Job Description
KEY RESPONSIBILITIES:
A. IT Risk Governance & Framework Implementation
- Implement and maintain the IT Risk Management Framework in line with the Bank’s Enterprise Risk Management (ERM) framework and Group standards.
- Maintain an updated IT Risk Register, identifying emerging threats, control weaknesses, and residual risks.
- Ensure alignment of IT Risk activities to the Risk Appetite Statement, Basel II/III, ISO 27001, NIST, and COBIT frameworks.
- Facilitate periodic IT risk assessments, scenario analysis, and control self-assessments across all IT domains.
- Drive IT Risk awareness and capacity building across the Bank.
B. IT Risk Monitoring, KRIs & Reporting
- Define and track Key Risk Indicators (KRIs) for critical IT processes, including cybersecurity, system availability, change management, and data protection.
- Prepare monthly and quarterly IT Risk Reports for Management Risk Committee (MRC), Board Risk Committee (BRC), and Group Risk.
- Escalate breaches of IT risk appetite and ensure timely mitigation.
C. Incident, Cyber, and Operational Resilience Management
- Coordinate the incident management process, ensuring prompt logging, investigation, root cause analysis (RCA), and closure of IT incidents.
- Support the activation and escalation under the Cybersecurity Incident Response and Recovery Plan (CIRRP).
- Work closely with IT, Information Security, and BCM teams to ensure effective response and post-incident reviews.
- Maintain oversight of Business Continuity (BCP) and Disaster Recovery (DR) testing outcomes and ensure alignment to the bank’s Resilience Framework.
D. Third-Party & Project Risk Oversight
- Conduct IT risk assessments for new systems, digital channels, APIs, and major IT projects.
- Evaluate and monitor third-party/vendor IT risks, including due diligence, data privacy, service continuity, and exit strategies.
- Participate in Change Advisory Board (CAB) sessions to ensure risk considerations are embedded before deployment.
E. Regulatory, Audit & Group Alignment
- Ensure compliance with Bank of Uganda, Data Protection, and Group Information Security standards.
- Coordinate responses to internal audits, external audits, and regulatory inspections, ensuring timely closure of findings.
- Maintain strong engagement with Group IT Risk and Group Information Security to align local initiatives with Group frameworks.
F. Emerging Risk, Reporting & Awareness
- Identify and assess emerging technology risks, including AI, cloud, fintech partnerships, and open APIs.
- Conduct periodic risk reviews, thematic analysis, and technology risk stress testing.
- Champion awareness sessions on cyber hygiene, information security, and IT risk governance across business units.
MINIMUM POSITION QUALIFICATION REQUIREMENTS
a) Academic & Professional
| Particulars | Detail | Specific Field or Qualification | Need Type |
|---|---|---|---|
| Education | Bachelor's degree | Information Technology, Computer Science, Information Science, Information Systems, Information Security or related disciplines | Required |
| Professional Qualifications | Professional certification | CRISC, CISM, CISSP, CISA, ISO 27001 Lead Implementer & related professional qualifications | Added Advantage |
| Education | Master's degree | IT, MBA, Computer Science, Risk & related disciplines | Added Advantage |
b) Experience
| Detail | Area | Minimum No of Years |
|---|---|---|
| Experience Area 1 | Information Risk and/or IT Security and/or IT Audits | 4 |
| Experience Area 2 | Information Risk Reviews and Vulnerability Assessments Experience | 3 |
| Experience Area 3 | Red Team Exercises and/or Penetration Testing Experience | 2 |
| Experience Area 4 | Stakeholder management | 2 |
| Experience Area 5 | Report writing | 2 |