Operational and Resilience Risk, Data Resilience Senior Manager, USA

US Operational and Resilience Risk (ORR) is a sub-function of Group Risk. Its purpose is to ensure HSBC understands, and is in control of, its non-financial risk position. In addition, the function provides resilience risk stewardship to US businesses, functions and entities in which the US bank operates.

Technology Resilience is the risk of unmanaged disruption to any IT system within HSBC, as a result of malicious acts (i.e. cyber-attacks), accidental actions or poor IT practise (i.e. change control) or IT system failure (i.e. a core network switch failing).

The Technology Risk Senior Manager will serve as a specialist as part of HSBC's second line of defence Operational and Resilience Risk team. The role holder will contribute their expertise in information technology, operations, and cybersecurity controls to provide robust, credible, insightful and constructive oversight and challenge to first line of defence IT stakeholders. The role enables business-facing Operational and Resilience Risk teams to provide tailored expertise to risk owners.

The key accountabilities of the US ORR Technology Risk Senior Manager role include:
  • Risk Management Expert: Experienced specialist in information technology risk management, including cybersecurity principles, cloud strategies and IT operational processes
  • Risk Taxonomy: Leads the design, socialization, and implementation of HSBC's Information Technology and Cybersecurity risk and control taxonomy
  • Risk Appetite: Monitor US Resilience Risk Appetite and oversee first line of defense reporting to governance committees. Work with US ORR Business and Functions teams to ensure US businesses understand the impact of any Resilience Risk appetite breaches that require changes to controls, resources and business operations
  • Risk Policy: Provide subject matter expertise and credible challenge on US Resilience Risk policy dispensations and risk acceptances
  • Change and Event Incident Oversight: Direct guidance, oversight and challenge on key Information Technology and Cybersecurity Risk issues, material internal incidents, external events, and strategic bank change programmes to ensure risks are quantified and appropriate actions are taken
  • Risk Position and Challenge Papers: Deliver insightful and evidence-based papers pertaining to Information Technology and Cybersecurity Risk positions to US boards, Risk Management Meeting (RMMs), Control Environment Management Meeting (CEMMs), and related forums.
  • Regulatory Awareness: Apply expert guidance on HSBC's adherence to Information Technology and Cybersecurity Risk-related legislation and regulations from government organisations, regulators, and industry organisations
  • Influencer: Build and maintain relationships with key business and operational stakeholders, serving as a credible challenger regarding HSBC's Information Technology and Cybersecurity Risk treatment.

Impact on the Business
  • Provide credible challenge across all information, technology, and cybersecurity risks within USA both enabling business growth while maintaining related risks within appetite
  • Responsible for the review of controls relating to information, technology, and cybersecurity risks
  • Review of internal and external events for their focus area, to disseminate the insight and learnings applicable to key Products and Services across the business
  • Oversee their focus area of 1LOD IT adoption of Standards, Processes and Procedures required to implement the Policy objectives
  • Maintaining on-going visibility of their focus areas' key initiatives and helping to prioritize RR oversight according to IT risk
  • Provide risk opinion, guidance and credible challenge to their focus area on dispensation requests
  • Provide credible challenge of scenario analysis activities for both capital adequacy and IT risk management purposes
  • Provide credible challenge of their focus area in the RCA process and the use of the RR Risk and Control Library to ensure relevant information, technology, and cybersecurity risks and controls are included in the RCA
  • Manage and maintain close oversight on all RR related incidents with a view to provide credible challenge that risk and impacts have been handled effectively

Customers / Stakeholders
  • Influence and provide direction to the 1LOD and ORR Business & Functions team to ensure they fulfil own roles and responsibilities and manage information, technology, and cybersecurity risk according to the Group's frameworks and within stated appetite
  • Build and maintain relationships with external partners, regulators, industry bodies and others to keep up to date with developments
  • Manage relationships with wider ORR team

Leadership & Teamwork
  • Challenge and influence to ensure specialist advice and guidance is understood and followed
  • Work in conjunction with ORR Business & Functions team and the wider RR Specialist team
  • Support diversity and reflect the HSBC brand and organisational values.

Operational Effectiveness & Control
  • Partner with ORR Business & Functions team and 1LOD to identify, measure, mitigate, monitor and report information, technology, and cybersecurity risks
  • Partner with ORR Business & Functions team regarding Implementation of country Internal Audit and ORR recommendations and directions for the improved use of the Risk Framework related to the specialist area.

Major Challenges
  • Operating with influence and gravitas across all Lines of Defences within Global Businesses/Functions and Legal Entities within USA, in relation to the management and oversight of information, technology, and cybersecurity risk
  • Providing clear delineation between accountable activities under operational and resilience risk
  • Maintaining a commercial understanding without compromising standards of internal control and organisational risk appetite in a growing and successful business.

Role Context
  • Reporting to Head of Operational and Resilience Risk, Technology and Digital, USA, the role holder will maintain close working relationships with the wider ORR team, locally, regionally and globally.
  • HSBC serves the needs of retail, corporate and institutional clients delivering innovative and integrated financial solutions. The Risk function discharges oversight on the management and monitoring of financial and non-financial risk by the businesses and their support functions.
  • The importance of non-financial risk and control has increased in recent years and is now the most influential subject for senior management, boards, and regulators. An organisation's ability for effective identification, measurement and mitigation of non-financial risk will have a significant impact on the achievement of strategic objectives
  • The role has influence over a wide group of stakeholders and employees across the organisation.

Management of Risk
  • Responsible for ensuring awareness of the ORR risk impact associated with the role and must act in a manner that takes account of ORR risk considerations.

Observation of Internal Controls
  • You will adhere to and be able to demonstrate adherence to HSBC internal control standards. This is achieved by adherence to all relevant procedures, keeping appropriate records and, where appropriate, by the timely implementation of internal and external audit points, including issues raised by external regulators.


Employment eligibility to work with HSBC in the U.S. is required as the company will not pursue visa sponsorship for these positions
  • Subject matter expertise in one or more resilience technology risk categories (i.e. cloud technology), including understanding of industry best practices, frameworks, and regulatory guidelines
  • Fluid understanding of risk management principles, including experience with policy development, control definition, and application of controls in a business content
  • Ability to serve as trusted advisor and challenger of first line of defense stakeholders
  • Strong written communicator with demonstrated analytic skills
  • 6-10 years experience in related technology role(s)
  • Bachelor's degree and/or professional certificate in related discipline
  • IT, IT security, an/or risk management certifications preferred (including CISPP, CISA, CISM, CRISC)

Key Capabilities
  • Providing Expert Advice and Robust Challenge
  • Delivering Risk Steward Policies

All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or status as a protected veteran.