ERM Director of Technology Risk
1 Month ago
Pasadena, California, United States
Job Description
East West Bank is seeking a Technology Risk Director to oversee technology and information security within the bank's second line of defense. The role involves developing a risk management framework, monitoring risks, and influencing stakeholders. Responsibilities include leading a continuous monitoring program, assessing control effectiveness, and providing guidance on technology initiatives. The position requires strong relationship management skills and a deep understanding of technology risk and controls.
About the position
The Technology Risk Director at East West Bank will play a pivotal role within the bank's second line of defense, focusing on technology and information security activities across the organization. This position is responsible for developing and implementing a comprehensive risk management framework specifically tailored to Technology Risk. The individual will be tasked with incorporating and monitoring risk and control considerations throughout the organization, identifying regulatory, legal, and compliance risk exposures related to various products, solutions, environments, and frameworks. The role demands a deep understanding of technology risk and controls, along with exceptional relationship management and communication skills to effectively influence stakeholders at all levels. In this capacity, the Technology Risk Director will lead the establishment of a continuous monitoring program for Technology Risk, ensuring independent identification, assessment, monitoring, and reporting of risks across the bank's technology environment. The director will also establish an effective engagement model with the first line of defense to assess control effectiveness and strengthen the overall control environment. This includes defining clear roles and responsibilities between the first and second lines of defense, influencing control owners to build consensus on risk mitigation strategies, and providing oversight on key strategic technology initiatives. The director will serve as a Subject Matter Expert on Technology and Cybersecurity Risk in various committees and working groups, fostering positive relationships with internal clients, staff, peers, and senior management. Timely communication and escalation of key and emerging risks will be critical, as will conducting robust reviews of enterprise-wide technology controls assessments. 
The role also involves providing guidance and risk sign-off on technology risk management for enterprise projects, new products, services, and major technology infrastructure changes. Additionally, the director will identify key risk management requirements from regulators and industry best practices to create aligned policies and programs that reflect the bank's risk appetite and strategic objectives.
Responsibilities
• Lead establishment of second line of defense continuous monitoring program on Technology Risk.
• Lead independent identification, assessment, monitoring, and reporting of Technology Risk across the company's technology environment.
• Establish effective engagement model with the first line of defense to assess control effectiveness and monitoring activities to strengthen the control environment and reduce risk.
• Establish target operating model on Technology Risk and define clear roles and responsibilities across first line of defense and second line of defense.
• Influence control owners and other stakeholders to build consensus on risk mitigation and remediation strategies.
• Provide oversight and guidance on key strategic Technology initiatives and assess impact of these initiatives on the company's control environment.
• Serve as the Technology and Cybersecurity Risk Subject Matter Expert on assigned committees and working groups, while developing a positive working relationship with internal clients, staff, peers, and senior management.
• Ensure that key and emerging risks are communicated and escalated in a timely, accurate manner and within established governance frameworks.
• Conduct and manage robust review and challenge process for enterprise-wide technology controls assessments, including evaluating evidence of existing controls, identifying significant control deficiencies, assessing adequacy of proposed remediation to address deficiencies, and monitoring remediation to closure.
• Provide guidance, support, and risk sign-off on technology risk management of enterprise projects, new products and services, and major technology infrastructure changes.
• Identify key risk management requirements from federal and state regulators, as well as industry best practices, to create policies and build programs that are aligned to the Bank's risk appetite and strategic plan.
• Perform other duties and special projects as assigned.
Requirements
• Bachelor's degree plus 15+ years of direct, related experience in Risk Management, Internal Audit, Information Security or Technology.
• Strong written and verbal communication skills to confidently interact across all levels of organization such as management, executives, regulators, and board of directors.
• Advanced knowledge of general banking operations, including deposit operations, loan administration, treasury management and/or other commercial banking products and services.
• Outstanding written and verbal business and cybersecurity communication skills.
• Highly organized and efficient; ability to balance and manage multiple projects concurrently.
• Demonstrated strategic and tactical thinking, along with decision-making skills and business acumen.
• Advanced knowledge of applicable regulatory and legal compliance obligations, rules and regulations, industry standards and practices.
• Advanced knowledge and experience with frameworks and specific regulatory guidance, including ISO, COBIT, FFIEC, GLBA, NIST.
Nice-to-haves
• Certified Information Systems Auditor (CISA), Certified Information Systems Security Auditor (CISSA), or Certified Information Security Manager (CISM) certifications desired.
• CISO, deputy CISO, head of information technology/information security audit, head or lead information security risk management professional a plus.
Benefits
• Opportunities for advancement
East West Bank