose:

WesBank’s operating environment is driven by technology and automated systems. Given the degree of reliance on these automated systems, a well-defined IT risk management programme that identifies risk exposures, addresses risk and independently reports on the level of IT risk to the organisation is vital. The IT Risk Specialist must engage all stakeholders in the business to ensure that potential risks to the business are identified and managed. The candidate must have a solid understanding of the technical IT environment, spend time understanding the WesBank IT environment and be prepared for robust discussion and challenge from management around risk and the adequacy of the controls in the environment. It is imperative that the IT Risk Specialist assist IT in finding solutions to challenges as they arise, over and above helping IT identify and classify risks appropriately.

Experience:
  • Minimum requirement of a suitable four-year Information Technology and/or IT Risk Management degree.
  • CRISC, CISA, CISSP, CISM, CGEIT, Financial Management recommended
Qualifications:
  • Minimum 8 years' relevant IT, risk, auditing, banking governance and compliance experience.
Role Outputs:

Deliverables in the WesBank IT and Project Risk Specialist Role

IT Environment

  1. Understanding of the WesBank IT environment is critical. Understanding of WesBank IT strategic objectives and imperatives.
  2. Identifying and building working relationships with key internal and external stakeholders for the IT environment.
  3. Evaluating IT processes and actions against the strategic objectives of the IT business unit.
  4. Conducting the risk assessment process within all areas of the IT department; this specifically includes risk identification, analysis and evaluation.
  5. Where risks or weaknesses in controls are identified, items must be escalated to ensure that corrective action is taken.
  6. Where action is not forthcoming these matters must be tabled at the IT Sub-Risk Committee in WesBank for discussion. If the risk is not addressed, these matters must be escalated to the Head of Operational Risk or the CRO.
  7. Monitoring and reporting on the IT Disaster Recovery Plan and the IT Business Continuity Plan.
  8. Implementation of Group Policies; Frameworks; Methodologies and Guidance Notes.
  9. Identifying and escalating where policies; frameworks and procedures are lacking in WesBank and assuring that adequate action is being taken in the IT environment to address and close gaps.
  10. Introduction of best practices that reduce risk or improve process efficiency in the WesBank IT risk environment.
  11. Evaluating and reporting on the processes for change management in the IT environment.
  12. Establish KRI relevant to the IT environment. Tracking and analysing the results of the KRI and presenting these to the Management team.
  13. Monitoring costs against budget, along with monitoring where spend in IT is incurred. Monitoring the balance in spend between Maintenance, Development and Growth and providing quarterly/ six monthly feedback. Can be tracked in the form of a KRI.
  14. Understanding, monitoring and reporting on the Enterprise or Systems Architecture environment.
  15. Monitoring Governance in the IT environment.
  16. Monitoring of the QA testing and Development environment. Ensuring that processes and controls are in place and adhered to.
  17. Monitoring and reporting on critical suppliers to the IT environment.
  18. Monitoring and reporting on WesBank Critical Applications and systems through the use of an IT monitoring plan approved by the CIO/ CTO and CRO/ Head of Ops Risk. Plans must be documented and agreed/ signed off upfront annually.
  19. Timeous preparation, discussion and distribution of reports for WesBank Risk Committee; Combined Assurance Forum, IT EXCO, IT Sub-Risk Committee and respective Group Committees.
  20. Monitoring and reporting on the IT Procurement environment and contract/ SLA management annually at minimum.
  21. Participating, monitoring and reporting on vulnerability testing and management.
  22. Monitor action taken by management to meet deadlines agreed with Internal Audit and escalate expired deadlines to Management.

 

Some generic areas of risk to be monitored and reported on in the IT risk environment are:

  1. Change Management
  2. Incident Management & Investigation – Code Blue, Red
  3. IT Project management
  4. Access Management, Access requests, approval and review, including 3rd party access management
  5. Archiving & Restoration
  6. DR Provisioning, System recovery, Testing, Replication
  7. Software license management
  8. Patch Management
  9. Server commissioning, de-commissioning, maintenance, monitoring.
  10. Network device management & Security
  11. Network configuration & protection management
  12. Network and Perimeter security
  13. Internet and Intranet Application
  14. Virus, Malware, Spyware management
  15. Operating System Management
  16. Database Management
  17. Data Governance

 

Deliverables for the Project Office

  1. Understanding of the WesBank EPO environment is critical. Understanding of WesBank EPO strategic objectives and imperatives.
  2. Identifying and building working relationships with key internal and external stakeholders for the EPO environment.
  3. Evaluating EPO processes and actions against the strategic objectives of the EPO business unit.
  4. Conducting the risk assessment process within all areas of the EPO department; this specifically includes risk identification, analysis and evaluation.
  5. Reporting and Monitoring on the overall Governance process in the Project office.
  6. Implementation and maintenance of the operational risk process and tools in the Project Office.
  7. Where risks or weaknesses in controls are identified, items must be escalated to ensure that corrective action is taken.
  8. Where action is not forthcoming these matters must be tabled at the IT Sub-Risk Committee in WesBank for discussion. If the risk is not addressed, these matters must be escalated to the Head of Operational Risk or the CRO.
  9. Implementation of Group Policies; Frameworks; Methodologies and Guidance Notes.
  10. Introduction of best practices that reduce risk or improve process efficiency in the WesBank EPO risk environment.
  11. Monitoring of project budget against actual expenditure.
  12. Ensuring that project management processes are documented and detailed, for example gateway reviews.
  13. Establish KRI relevant to the EPO environment. Tracking and analysing the results of the KRI and presenting these to the Management team.
  14. Ensuring that a tested and valid BCP is in place for the business.

 

 

How to Apply

Applications accepted until: 20th of Sep, 2013
