Third Party Risk Management Officer

Employment contract:

Permanent

Location:

MADRID, Madrid, Spain

Job/mission:

RISK

Reference:

12355700

Business Area Overview

RISK Operational Risk Management (RISK ORM) CIB belongs to the second line of defence of BNP Paribas Corporate and Institutional Bank (CIB). It belongs to the Risk Function (RISK) of BNP Paribas and is placed under the responsibility of the Chief Operational Risk Officer (CORO) for CIB.

The department has responsibility for independently challenging and supervising the Operational Risk management of CIB activities (Global Banking, Global Markets, Securities Services, IT, Operations, Functions) on a worldwide scope. This is achieved through: framing the operational risk methodology for CIB and disseminating a risk management culture across CIB; assessing the adequacy of the CIB operational risk management set-up; controlling the effectiveness of the CIB control environment; contributing to the detection, anticipation and response to risks; alerting CIB and RISK stakeholders on any significant risk issue; providing a consolidated view of the CIB operational risk profile.

As the second line of defence (2LoD) for Information and Communications Technology (ICT) risks and Third Party (TPRM) risks (which are operational risks), RISK ORM has the responsibility to identify the key technology and third-party risks of the Bank and to influence Business, Functions and technology partners to make sound risk management decisions, working with the main Businesses and Functions teams.

Key Responsibilities:

The candidate will be responsible for supporting the RISK ORM CIB TTR TPRM Risk Manager in the development and implementation of the EMEA Third Party Risk Management (TPRM) program, including ICT and non-ICT third parties, and for performing the following main missions, assessing Third Party risks and providing advice to the BNP Paribas Business Lines (BL):

Framework: to assist the RISK ORM CIB TTR TPRM Risk Manager in the review, analysis and challenge of the CIB EMEA TPRM risk management framework and in particular the Group Policy pertaining to Outsourcing Risk Management and the Risk Management of External Suppliers, consistently with RISK ORM CIB TPRM guidelines, and validate any exemption to these norms & standards.

Risk Identification & Assessment: to assist the RISK ORM CIB TTR TPRM Risk Manager in challenging and verifying the first line of defence (1LoD) CIB EMEA risk identification, ensure the consistency of potential incident quantification, conduct independent TPRM risk assessments (incident review, post mortem analysis), and validate the closure of permanent control actions (controls implemented by 1LoD).

Risk Treatment & Decision: to assist the RISK ORM CIB TTR TPRM Risk Manager in overseeing the risk treatment process (risk acceptance, risk transfer, risk remediation) performed by CIB EMEA (BNP Paribas Entities and their Departments), jointly participate in co-decision Committees (e.g. NAC/TAC or similar) and/or share an opinion on the TPRM risk exposure with RISK ORM CIB TPRM Management and 1LoD Management. Oversee the action plans defined to mitigate risk and to implement the conclusions and recommendations of Internal Audit, Regulators and other resolution authorities.

Testing: to assist the RISK ORM CIB TTR TPRM Risk Manager in the preparation of / contribution to the development of RISK ORM CIB EMEA TPRM independent testing controls, in the execution of independent testing plans and Risk and Control Self-Assessment independent re-testing, to challenge 1LoD controls and oversee/perform 2LoD tests when required, and to support the wider RISK ORM community globally in defining better maturity models for independent testing.

Plan: to assist the RISK ORM CIB TTR TPRM Risk Manager in the identification of the main Third Party risk priorities and support the definition of the approach to perform the work in line with the BNP Paribas framework, manage the relationship with stakeholders, and ensure the agreed deliverables are met.

Risk Reporting, Monitoring & Alert: to support BNP Paribas Management and the RISK stakeholders on incidents and crisis management (e.g. security events); to alert RISK ORM CIB TTR TPRM Risk Manager on critical points for attention to be raised to RISK ORM CIB and Senior Management.

Awareness / Training / Animation: to assist the RISK ORM CIB TTR TPRM Risk Manager in promoting and driving awareness on TPRM in EMEA; to assist in organising risk meetings, forums and committees with community members.

