Role purpose

The GCIO Chief Control Office (CCO) team plays an important role in enabling the bank to operate within its risk appetite by ensuring efficient and effective risk and control management. We do this by providing operational risk and control expertise, specialist technical knowledge and a deep understanding of the businesses and functions we serve. Key activities include implementation and oversight of the Groups Risk Management Framework, ongoing and targeted controls assessments, implementing and maintaining robust risk governance, and championing a proactive risk culture. GCIO CCO works closely with partners across all lines of defense and is responsible for maintaining positive relationships with our regulators and external partners.

Main activities:

• Review Technologies CyberSecurity (TCS) Global Risk Appetite Statement (GRAS) and Key Control Indicators (KCIs), assess risk impact, and align stakeholders to deliver the compliance trajectory for the Latin America Region (LAM) technology estate.
• Monitor LAM Technology consumed position, identify remediation owners, and drive required control uplifts to reach target compliance.
• Act as a trusted adviser to senior management on operational risk management (risk assessments, control environment, issues management).
• Partner with Regional Risk Owners/Business Risk Teams to communicate control effectiveness, key issues, and remediation timelines.
• Keep senior management informed on policy changes and operational risk-related projects impacting their area.
• Lead thematic reviews and read-across activities across control domains to identify systemic risks and recurring issues.
• Support risk & controls governance submissions and management reporting.
• Support sustainable issue closure, including quality closure evidence and formal concurrence for Very High / High / Medium issues.
• Ensure issues and events are proactively captured in Helios with robust detail (impact assessment, success criteria) and clear control linkages.
• Drive consistent responses to Internal and External Audit and coordinate cyclical regulatory reviews, including horizon scanning for emerging regulatory expectations.

Requirements

• Solid and proven hands-on experience with one or more or the control capabilities in the Technology and Cyber Risk domain either directly or as a 1/2/3 Line Of Defense control management function.
• Solid and proven hands-on experience and subject matter expertise in management, of operational risk, non-financial risk and/or technology and information security risk.
• Previous experience across IT, Operations, Risk Management, and / or Audit roles requiring management of diverse risk types is desirable.
• Previous experience of identifying, defining and solving problems that have impact on your work or the wider business. Ability to present complex issues concisely to senior partners using non-technical language.
• Active industry recognized certificates such as CRISC (mandatory)
• Active industry recognized certificates such as CISA, CISSP, CCSP etc. (or anything related to ISACA methodology is desirable)
• Financial Services or other highly regulated industry experience/exposure is preferred including experience dealing with regulatory bodies and engagement
• Strong managerial skills, written and verbal communication skills to influence and challenge stakeholders, analytical, problem-solving, organizational, lateral thinking and interpersonal skills.
• Experience working with local, regional and global stakeholders and an understanding of global standards of quality
• Business Proficiency in English. Fluent in both oral and written English is mandatory.

HSBC is an equal opportunity employer committed to building a culture where all employees are valued, respected and opinions count. We take pride in providing a workplace that fosters continuous professional development, flexible working and, opportunities to grow within an inclusive and diverse environment. We encourage applications from all suitably qualified persons irrespective of, but not limited to, their gender or genetic information, sexual orientation, ethnicity, religion, social status, medical care leave requirements, political affiliation, people with disabilities, color, national origin, veteran status, etc., We consider all applications based on merit and suitability to the role.