Manager, Operational and Technology Risk
Permanent - Full Time
Job Overview
About Mox
Mox is built by and for the ones who aspire to live life to the fullest – we call them Generation Mox! The name Mox reflects the endless opportunities we can create: Mobile eXperience, Money eXperience, Money X (multiplier), eXponential growth, eXploration… it’s all up for us to define together.
Why Mox
Everything at Mox – from our products and features to rewards – is designed based on customer research and tailor-made for your needs. We care about what customers care about, especially in data security and privacy. Data ethics is core to everyone here at Mox.
Mox rewards you with an array of banking and lifestyle benefits. Who says banking can’t be fun?
Who are we looking for?
The Mox Operational, Technology and Cyber Risk (OTCR) organization is instrumental in protecting and ensuring the resilience of the digital bank's data and IT systems by managing operational, technology and cyber risk across the enterprise.
This role reports to the Head of Information and Cyber Security (ICS) Risk. The successful candidate will manage the second line control environment to protect the Bank by keeping abreast of market trends and regulatory requirements.
Responsibilities
· Support the design of the Bank’s second line of defence in managing Operational, Technology and Cyber Risk and implement an Operational and Technology Risk Type Framework (OTRTF) and Information and Cyber Security Risk Type Framework (RTF) tailored to the Bank.
· Drive the implementation of the OTRTF and ICS RTF by facilitating and supporting the compliance by product lines and other stakeholders.
· Cooperate with Legal, Compliance and other risk framework owners to ensure compliance with the policies and standards of the Bank and regulatory requirements.
· Oversee and challenge first line of defence on their risk-taking activities.
· Act as second line to ensure that Operational, Technology and Cyber Risk management processes effectively identify, assess, mitigate, monitor, and report risks in a timely manner.
· Implement control processes, sampling and testing to ensure compliance with the Bank’s control standards, and facilitate the monitoring/collection of any key control or risk indicators.
· Continuously improve the operational efficiency and effectiveness of Operational, Technology and Cyber Risk processes, driving standardisation and automation through process re-engineering.
· Investigate complaints and risk events/incidents and coordinate with relevant parties to perform root cause analysis and risk assessments.
· Provide advice and support to risk owners to implement effective preventive measures and monitoring plans for compliance and risk management.
· Record and maintain operational risk events/incidents.
· Participate in firmwide Operational, Technology and Cyber programs such as business continuity program, disaster recovery operations, impact analysis and awareness/training program for different business streams.
· Represent the Bank on internal and external Operational, Technology and Cyber risk forums/sessions.
· Perform risk assessment for: 1) new products and services; and 2) the continuous monitoring of existing platforms and infrastructure.
· Establish and review appropriate Operational, Technology and Cyber risk tolerance thresholds and follow-up actions. Validate the accuracy of risk appetite metrics and risk ratings as well as process designs to meet policy requirements.
Requirements
· Over 5 years’ aggregate industry experience in Operational Resilience, Technology, Information and Cyber Security and Third-Party Risks (mandatory).
· Experience with ICS, Technology, Third-Party and Operational Resilience regulations (preferably HKMA and SFC).
· Educational background in Computer Science, Information Security, or Engineering.
· Familiarity with the three lines of defense risk model.
· Strong knowledge of cyber security frameworks, information security principles, architecture, and cryptography.
· Familiarity with NIST cyber security framework, NIST information security principles, ISO/IEC 27000-series is preferred.
· Experience in the following areas is important: Information Security, Cyber Security, Technology Risk Management, Cloud Security, Third Party Risk Management, Operational Resilience.
· Experience in the following areas is desirable: Network and application security, data loss prevention, data encryption, identity and access management, vulnerability management, business continuity program and disaster recovery operation.
· Proficiency in the macOS environment.
· Professional Certifications such as CISSP, CISM, CRISC, CISA or equivalent.
· Good written and oral communication, and reporting skills.