Head of Risk Orm, Wm Apac

What is this position about?

RISK Operational Risk Management (RISK ORM), created early 2021 to oversee operational risks within the mandate of the RISK function, is organized, under the responsibility of the Group Chief Operational Risk Officer (Group CORO), around 3 Poles: RISK ORM Framework, RISK ORM Technology & Transversal Risks and RISK ORM Network.

The Head of RISK ORM, WM APAC, whose missions align with the overall missions of RISK ORM, reports locally to the Chief Risk Officer (CRO), WM APAC and globally to the Head of RISK ORM, WM GAIM, while maintaining an effective collaborative link with the Head of RISK ORM, APAC Region.

The Head of RISK ORM, WM APAC represents the 2nd line of defense for WM APAC entities, including WM ISPL, with regards to all operational risks within the mandate of the RISK Function in APAC, including but not limited to operational controls of major WM APAC IT & Operation processes, credit processes, the technological risks (e.g. fraud risks, outsourcing risks, cyber risks) and personal data protection risks, etc.

To achieve his/her missions, the qualified incumbent also coordinates and collaborates with RISK ORM WM GAIM and RISK ORM APAC Region transversal experts (ICT, Third Party Risk Management, Fraud and Data Protection, etc.) to secure the best usage of resources depending on the topics and locations.

What would be your typical day at BNPP Paribas look like?

Primary Roles and Responsibilities

Under the authorities of the CRO WM APAC, the Head of RISK ORM, WM GAIM, and a close collaborative relationship with the Head of RISK ORM, APAC Region, the Head of RISK ORM, WM APAC has primarily the following responsibilities:
1) Supervise the deployment of the operational risk management framework of WM APAC (including WM ISPL). This includes in particular:
a. Pilot the change by putting in place the major transformation programs, especially those linked to a recommendation from the Supervisor or to compliance with a regulatory provision (e.g. Control Monitoring Program, Third Party Risk Management, operational resilience, Cyberfraud Program, Cyber Program, Data Leakage Protection Program);
b. Ensure that operational risk regulations, norms, guidelines and methodologies are understood and implemented over time within WM APAC (e.g., Risk and Control Self -Assessment [RCSA] and Incident check & challenge);
c. Carry out and supervise second line controls;
d. Carry out and supervise Independent analysis;
e. Entrench the use of Group operational risk management tools (e.g., 360 RiskOp) and related reporting;
f. Ensure, as far as operational risks are concerned, an appropriate ORO resources allocation across the Entities of the perimeter (including WM ISPL);
g. Implement the decisions taken in terms of operational risks by the CRO of WM APAC, the CRO of WM GAIM, the APAC CRO or the Head of OROs of WM GAIM;
h. Ensure that the decisions made by the CRO of WM APAC, the CRO of WM GAIM, the APAC CRO or the Head of OROs of WM GAIM in terms of operational risk are well-applied within the Entities (including WM ISPL);
i. Define and implement risks/stakes adapted information flow to inform the management, especially in regard to alerting the CRO of WM APAC, the APAC CRO the Head of OROs of WM

GAIM or the Head of the RISK ORM APAC on notable events and the related potential remediation actions;
j. Participate to the crisis management following an operational incident.

2) Build, in the framework of the associated Governance (e.g.: internal control committee of WM APAC in the presence of the CEO of WM APAC), to the attention of the CRO of WM APAC, the CEO of WM APAC, the Head of OROs of WM GAIM, and the Head of RISK ORM, APAC Region, a vision of the operational risk profile of WM APAC (containing technological risks and including WM ISPL), including in particular:
a. An opinion, based notably on 2nd level controls and independent analysis carried out by the second line of defence, of the robustness of the system put in place by the first line of defence

(organization, procedural corpus, identification of processes and associated risks, robustness of the control framework put in place, incident management, feedback, taking into account

permanent control actions and general inspection recommendations, processing of exemptions, etc.), which may, if necessary, lead to permanent control actions;
b. A qualitative and quantitative monitoring of historical incidents, including in particular an analysis of the most important of them and supervision of the associated action plans, concerning the following risks:

- Fraud, including cyber-Fraud
- Safety of people and properties
- Deterioration of assets
- Outsourcing, including IT outsourcing
- Business continuity
- Technological risks: cyber-attacks, data integrity risks, ICT change risks (Projects and IT organisation, vulnerability management, identity & access management,), risks linked

to Cloud, digital assets & emerging technologies, data l