Information Technology Risk Manager

Work Arrangement : Hybrid – 3 days per week in office

Overview :

We are seeking a Manager, Technology Risk and Controls to join the Global Corporate Technology team and lead the 1A function. Reporting to the Assistant Vice President, Shared Services, this role will partner with key stakeholders across a designated portfolio to support the execution of annual technology risk management initiatives. The Manager will also play a key role in incoming audits, managing the technology controls program, and driving remediation efforts for identified risks.

Key Responsibilities :

• Deliver a holistic view of technology risks by establishing and maintaining governance frameworks and technology risk management processes.
• Develop and maintain frameworks to monitor and track KPIs / KRIs, audit findings, and policy / standard exceptions.
• Collaborate with technology teams to create and execute remediation plans, ensuring ineffective controls are addressed within agreed timelines.
• Prepare and deliver portfolio-level reports, providing visibility into risk posture for stakeholders including 1B, 2nd, and 3rd line teams.
• Guide teams in designing and implementing controls to mitigate operational and information security risks.
• Monitor compliance with internal policies and standards; manage exceptions in accordance with established risk frameworks.
• Conduct risk reviews of key initiatives using internal assessment tools.
• Act as a subject matter expert in areas such as information security, IT operations, resiliency, and technology delivery.
• Support regulatory and internal audit compliance activities, including SOC 2, ISO 27001 / 27017, and ICOFR.

Qualifications :

• 8+ years of progressive experience in technology risk, information security, or technology audit.
• Minimum 5 years of leadership experience managing technology or risk teams.
• Proven ability to challenge status quo and drive operational improvement across people, processes, and technology.
• Strong capability to assess and articulate security risks in a business context.
• Degree in Risk Management, Information Security, Computer Science, or Business Technology.
• Certifications such as CRISC, CISA, CISM, or CISSP are considered assets.
• Strong knowledge of regulatory compliance (e.g., OSFI) and frameworks such as COBIT, NIST, and ISO standards.
• Solid understanding of the 3 Lines of Defense model and experience working across those layers.
• Excellent organizational skills with the ability to manage multiple priorities under pressure.