IT Risk and Control Assurance Advisor




IT Infrastructure/support

Project description:

Division: Group Security and Business Resilience
Discover the challenging world of IT risks and controls, in the context of the group’s technology services, i.e. its mission critical production and project delivery services. The group is operating in an increasingly regulated environment and is engaged in an enterprise risk management framework transformation programme which must be rolled out across the whole organization, including to IT.


The IT Assurance & Testing Team

Within the IT Risks, Controls and Assurance domain, you will be part of the IT Assurance & Testing team, whose responsibilities are to:

Develop and validate the assurance and assessment plan for rotational and risk-based assurance engagements.

Execute the assurance plan and any specific assurance service requests from IT management, by assessing, in relation to the identified risks, the control adequacy and the control operating effectiveness.

Maintain the adequate documentation to support the assessment conclusions.

Report to and interact with the relevant stakeholders, including IT management, on the assessment results

Advise the relevant stakeholders on the improvements required for both risk and control definition.

Assist in the monitoring and reporting on the progress of remediation actions resulting from assessments.

Be a driver for continuous improvement of the quality and the maturity of the controls environment

Contribute to increasing the risk culture and risk awareness in IT by assessing the maturity level of the “risk & control mind-set” within IT

Provide support to internal / external auditors (e.g. access to assessments, documentation and evidence as required) and to other testing of IT controls (e.g. testing by Compliance or external auditors)

The IT Assurance & Testing Team is working closely with the IT Risk profile and IT Controls Teams, field experts and different management levels in the IT divisions across locations (mainly in Belgium but also in France and the UK), as well as with the second and third lines of defence (respectively Risk Management and Internal Audit).

Your part of the deal
1). Your day-to-day responsibilities:
Provide an independent assurance to key stakeholders on the design adequacy and operating effectiveness of the IT internal control system.

Contribute to an adequate understanding of the IT residual risk profile (for comparison with the risk appetite)

Contribute to a reduction in the number of unexpected observations raised by auditors (by identifying the most severe weaknesses prior to further examination by 2nd and 3rd lines of defence and external auditors)

Contribute to the single IT control environment covering all IT divisions, by assessing and reporting on the IT control maturity versus key controls, policies, procedures and standards relevant to IT.

Contribute to the design, preparation and delivery of the appropriate risk & control reporting as required by the management, business entities and second and third lines of defence.

Ensure clearance of the assessment findings with 1st line management

Contribute to an up-to-date risk and control assessments dashboard

Adopt the Risk Champion role towards the IT first line of defence, balancing guidance on the risk framework with maintaining the necessary independence.

2). Your responsibilities in the group Risk transformation:

Provide a key contributing role to embed the IT Risk Control Framework in the full IT organization (1500 people)

Actively participate in the Risk Transformation: as part of the IT Assurance & Testing team you will support the implementation of the necessary changes and work in a continuous improvement mind-set (e.g. development and maintenance of sampling strategies, assessment checklists, evolution of the assessment reporting, adoption of the Risk Champion role, new corporate risk tooling, embedding or automation of controls in IT processes).

Take part in the assessment and improvement of the IT risk education programme, in order to increase the Risk culture, awareness and mind-set in IT and help the IT first line to translate it into concrete behaviours.

Occasional traveling to London and/or Paris may be required (frequency not higher than once a month per location).

Technical skills:

University degree or equivalent experience (education in computer science or engineering is a plus)

Fluent knowledge of English (spoken, written, presentation). French and/or Dutch is a plus

Experience in IT delivery and/or operational activities, in an IT risk and control environment, or equivalent experience

Critical mind-set and ability to challenge and influence middle management and IT experts

Strong risk mind-set: you aspire to a culture of excellence

Strong leadership and communication skills, whether in the field, in the team or with management: you are a keen team player and coordinate work amongst people from different areas or divisions. A good relationship builder with strong diplomacy skills

You are a highly motivated self-starter and quick learner and you are able to work proactively in a challenging environment with conflicting or competing priorities

Strong analytical and risk assessment skills. You know how to break down complex risk situations into manageable pieces and to address logical links and dependencies. You can distinguish essential information and summarise it accordingly. You see how information is linked and you recognise common patterns in elements that seem unrelated at first

Experience in large multi-platform based IT environments, such as IBM Mainframe and distributed systems

Process-minded, with good knowledge of the key principles of IT-related frameworks such as COBIT, ITIL, Agile and PRINCE2 (a plus; no certification is required)

Contact person:

Contact name: Julien de le Vingne