Information Security Risk Manager

  • Competitive
  • Edinburgh, Scotland, United Kingdom
  • Permanent, Full time
  • HSBC Bank plc
  • 18 May 19

Role Title: Information Security Risk Manager
Business: Risk Management
New or Existing Role - Existing
Grade: GCB4

Role Purpose

  • To operate at a global / regional or country level as required to manage the overall relationship between ISR and the GB / GF / HTS (Non-IT), providing ISR representation on key committees and assisting the GB / GF / HTS (Non-IT) to remain within their risk appetite.

Key Accountabilities
Impact on Business
  • Liaising with Global/Regional/Country Heads of the GB/GF(s), the Global/Regional/Country BRCM(s) and BIROs to provide updates on information risk and follow up on risk mitigation
  • Assisting the GB / GF / HTS (Non-IT) in defining their information risk appetite
  • Maintaining on-going visibility of GB / GF / HTS (Non-IT) key initiatives and helping to prioritise ISR oversight according to risk
  • Increasing the understanding of information risks within the GB / GF / HTS (Non-IT) by explaining these in plain/business terms and helping them to ensure that these are kept within their risk appetite by recommending mitigating actions
  • Maintaining oversight of Information Risks in the GB / GF / HTS (Non-IT) by reviewing RCAs, MSIIs, Internal Audit findings, BRCM reviews and any other ISR related KRIs to establish risk themes and provide advice on remediation
  • Provide risk opinion and guidance to the GB / GF / HTS (Non-IT) on dispensation requests.
  • Manage and maintain close oversight on all ISR related incidents with a view to provide assurance that risks and impacts have been handled effectively
  • Supporting the GB / GF / HTS (Non-IT) in the RCA process and the use of the ISR Risk and Control Library to ensure relevant information security risks and controls are included in the RCA.
  • Liaising with all Function Heads within ISR

Customers / Stakeholders
  • The role will involve extensive liaisons with senior management in the relevant GB / GF / HTS (Non-IT) and across SR and ISR functions.
  • Building and deepening relationships with key stakeholders at all levels, including Global/Regional/Country Heads of GB/GF
  • Guiding GB / GF / HTS (Non-IT) senior management on understanding and defining a risk appetite
  • Representing ISR on key Risk Management Committees

Leadership & Teamwork
  • Work closely with GB / GF / HTS (Non-IT) management to aid them to manage information security risks within the GB / GF / HTS (Non-IT)
  • Collaborating effectively with SMEs from across the ISR function to understand and monitor the Information Security Risk position within the GB / GF / HTS (Non-IT)

Operational Effectiveness & Control
  • Effectiveness: To work with all areas of ISR locally and globally to develop an engagement framework that allows ISR as a global function itself to:
      • Reduce duplication of effort and ensure best use of scarce ISR resource
      • Have single / globally aligned frameworks
      • Have a single / globally aligned risk model
      • Drive efficiency and practical implementation of global process
      • Standardise and globalise where feasible and manageable without losing coverage for regional or local processes
  • Control: Establish processes to ensure compliance with all internal and external regulations

Major Challenges
  • Building an effective working relationship with the GB / GF / HTS (Non-IT) management
  • Ensuring that Information Security Risk is given appropriate focus by the GB / GF / HTS (Non-IT)
  • Building a network of contacts across SR / ISR in order to be able to provide effective consultancy to the GB / GF / HTS (Non-IT)
  • Embedding and optimising the new GB / GF ISR function into the new Global ISR Target Operating Model by extensively reviewing and improving existing processes

Role Context
  • The ISR function and this role are transforming in response to four main drivers:
      • Bank's realignment around Global Businesses and Global Functions
      • Deployment of the Lines of Defence Model
      • Need to become more efficient and standardised
      • Need to become intelligence led to effectively keep pace with ever increasing and sophisticated cyber threats.

Role Dimensions
  • The role is not expected to have any direct budgetary or line management responsibility

Management of Risk
  • The roleholder is expected to adhere to all relevant FIM policies and operational risk guidelines
  • Assist the GB / GF / HTS (Non-IT) to understand information security risks and formulate and implement effective plans and controls to manage the risks

Observation of Internal Controls
  • Maintains HSBC internal control standards, including timely implementation of internal and external audit points together with any issues raised by external regulators
Knowledge & Experience / Qualifications
  • Have expert and extensive Information Security Risk and Operational Risk knowledge to face off appropriately to the different risk managers in the Group and also external parties.
  • Understanding of the Risk characteristics of key products and channels
  • Be able to implement a vision and strategy for risk capability across the global functions and communicate to key stakeholders including those at C-level and get their buy-in
  • Have significant gravitas that will be obvious to all parts of HSBC, which will enable face off to senior SR managers and GB / GF stakeholders in order to win their confidence and help influence their decisions
  • Knowledge of all major areas of a Global Bank that can span retail, commercial or investment banking products and processes
  • Have excellent communication skills to be able to build relationships with key internal & external stakeholders and be able to implement strategy and vision
  • A change agent who is not afraid to change the status quo in order to drive Group strategy
  • Experience in dealing with complex matters by adopting a pragmatic approach, identifying core requirements from both a security and a business perspective and translating them into simplified activities that address the problem
  • Transformation and change programmes experience
  • Experience in Information Security Risk management processes
  • Professional related security qualifications preferable such as CISM and CRISC
  • Business fluency in English

As a business operating in markets all around the world, we believe diversity brings benefits for our customers, our business and our people. This is why HSBC is committed to being an inclusive employer and encourages applications from all suitably qualified applicants irrespective of background, circumstances, age, disability, gender identity, ethnicity, religion or belief and sexual orientation.

We want everyone to be able to fulfil their potential, which is why we provide a range of flexible working arrangements and family-friendly policies.