Operational Resilience & Risk Manager

Tompkins Community Bank•City of Ithaca, NY

12d

About The Position

The Resilience & Risk Manager leads the company’s Business Continuity & Operational Resilience Program, ensuring critical services remain available during disruptions and that information security risks stay within defined tolerances. This role partners with business leaders, IT teams, and Information Security team members to strengthen resilience, security, and regulatory compliance across processes, technology, and third-party relationships. You will be highly capable of creating sound and comprehensive documentation, and reports for senior management to demonstrate the posture and effectiveness of the program, as well as offer additional recommendations to further enhance the program ensuring information security risk is within defined tolerances and company appetite. You will ensures alignment with FFIEC, NYDFS Part 500, GLBA, SOX, and industry frameworks such as ISO 22301 and NIST.

Requirements

Bachelor’s degree in Computer Science, Information Systems, or related field.
7+ years in IT and/or Information Security; 3+ years in financial services.
Hands-on experience with Business Continuity, Disaster Recovery, and Operational Resilience programs.
Strong understanding of information security risk analysis, banking systems, and regulatory frameworks.

Nice To Haves

Certifications: CISSP, CISM, CBCP, ISO 22301 Lead Implementer, Security+, PMP.
Experience with GRC platforms (LogicGate), cyber resilience planning, and regulatory exam preparation.

Responsibilities

Own and manage the enterprise-wide Business Continuity & Operational Resilience Program, including governance and reporting to senior leadership and risk committees.
Coordinate and lead Disaster Recovery planning, annual testing, and scenario-based exercises, including post-mortem reviews and continuous improvement.
Conduct Business Impact Assessments (BIAs) and impact tolerance assessments for critical services, mapping dependencies across people, processes, technology, and third parties.
Develop and maintain crisis communication plans and ensure readiness for regulatory reporting during major incidents.
Align resilience strategies with regulatory requirements and industry standards (FFIEC, NY DFS, ISO 22301, NIST CSF).
Produce audit-ready documentation, metrics, and KPIs demonstrating program effectiveness and maturity.
Collaborate with Third-Party Risk Management to assess vendor resilience & risk.
Review technology architecture and design for resilience controls, integration dependencies, and cyber resilience measures.
Integrate threat intelligence and emerging risk analysis (cloud, AI, geopolitical) into resilience planning.
Support InfoSec governance activities and system administration for resilience and risk tracking.
Participate in incident response, regulatory reporting, and executive-level crisis management.
Promote awareness through training sessions, tabletop exercises, and education initiatives.
Maintain expertise in operational resilience trends, regulatory changes, and best practices.