Operational and Resilience Risk, Technology Resilience Senior Manager, USA

At HSBC, the health and well-being of our employees remains of utmost importance. Many of our roles are permitted to work from home (in states in which HSBC is licensed to operate) until further notice. Upon resumption of normal operations, this role may be performed at our Buffalo, New York office.

US Operational and Resilience Risk (ORR) is a sub-function of Group Risk. Its purpose is to ensure HSBC understands, and is in control of, its non-financial risk position. In addition, the function provides resilience risk stewardship to US businesses, functions and entities in which the US bank operates.

Technology Resilience is the risk of unmanaged disruption to any IT system within HSBC, as a result of malicious acts (i.e. cyber[1]attacks), accidental actions or poor IT practice (i.e. change control) or IT system failure (i.e. a core network switch failing).

The Technology Risk Senior Manager will serve as a specialist as part of HSBC's second line of defense Operational and Resilience Risk team. The role holder will contribute their expertise in information technology, operations, and cybersecurity controls to provide robust, credible, insightful and constructive oversight and challenge to first line of defense IT stakeholders. The role enables business-facing Operational and Resilience Risk teams to provide tailored expertise to risk owners.

The key accountabilities of the US ORR Technology Risk Senior Manager role include:
  • Risk Management Expert: Experienced specialist in information technology risk management, including cybersecurity principles, cloud strategies and IT operational processes.
  • Risk Taxonomy: Leads the design, socialization, and implementation of HSBC's Information Technology and Cybersecurity risk and control taxonomy.
  • Risk Appetite: Monitor US Resilience Risk Appetite and oversee first line of defense reporting to governance committees. Work with US ORR Business and Functions teams to ensure US businesses understand the impact of any Resilience Risk appetite breaches that require changes to controls, resources and business operations.
  • Risk Policy: Provide subject matter expertise and credible challenge on US Resilience Risk policy dispensations and risk acceptances.
  • Change and Event Incident Oversight: Direct guidance, oversight and challenge on key Information Technology and Cybersecurity Risk issues, material internal incidents, external events, and strategic bank change programs to ensure risks are quantified and appropriate actions are taken.
  • Risk Position and Challenge Papers: Deliver insightful and evidence-based papers pertaining to Information Technology and Cybersecurity Risk positions to US boards, Risk Management Meeting (RMMs), Control Environment Management Meeting (CEMMs), and related forums.
  • Regulatory Awareness: Apply expert guidance on HSBC's adherence to Information Technology and Cybersecurity Risk[1]related legislation and regulations from government organizations, regulators, and industry organizations.

Impact on the Business
  • Provide credible challenge across all information, technology, and cybersecurity risks within USA both enabling business growth while maintaining related risks within appetite
  • Responsible for the review of controls relating to information, technology, and cybersecurity risks
  • Review of internal and external events for their focus area, to disseminate the insight and learnings applicable to key Products and Services across the business
  • Oversee their focus area of 1LOD IT adoption of Standards, Processes and Procedures required to implement the Policy objectives
  • Maintaining on-going visibility of their focus areas' key initiatives and helping to prioritize RR oversight according to IT risk
  • Provide risk opinion, guidance and credible challenge to their focus area on dispensation requests
  • Provide credible challenge of scenario analysis activities for both capital adequacy and IT risk management purposes
  • Provide credible challenge of their focus area in the RCA process and the use of the RR Risk and Control Library to ensure relevant information, technology, and cybersecurity risks and controls are included in the RCA
  • Manage and maintain close oversight on all RR related incidents with a view to provide credible challenge that risk and impacts have been handled effectively
  • Feedback from stakeholders on quality and timeliness of specialist advice and guidance
  • Evidence of RR's contribution to an improving US control environment
  • Internal/External events reviewed and insight shared with 1LoD on time to a quality standard
  • Evidence of challenge, intervention and escalation of significant IT risk issues
  • Evidence of challenge, intervention and escalation of significant control issues
  • Evidence of contribute to Risk Management Scenario Analysis
  • Evidence of challenge of 1LOD risk assessment and respective remediation results in change / improvement

