Senior Manager, Technology Risk Management - Questbank

Questrade Financial Group
Toronto, ON
CA$140,000 - CA$175,000
Hybrid

About The Position

Questrade Financial Group (QFG) is a diverse financial services organization that leverages cutting-edge technology and AI-driven innovation to enhance customer experiences and empower its teams. This role is a catalyst for change, focusing on transforming financial services through AI and shaping a future where technology empowers employees. The company offers a diverse, inclusive, and hybrid workplace that encourages creativity and curiosity. This position reports to the Director, Operational Risk Management and serves as the second line of defense (2LOD) for technology, cyber, and data risk at Questbank. The Senior Manager is responsible for designing, implementing, and maintaining Questbank's Technology and Cyber Risk Management framework. This includes ensuring compliance with regulatory requirements such as OSFI Guideline B-13 and Guideline E-21, and aligning with the company's risk appetite. The role provides independent review and challenge of the first line's risk management practices, particularly in an outsourced operating model, and addresses emerging areas like data integrity and responsible AI use. The incumbent acts as an independent risk gatekeeper for new products and significant technology changes, embedding directly within product and platform streams to support Questbank's growth.

Requirements

  • University degree in Computer Science, Information Systems, business, or related discipline, or equivalent directly related experience.
  • Minimum of 7 to 10 years of specialized technology risk, cyber risk, IT governance, or IT audit experience.
  • Three years of experience across other risk disciplines (e.g., operational, business continuity, third-party).
  • Industry experience in financial services / fintech.
  • Experience within a second line of defence risk function, preferably technology and/or cyber risk.
  • Comprehensive knowledge of technology and cyber risk management frameworks, tools, and methodologies (e.g., COBIT, NIST CSF, ISO 27001, ITIL, RCSAs, KRIs, control testing, and risk appetite).
  • Working knowledge of emerging domains including data governance, data integrity, and AI/ML risk management practices.
  • Demonstrated ability to provide effective review and challenge of IT and cybersecurity control design and operating effectiveness, including cybersecurity testing (e.g., vulnerability scans, penetration tests).
  • Ability to build customized, right-sized, end-to-end IT governance and risk solutions scaled to complexity and risk levels.
  • Strong working knowledge of financial institution regulation (OSFI including Guidelines B-13, E-21, and B-10).
  • Understanding of banking, mortgage, and investment operations.
  • Working knowledge of adjacent risk areas, including operational risk, fraud risk, business continuity, third-party risk, and compliance.
  • Proficiency in data analytics and business intelligence tooling (e.g., Tableau or Power BI).
  • Proficiency in Google Workspace (Docs, Slides, Forms, and Sheets).
  • An entrepreneurial, proactive self-starter who is comfortable operating autonomously, sees the big picture, and does not operate in silos.
  • Strong critical thinker able to gather, synthesize, document, and present information to both technical and non-technical audiences in a succinct and organized manner.

Nice To Haves

  • Advanced education or professional qualification(s) preferred (e.g., CISA, CRISC, CISM, CGEIT, or a recognized risk designation).
  • Experience working with regulators is highly valued.
  • Experience overseeing or governing outsourced technology services is considered an asset.

Responsibilities

  • Lead the design, execution, and oversight of 2LOD technology and cyber risk assessments.
  • Conduct risk-based control testing and validate IT and cybersecurity controls.
  • Critically evaluate and challenge the first line's management of technology and cyber risk, including data integrity and AI governance.
  • Analyze technology performance, risk metrics, and control effectiveness against established standards and regulatory requirements.
  • Produce technology and cyber risk reporting for the Operational Risk Management Committee (ORMC) and support onward reporting to executive management, the CRO, and the Board.
  • Operate within and contribute to the continuous improvement of the 2LOD Technology and Cyber Risk Management framework, policy, and standards.
  • Apply the 2LOD operating model for technology risk in Questbank's outsourced environment.
  • Propose technology and cyber risk appetite statements and integrate KRIs and thresholds into the annual Risk Appetite Statement (RAS).
  • Operate limit-breach escalation protocols and continuously monitor technology and cyber risk against KRIs and tolerance levels.
  • Provide independent oversight and challenge of the first line's management of technology and cyber risk, including control design and operating effectiveness, cybersecurity testing results, residual risk exposure, and IT business continuity and disaster recovery arrangements.
  • Manage the day-to-day technology and cyber risk lifecycle, including risk event intake, RCSAs, control testing, issue tracking, and risk acceptances.
  • Engage the first line early on new products, material changes, and strategic initiatives with technology or cyber risk implications, delivering 2LOD review and challenge through the Initiative Risk Assessment (IRA) process.
  • Provide risk-based 2LOD oversight of the cybersecurity incident response process, ensuring lessons learned inform controls and reporting.
  • Provide independent 2LOD oversight of data integrity practices and emerging AI governance, including review and challenge of first line controls and AI system governance.
  • Support compliance with applicable regulatory requirements (e.g., OSFI Guidelines B-13, E-21, B-10) and anticipate regulatory changes.
  • Champion the alignment of technology and cyber risk management methodologies with related 2LOD risk types.
  • Build cross-functional relationships with product, technology, business teams, and external service providers.
  • Elevate the organization's technology and cyber risk capability through training and promoting risk awareness.
  • Advance the use of automation and analytics for efficient 2LOD oversight.

Benefits

  • Health & wellbeing resources and programs
  • Paid vacation, personal, and sick days for work-life balance
  • Competitive compensation and benefits packages
  • Competitive incentive (bonus) program for Full-Time Permanent roles