IT SDLC Risk and Control Officer

Job Level:  Vice President
Job Function:  Governance & Assurance
Location:  Tralee, IE

Employment Type:  Full Time
Requisition ID:  5747

SMBC Group is a top-tier global financial group. Headquartered in Tokyo and with a 400-year history, SMBC Group offers a diverse range of financial services, including banking, leasing, securities, credit cards, and consumer finance. The Group has more than 130 offices and 80,000 employees worldwide in nearly 40 countries. Sumitomo Mitsui Financial Group, Inc. (SMFG) is the holding company of SMBC Group, which is one of the three largest banking groups in Japan. SMFG’s shares trade on the Tokyo, Nagoya, and New York (NYSE: SMFG) stock exchanges.

 

In the Americas, SMBC Group has a presence in the US, Canada, Ireland, Mexico, Brazil, Chile, Colombia, and Peru. Backed by the capital strength of SMBC Group and the value of its relationships in Asia, the Group offers a range of commercial and investment banking services to its corporate, institutional, and municipal clients. It connects a diverse client base to local markets and the organization’s extensive global network. The Group’s operating companies in the Americas include Sumitomo Mitsui Banking Corp. (SMBC), SMBC Nikko Securities America, Inc., SMBC Capital Markets, Inc., SMBC MANUBANK, JRI America, Inc., SMBC Leasing and Finance, Inc., Banco Sumitomo Mitsui Brasileiro S.A., and Sumitomo Mitsui Finance and Leasing Co., Ltd.

 

This is a hybrid role, requiring the successful candidate to attend our Tralee office.

Role Description

SMBC is seeking a Functional Control Officer (FCO) who has a strong understanding of IT Governance and Controls and is interested in building a career at a fast-growing and reputable Bank.

The successful candidate will focus on the IT control framework embedded in the development and delivery of system and software solutions (Software Development Lifecycle Management) and help design and implement controls to support adherence to the Bank’s policies. In addition, you will validate control remediation efforts and verify, through testing and periodic reviews, that these controls meet their design and are operating effectively and sustainably.

The Functional Control Officer will be responsible for managing compliance and operational risk associated with key Information Technology (IT) Programs in SMBC Americas Division (AD). They will be responsible for managing compliance with the required controls related to the corresponding Information Technology Programs, including but not limited to Change Management, Incident Management, SDLC, Service Continuity, Program and Project Management, IT Operations, or IT Asset Management.

This role will report to the Head of IT Governance & Controls in the Americas Division.  

Role Objectives: Delivery

  • Strong understanding of Governance, Risk and Compliance (GRC) practices to support Information Technology’s adherence to authoritative frameworks (FFIEC, COBIT, NIST, ISO etc.) and U.S. regulatory expectations.
  • Be the subject matter expert for IT Governance and Controls for the Secure Software & Systems Development Lifecycle, ensuring proper design, implementation and testing of controls for all phases of a Secure SDLC.
  • Collaborate with the Secure SDLC process owner and stakeholders to identify continuous improvement opportunities in Controls, Processes and Procedures.  
  • Ability to proactively identify self-identified issues (SIIs) and support IT staff in remediation activities to improve operational efficiency.
  • Familiarity with controls testing program delivery, including conducting walkthroughs, developing control test scripts, and supporting design and operating effectiveness testing.
  • Support Risk and Control Self-Assessments (RCSAs) for Information Technology Risks and Controls that support business departments.
  • Regular review of Policy Relevant Documents (PRDs) for annual revisions and amendments to address identified gaps in coverage or roles and responsibilities.
  • Collaborate with key stakeholders across the 2LoD (Operational Risk) and 3LoD (Internal Audit) for adherence to the Operational Risk Management Framework and remediating Audit Control Remediations and regulatory findings.
  • Leverage experience in key IT programs (e.g., Change Management, Incident Management, Software Development and Lifecycle Management) to recommend process improvements and best practices as part of BAU responsibilities.
  • Conduct periodic status meetings with AD management and/or Group Company primary contacts, including senior management, to provide updates, ascertain remediation status and address any remediation concerns.

Qualifications and Skills

  • 5-10 years of Information Technology experience, with focus on experience in the financial services industry
  • 5-10 years of experience in a 1LoD role or other risk management and audit roles.
  • 5-10 years of experience working with common risk management frameworks, including RCSAs, control testing programs and maturity assessments
  • Strong understanding of SDLC methodologies (Agile, Waterfall) and associated Control areas.
  • Knowledge of Secure Coding Standards (e.g., SSDF), Software Testing Strategies and DevSecOps practices.
  • 5-10 years of experience in developing and/or reporting Key Risk and Performance Indicators.
  • Experience working within SDLC, Program and Project Management, and IT Operations (Capacity Management, Configuration Management, etc.) a plus.
  • Experience in IT Audit and/or IT Risk (with active CISA and/or CRISC certification a plus)
  • Experience working with IT teams to strengthen their adherence to organizationally defined IT controls.
  • Experience executing control testing, reporting, and tracking control remediation
  • Ability to influence responsible parties (including senior management) working in the 1st, 2nd, and 3rd lines of defense in conversations regarding AD IT Control compliance and remediation activities
  • Have strong verbal and written communication skills.
  • Ability to demonstrate a self-motivated and disciplined approach to learning and working.
  • Ability to work in a team environment and demonstrate leadership skills when needed.
  • Possess a highly developed sense of personal accountability and follow-through with an ability to effectively prioritize multiple personal tasks, projects, and goals.

Additional Requirements

SMBC’s employees participate in a hybrid workforce model that provides employees with an opportunity to work from home as well as from an SMBC office. SMBC requires that employees live within a reasonable commuting distance of their office location. Prospective candidates will learn more about their specific hybrid work schedule during their interview process.

 

SMBC provides reasonable accommodations during candidacy for applicants with disabilities consistent with applicable federal, state, and local law. If you need a reasonable accommodation during the application process, please let us know at accommodations@smbcgroup.com.