Customers / Stakeholders
  • Influence and provide direction to the 1LOD and ORR Business & Functions team to ensure they fulfil own roles and responsibilities and manage information, technology, and cybersecurity risk according to the Group's frameworks and within stated appetite
  • Build and maintain relationships with external partners, regulators, industry bodies and others to keep up to date with developments
  • Manage relationships with wider ORR team
  • Evidence of timely specialist guidance and support to generalists on the management of resilience risks · Compliance with regulatory requirements
  • Positive stakeholder feedback

Leadership & Teamwork
  • Challenge and influence to ensure specialist advice and guidance is understood and followed
  • Work in conjunction with ORR Business & Functions team and the wider RR Specialist team
  • Support diversity and reflect the HSBC brand and organizational values.
  • Evidence of specialist advice provided and incorporated
  • Evidence of effective team work across the region and countries
  • Positive 360-degree feedback.

Operational Effectiveness & Control
  • Partner with ORR Business & Functions team and 1LOD to identify, measure, mitigate, monitor and report information, technology, and cybersecurity risks
  • Partner with ORR Business & Functions team regarding Implementation of country Internal Audit and ORR recommendations and directions for the improved use of the Risk Framework related to the specialist area.
  • Evidence of risk identified, measured and reported on to the 1LoD
  • Evidence of audit outcomes and alignment to risk framework related to the specialist area

Major Challenges
  • Operating with influence and gravitas across all Lines of Defenses within Global Businesses/Functions and Legal Entities within USA, in relation to the management and oversight of information, technology, and cybersecurity risk
  • Providing clear delineation between accountable activities under operational and resilience risk
  • Maintaining a commercial understanding without compromising standards of internal control and organizational risk appetite in a growing and successful business.

Role Context

Reporting to Head of Operational and Resilience Risk, Technology and Digital, USA, the role holder will maintain close working relationships with the wider ORR team, locally, regionally and globally.

HSBC serves the needs of retail, corporate and institutional clients delivering innovative and integrated financial solutions. The Risk function discharges oversight on the management and monitoring of financial and non-financial risk by the businesses and their support functions.

The importance of non-financial risk and control has increased in recent years and is now the most influential subject for senior management, boards, and regulators. An organization's ability for effective identification, measurement and mitigation of non-financial risk will have a significant impact on the achievement of strategic objectives.

The role has influence over a wide group of stakeholders and employees across the organization.

Management of Risk

Responsible for ensuring awareness of the ORR risk impact associated with the role and must act in a manner that takes account of ORR risk considerations.

Observation of Internal Controls

You will adhere to and be able to demonstrate adherence to HSBC internal control standards. This is achieved by adherence to all relevant procedures, keeping appropriate records and, where appropriate, by the timely implementation of internal and external audit points, including issues raised by external regulators.

Role Dimensions
  • Work closely with all components of the ORR Team.
  • Build effective relationship internal and external to ORR
  • Enhance control understanding across HSBC's Products and Services in USA
  • The responsibility for non-financial risk spans the USA. You may also be responsible for local entity management for other team members outside of your direct reports, according to HSBC local entity management requirements.


Qualifications - External

Employment eligibility to work with HSBC in the U.S. is required as the company will not pursue visa sponsorship for these positions
  • Subject matter expertise in one or more resilience technology risk categories (i.e. cloud technology), including understanding of industry best practices, frameworks, and regulatory guidelines
  • Fluid understanding of risk management principles, including experience with policy development, control definition, and application of controls in a business content
  • Ability to serve as trusted advisor and challenger of first line of defense stakeholders
  • Strong written communicator with demonstrated analytic skills
  • 6-10 years experience in related technology role(s)
  • Bachelor's degree and/or professional certificate in related discipline
  • IT, IT security, an/or risk management certifications preferred (including CISPP, CISA, CISM, CRISC)

Key Capabilities
  • Providing Expert Advice and Robust Challenge
  • Delivering Risk Steward Policies

All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or status as a protected veteran.