Associate / Associate Director, First Line Risk

This is a risk management role predominantly covering Information Security domain (including Cyber Security) and Business Continuity. However, it also touches other non-tech domains such as Third Party risk, Privacy risk, Risk and Control framework, Regulatory compliance review and staff awareness. The candidate will be responsible for providing oversight and advisory in risk-related matters. This role will be the point of contact and provide guidance for matters relating to the above-mentioned domains within the region. One of the key tasks is to coordinate with various stakeholders (global/local) for implementation of global initiatives within the bank. Preparing MIS/Information packs/Reports on a regular basis and presenting the same to senior management.

Information Security and Cybersecurity Management

• Implement Global/Regional Information Security Policies, Standards, Processes & Procedures.
• Systems Security Risk and Compliance Management.
• Execute security assessments (system, business partner, infrastructure, regulatory, other) in line with Rabobank security baselines and relevant technology and cyber regulatory requirements. Assess the residual risk and identify remedial actions. Ensure adherence to global industry standards (NIST, ISO) by participating in the group maturity assessment exercise.
• Coordinate and facilitate system penetration tests.
• Support the security monitoring on a routine basis by covering Data Leakage Prevention (DLP) controls.
• Liaise with the Security Operations Centre (SOC) on security incident and event management, oversight on vulnerability management & accountable for incident response/recovery if necessary.
• Execute both automated and manual system access recertification.
• Validation role in Operational processes (e.g., Firewall rule change reviews, Production data extraction requests, Robotic automation, etc.).
• Supervise IT changes and represent security functions in the change board.
• Participation in cybersecurity projects, enhancements; providing security advisory (i.e., definition of technical solutions to specific security requirements; identifying specific security implications).
• Review and assess new, extension and closure of IT findings.
• Facilitate the IT risk acceptance approval. Evaluate the risk and advise on action plans for non-compliant items.
• Support internal/external and audit requests from the first line risk perspective.
• As the secretary, coordinate and facilitate the Asia CIOO In Control meeting.
• Prepare and present IT, Cyber and Business Continuity Risk Profile to relevant forums and committees for management oversight.
• Monitor and provide regular reporting on security risk and compliance (e.g., IT KRI/KPI, IT Risk Dashboard, Global COO In Control Meeting, Asia quarterly in control, etc.). Provide challenge and escalation as a Subject Matter Expert where necessary.
• Monitor and follow up on open findings under Asia COO domain to ensure closure within the timeline.
• Capable of producing quality MIS/information packs/reporting for senior management.

Regulatory Compliance and Change:

• Monitoring regulatory changes with regards to Technology, Cyber Security and Business Continuity and recommend respective changes and enhancements to the Global/Regional Policies, Standards, Processes, Procedures and Risk and Control framework.
• Remain up to date with Global Policies and Standards; ensure that changes are well understood and align with the regulatory requirements.

Risk and Control Activities:

• Represent as Risk and Control Partner for COO domain. Participate actively in the dynamic risk identification and assessment in conjunction with IT and Operations team.
• Assist with the continuous embedding of the Operational Risk Management framework for Technology, Cyber security and Business Continuity Risk and Control within the Technology and Business Continuity function, in collaboration with the First Line teams and Head Office.
• Perform Control Self-assessment (CSA) testing of the Technology, Cyber Security and Business Continuity controls.
• Promote security, cyber and business continuity awareness within the region.
• Design training and security awareness campaign for IT teams and colleagues.

Business Continuity Management (BCM):

• A member of Damage Assessment Team (DAT) representing Business Continuity domain.
• Act as BC Coordinator (key advisor) for business continuity management and operational resilience in Asia. Linking pin between Asia and Global BCM team.
• Perform oversight of departments' Business Impact Analysis (BIA) and Business Continuity Plan (BCP) annual review. Ensure they are reviewed and up-to-date.
• Supervise IT Disaster Recovery (DR) activities and Business Continuity (BC) exercises.
• Facilitate tabletop/simulation exercises (Cyber, operational resilience) and present the results to senior management.
• Accountable for resilience and risk reporting to head office.

• Minimum of 5 to 10 years' experience in the Information Risk and Security field.
• Experience in Information Security in a financial industry with regional coverage is preferred.
• Involvement in Business Continuity activities would be a plus.
• Holder of professional certification such as CISSP, CISA, CISM, CRISC or equivalent.
• Understanding of banking business and technology environment, application and process.
• Proficiency in deck design for making effective presentations to senior management.
• Understanding of industry standards such as NIST, ISO 27001, etc.
• Strong understanding of requirements from Asian regulators such as MAS, HKMA, CBIRC/PBOC and RBI.
• Demonstrable experience of leveraging best practice and industry standards.
• Understanding of systems development practices and lifecycle management.
• Understanding of IT Governance within an organization including its components, benefits and practices.
• Understanding of the operational processes and technology challenges within the financial industry.
• Ability to deliver clear and effective communication between organizational functions, business units and branches, locally and globally.
• Knowledge of Microsoft 365 platform.
• Microsoft Power Platform (Power BI, Power Apps, Power Automate).
• Proficient in use of SharePoint.
• Understanding of common cloud strategies including architecture and resilience.
• Experience with GRC tool such as Archer.
• Understanding of various security tools such as SIEM, PIM, WAF, Vulnerability scanning & reporting.
• Understanding of the relevant outsourcing and third-party management in MAS and HKMA.

Diversity & Inclusion

At Rabobank Asia, we:

Believe a diverse and inclusive workplace is the foundation of our performance.

Embed diversity in everything we do on a daily basis, whether it be our hiring, culture, development opportunities or our policies.

Value differences in our people which is represented in terms of gender identity, age, sexual orientation, religion, ethnicity, disability, background, education, expertise or character.

Embrace people from all walks of life to build a strong, creative, innovative and dynamic workforce that is reflective of the diversity of our community.

Treat everyone equally so that everyone can be themselves, and each individual feels respected and valued on the basis of who they are.

This is our standard application process. It may vary by role.

Step 1: You Apply

Thanks for applying You will always receive a confirmation of your application by email. We review all the CVs and covering letters that we receive. We will let you know as soon as possible if we invite you for an interview.

Step 2: Interview

We invite you for one or more (online) interviews. We want to know if you fit the role and the team. You probably have many questions for us too. For some positions, we may also ask you to complete an assignment or assessment.

Step 3: Our Offer

Are you the new colleague we are looking for, and do you also feel happy with us? Congratulations You will receive a good offer from us. Before you start, we conduct a legal screening to ensure that our employees do not pose a risk to us and our customers.

Step 4: Welcome

Welcome to Rabobank We look forward to seeing you and can't wait to work together.