at BMO Financial Group in Chicago, Illinois, United States
Job Description
This opportunity will allow you to work on exciting projects within operational non-financial risk and have direct visibility to top leaders within our organization. If you have Third-Party risk management experience especially Third-Party cyber / tech risk and/or cloud risk management experience, consider applying to this dynamic opportunity. Working within a dynamic team, and with engaged 1st and 2nd line subject matter experts (SMEs), you will be responsible for supporting and overseeing Third-Party Risk Management practices at BMO with a focus on Third-Party cyber security and tech risk management practices. Skills and experience in identification, analysis, monitoring and reporting of risks (especially cyber/tech risks) posed by vendors are key to succeeding in this role and we look forward to hearing about your experience in this area.
Mandate:
As part of the 2nd line of defense, this role supports the following primary accountabilities of the Enterprise Third-Party Risk Management team:
+ Provide strategic input into business decisions as a trusted advisor
+ Make recommendations to senior leaders on strategy and new initiatives, based on an in-depth understanding of the business/group.
+ Develop, implement, and maintain the Third-Party Risk Management Framework and other related requirements used across the enterprise to ensure Third-Party Risks are appropriately identified, assessed, managed, monitored, and reported.
+ Provide oversight and 2nd line effective challenge to ensure the Third-Party Risks, especially Third-Party Cyber Security, Cloud and Technology risks are being identified, assesses, managed, and reported in accordance with applicable Regulatory and Governance requirements
+ Act as subject matter expert on relevant Third-Party regulations and policies
Responsibilities:
Provide thought leadership in development of sound Third-Party Risk Management practices
+ Promote and support BMO’s risks culture and operational resilience ensuring employees understand their accountabilities for risk-taking activities as they relate to Third-Party Risk, promoting an environment of open communication and effective challenge
+ Support development of Third-Party Risk Appetite Statements and related metrics for the Enterprise, ensuring compliance with Risk Appetite Framework;
+ Support development and implementation of relevant policies, standards, directives, frameworks and requirements relating to management of Third-Party Risk
+ Provide input on development of Third-Party Cyber Security and Technology related frameworks, processes, and practices
+ Research and provide thought leadership on current and emerging methodologies to quantify Third-Party Risk (and other non-financial risks)
+ Support 1st and 2nd Lines to appropriately identify, assess, measure, and manage Third-Party Risk across their portfolios
+ Collaborate with all risk experts and stakeholders to ensure appropriate coverage and scrutiny of Third-Party Risk (especially Third-Party Cyber Security and Technology Risks) across all risk registers, libraries, forums, and committees
+ Support remediation of Audit and Regulatory issues and findings relating to the design of the Third-Party Risk Management policies, standards, frameworks, and requirements
Provide 2nd line oversight and effective challenge to ensure sound management of Third-Party Risk
+ Provide oversight to ensure that Third-Party Risk across the Enterprise remains within the established risk appetite, and that internal controls are appropriately designed and implemented, and are operating effectively
+ Support development, enhancement and implementation of oversight methodologies that rely on data analysis, data aggregation, trend analysis to monitor the control environment related to Third Parties
+ Support development and implementation of testing methodologies to maintain oversight over Third-Party risk-taking activities, with specific focus on Third-Party Cyber Security and Technology Risks
+ Provide input and effective challenge to ensure projects, initiatives and other change activities appropriately consider Third-Party Risks
+ Provide input and effective challenge over Key Risk Indicators used to monitor Third-Party Risks
+ Provide input and effective challenge to ensure that issues and operational risks events relating to Third-Party Risks are appropriately remediated within set timelines
+ Provide subject matter expertise and guidance on specific operational risk events, recommending solutions for management of Third-Party Risks that are commensurate with the materiality and complexity of the event
Provide effective 2nd line oversight and effective challenge to ensure sound Operational Risk Management within the Procurement
+ Understand industry trends and regulatory requirements relating the Vendor Management, and articulate 2nd Line of Defense positions on these (to share with Senior Leadership and 1st Line Risk Experts of these functions)
+ Provide thought leadership and subject matter expertise on all Operational Risk Categories (AML, Legal, Compliance etc.) for Procurement
+ Provide oversight and 2nd line effective challenge to ensure all operational risks within the Procurement functions are appropriately managed
+ Ensure Operational Risks from risk taking activities within Procurement functions are identified, assessed, measured, managed and reported within a consistent framework of robust internal controls
+ Support development of, and provide effective challenge over development of Process, Risk and Control Libraries for Procurement
Provide subject matter expertise and unique insights
+ Work with Cyber and Technology Risk Management subject matter experts to provide subject matter expertise on Third-Party related elements relating to these risks
+ Gather, assemble and analyze internal and external data to drive unique insights to identify risks, and recommend improvements TPRM management programs
+ Develop and implement relevant parameters for reporting of the Third-Party Risk profiles for individual operating groups and the Enterprise
Relationship Management and Internal Integration
+ Develop and maintain effective relationships with 1st and 2nd line business partners involved in management and oversight of Third-Party Cyber and Technology Risks
+ Build collaborative relationships with Operational Risk Officers, and other risk management groups and subject matter experts across the organization
Promote effective working relationships with Regulators
+ Anticipate and prepare for emerging regulatory developments, and support maintenance effective relationships with regulators
+ Promote communication of regulatory engagement standards and best practices
+ Participate in industry groups to influence development of regulatory requirements
Qualifications:
+ Undergraduate university degree, and Graduate degree or Professional Designation
+ 7-10 years of relevant experience in financial services or supply chain management in other industries
+ In-depth knowledge of Third-Party Management lifecycle and related risk management standards, methodologies, and practices.
+ Experience related to Third-Party Cyber Security and Technology risk management, risk reporting, controls testing, and policy development is an asset
+ Industry recognized qualifications/certification in Cyber Security and Technology Risk Management (CISSP, CISA, CISM, CRISC and/or CTPRP) is an asset
+ Experience in oversight of Vendor Cyber and Technology Risk is an asset
+ Sound knowledge of multi-jurisdictional regulatory environments and trends related to Third-Party Risks
+ Experience with policy writing, data analysis or risk reporting is an asset
+ Experience with business intelligence tools e.g. Microsoft BI is an asset
+ Exposure to retail/wholes