Skills & Experience Required:

The successful candidate will have exposure to implementing risk management programs in global organisations, with good knowledge of technology, risks, architectures and related tools. Prior Third Party Risk experience (Outsourcing, Vendor management, IT, Cyber, etc.) and exposure to the Financial Services industry are a must. Experience with GRC tools and other risk management information systems is preferred.

Negotiation, Conflict Management and Presentation skills are necessary. Experience interacting with regulatory agencies is a plus.

Specific requirements:

  • 4+ years of experience specifically in third party and technology risk assessments.
  • Bachelor's degree in Information Technology, Information Security, Business or Risk Management (or equivalent professional qualification).
  • Team player – focused on the success of the whole team. Works well both with others and individually.
  • Excellent stakeholder management skills.
  • Experience in Outsourcing risk management, Third Party Risk Management, Technology risk, Information Security or an Audit role.
  • Good listening and analytical skills – being able to come to a thoughtful and business-focused conclusion quickly.
  • Ability to co-operate and work well with others, adopting an approachable style – important as we work closely with a large and diverse set of customers.
  • Ability to see the customer perspective, i.e. from a business point of view, the most secure solution is not always workable or realistic considering costs and benefits.
  • Demonstrating a calm professional approach, with a good understanding of delivery within time constraints and the need to escalate to/inform departmental management as appropriate.
  • Adapting personal approach to suit situations, individuals, groups and cultures. Is flexible in relation to getting the job done.
  • Taking accountability for their actions, being open and honest when things have gone wrong, and celebrating successes when things have gone well.
  • Being rigorous and thorough – especially when logging and tracking issues through to conclusion.
  • Ability to manage their workload so as to meet the realistic targets and priorities set in conjunction with management.
  • Demonstrating a high level of commitment and self-motivation, combined with enthusiasm and a genuine interest in the role of Risk Assessment in business.
  • Ability to express views clearly and fluently, both orally and in writing. Considers the audience, avoiding technical jargon wherever necessary and appropriate.

Competencies:

  • Understanding of the banking industry's regulatory requirements for managing third parties (e.g., EBA Guidelines on Outsourcing arrangements, FCA SYSC 8).
  • Experience working with legal and procurement teams as part of contract design to include key provisions for Outsourcing and Supplier Risk Management.
  • Good knowledge of Information Security, Business Continuity, and IT Audit methodology and concepts.
  • Ability to perform Supplier Risk assessments through on-site visits and by reviewing SSAE 16 / SOC 1 / SOC 2 reports.
  • Ability to articulate risk management concepts in business language.
  • Excellent written and verbal communication skills.
  • Proficient with Microsoft Office Suite.
  • Prior experience documenting tool requirements to support risk management.
  • Ability to travel to supplier sites and perform assessments as necessary.
  • Proven ability to manage issues through to resolution; skilled at making judgment calls.
  • Ability to successfully multitask and complete difficult assignments within deadlines which may have short lead times.
  • Industry certifications (e.g. CISA) or willingness to obtain the same.
  • Works iteratively, delivering quickly and frequently to produce high quality documents and outputs which require little to no rework.
  • Multilingual capability (English and/or French) is preferred.

Conduct:

  • Be a role model, supporting and fostering a culture of good conduct.
  • Demonstrate proactivity, transparency and accountability for identifying and managing conduct risks.
  • Consider the implications of your actions on colleagues, partners and clients before making decisions, and escalate issues to your manager when unsure.

Diversity and Inclusion commitment

BNP Paribas Group in Spain is an equal opportunity employer and proud to provide equal employment opportunity to all job seekers. We are actively committed to ensuring that no individual is discriminated against on the grounds of age, disability, gender reassignment, marriage or civil partnership status, pregnancy and maternity/paternity, race, religion or belief, sex or sexual orientation. Equity and diversity are at the core of our recruitment policy because we believe that they foster creativity and efficiency, which in turn increase performance and productivity. We strive to reflect the society we live in, while keeping with the image of our clients.