Head of Risk and Governance

**Key Responsibilities:
**Drive strong Operational Risk Management practices**
- Proactively manage the risk in the Division/Department to reduce the likelihood or impact of negative impact events.
- Risk management is through the proactive identification of risks facing the unit. Identification techniques range from the formal use of risk management tools (such as Risk Control Self-Assessment) through to the informal recognition of control weaknesses from day-to-day management of a unit. The role holder should ensure that the Division/Department has the appropriate level of knowledge and understanding to ensure that material risks are identified. The role holder also has the responsibility to ensure that identified risks are assessed to determine if they are unique to their area or have wider upstream or downstream implications for the group.
- Risks identified require measurement using the Group’s methodology, rating each of the risks as High, Medium or Low. The role holder should provide guidance to staff who are rating risks to ensure risk ratings agree with definitions in the Group’s methodology.
- Where residual risks require mitigation, action plans should be developed to address the risk permanently where possible. Role holder has the responsibility to ensure action plans are appropriate, prioritized, sustainable and that action plans are closed by the committed due date.
- Responsible to report risks to the Head of Division/Department in a timely manner so that Heads of Division/Department have a clear view of the overall control effectiveness of their unit.
- Execute the operational risk framework of the bank in a robust and disciplined manner so as to achieve sound risk management practices and reporting.
- Operational risk framework includes the following tools but not limited to:
Risk Control Self-Assessment

Operational Event and Loss Data Management

Control Effectiveness Testing

Control Issue Management

New Product Approval

Operational Risk Committees

Key Risk Indicators
- Develop and maintain a robust process to ensure accuracy, completeness, timeliness and quality of data recorded in risk system of record.
- Proactively partner and engage with the second line of defence to achieve an optimal outcome of risk management for the CIMB Group.
- Assist with the coordination of the second line of defence challenge activities.
- Provide constructive feedback to the Operational Risk Department on improvements to the framework.

**Promote and maintain regulatory Compliance**
- Build and execute the compliance risk framework within the Division/ Department in a robust and discipline manner so as to achieve sound compliance risk management practices and reporting.
- Support and lead the Division/Department in relation to proactive identification and management of compliance risk.
- Engage with the business units on compliance and control initiatives with an objective of educating the business to proactively manage their risk and controls by leveraging on the compliance tools:

- Risk Control Self-Assessment
- Control Issue Management
- Loss Event Data Management
- Provide support and advice to the first line of defence in understanding and mitigating the expectation of the regulatory guidelines/circulars/notification.
- Assist the first line of defence in formulating the compliance framework and all regulatory risk associated to the business e.g. to review new/amended regulatory guidelines
- Assist in identification of key risks and remediation of risks relative to new initiatives e.g. submission of proposals, review of marketing materials
- Proactively identify areas with ineffective controls and work with the relevant stakeholders to enhance overall control environment to mitigate compliance risks.
- Conduct gap analysis to identify business risk and control assessments to ensure compliance with applicable regulations.
- Ensure efficient and effective compliance risk management practices are adhered to the required standards and processes e.g. timely reporting in the MSCR, analysis on the root cause of breaches
- Work together with all risk control functions to ensure emerging risks are appropriately addressed and captured in the Compliance Risk Framework
- Maintain tracking of remediation efforts related to review findings and other activities, as and when necessary.

**Champion the risk culture**
- Facilitate strong partnerships across various stakeholder groups, determine best methods of communication and establish escalation model.
- To ensure an alignment of tasks between the 3 lines of defence to minimize overlap or gaps arising during execution of role and responsibilities.
- Compile and analyse risk data for themes and trends; raise awareness of emerging risks in the industry and recommend mitigation measures.
- Ensures that every business and support unit within the Division/Department has a DCORO and the appointment is properly executed via GHR.
- Track and maintain an updated list