Head of IT Risk & Governance

Job Overview

The Head of IT Risk & Governance reports to a Co-Head of IT (the Head of Enterprise IT) and is responsible for leading enterprise-wide information technology risk assessment and mitigation activities. The individual in this role will work closely and collaboratively with business leaders and compliance teams to develop, implement, and ensure adherence to policies, procedures and controls. 

The individual in this role will work closely with senior leadership to communicate identified risks and ensure our internal controls are optimally aligned with business goals. They will set out to proactively identify technical risks (both quantitively and qualitatively) and prioritize mitigation activity based on potential impact.

The position will be responsible for policy development related to all aspects of the technical environment. It will oversee all technical aspects of our third-party oversight program, including vendor onboarding, and will work closely with compliance teams in evolving continued diligence processes.

This position will play a key role in enterprise risk management, working closely with the Chief Compliance Officer and risk owners to ensure identified technical risks are understood and mitigated, as appropriate. It will also review opportunities to onboard tooling as needed to support the enterprise risk program. 

Responsibilities:

• Responsible for the identification, assessment and management of technical risk across IT systems and services

• Works closely with business and IT leaders to ensure risk are understood, managed and mitigated aligned with our current risk posture

• Coordinate and communicate technical risk related events to senior leadership

• Create, maintain and implement policies related to IT risk management (vulnerability management, access and identity management, etc.)

• Collaborate with IT and Business stakeholders to enhance firm wide data governance program (classification, retention, and handling)

• Collaborates closely with business leaders to identify and discuss technical risks and their potential impact on day-to-day operations

• Develop and report on key risk metrics and performance metrics

• Collaborate with Compliance to oversee third-party IT risk assessments and with business leaders to discuss and address identified weaknesses (e.g. SOC-1, tabletop exercises, etc.)

• Work closely with Cyber Security team to ensure our controls to identify, respond and remediate threats is aligned to current threat landscape

• Standardize the incident management process to cover incident review, root cause analysis, and oversee implementation of mitigating controls

• Create, develop and maintain operational risk documentation

• Play an active role in responding to client inquiries regarding all technical risk related matters

Qualifications:

• Broad technical knowledge and expertise covering the conduct of business matters, corporate governance matters, cyber security and regulatory risk

• History of implementing technical risk frameworks which consist of acceptance, transference, avoidance and reduction of risk

• Proven experience directly managing, and being accountable for, IT risk (identification, assessment, mitigation)

• Demonstrated success effectively influencing and collaborating with technical and business teams as well as senior leadership

• Understanding of MITRE or similar attack frameworks

• Strong presentation and written and verbal communication skills, including communicating with senior leadership

• Experience with SOC 1, SOC 2, and other control-based reviews

• ITIL certifications or equivalent work experience

• Experience implementing controls aligned to industry standard frameworks (NIST, ISO 27001)

We maintain a friendly, team-oriented environment and place a high value on professionalism, attitude and initiative.