Reports To: Group Head of Risk
Job Purpose
The Manager, Enterprise Risk Management (ERM) plays a strategic role in embedding a risk-aware culture and ensuring effective risk oversight across the organization, with a strong focus on cybersecurity, third-party/vendor risk, and cloud security. The incumbent will lead the design, implementation, and continuous improvement of the ERM framework in alignment with the organization’s objectives, regulatory requirements (e.g., MCMC, Bursa Malaysia, Securities Commission, NACSA), and global standards such as ISO/IEC 27001, ISO 31000, and NIST. This manager will ensure a comprehensive approach to identifying, assessing, and mitigating risks at both corporate and operational levels. The role focuses on protecting TIME's financial stability, enhancing profitability, and increasing operational efficiency.
Key Responsibilities
ERM Framework & Risk Governance
- Develop, implement, and maintain a robust ERM framework aligned with ISO 31000 and COSO ERM, tailored to the unique operational, cyber, and regulatory risks of the telecommunications industry.
- Integrate information security and IT risk management based on ISO/IEC 27001 and NIST Cybersecurity Framework (CSF).
- Facilitate periodic review and approval of the risk appetite statement, risk policies, and governance structure.
Risk Identification, Analysis & Reporting
- Lead enterprise-wide risk assessments encompassing strategic, operational, financial, technology, supply chain, cyber, regulatory, sustainability, reputational, and other risks.
- Maintain the enterprise risk register and develop heatmaps, dashboards, and reports for Senior Management, Risk Management Steering Committee, Board and regulatory bodies.
- Establish and monitor Key Risk Indicators (KRIs) and early warning systems.
Cybersecurity & Cloud Security Risk Management
- Partner with IT and Security teams to identify, assess, and mitigate cyber risks related to network infrastructure, customer data, and cloud environments.
- Support the implementation and auditing of the ISO/IEC 27001 - Information Security Management System (ISMS) and other related certifications such as ISO 27017, ISO 27018, ISO 9001, CSA Star, PCI-DSS, SOC 2 Type II and NRA.
- Participate in tabletop exercises and simulations for cyber incident response and disaster recovery.
Third-Party/Vendor Risk Management
- Develop and manage the third-party/vendor risk management framework, including risk assessments, due diligence, contractual risk clauses, and ongoing monitoring.
- Work closely with procurement, legal, and IT teams to assess vendor security postures, especially for cloud and managed service providers.
- Maintain a vendor risk register and ensure proper documentation and compliance with risk treatment plans.
Regulatory Compliance & Audit Support
- Ensure compliance with relevant local regulations and frameworks such as MCMC guidelines, PDPA, NACSA, Securities Commission and Bursa Malaysia’s risk management requirements.
- Support internal and external audits, regulatory reviews, and certification activities (e.g., ISO 27001 audits).
- Be the focal person for risk assessment enquiries from customers/clients.
- Liaise with regulators and industry bodies on risk matters, as necessary.
Awareness, Training & Risk Culture
- Promote a strong risk culture by delivering training, workshops, and communications to enhance awareness of enterprise, information security, and third-party risks.
- Advise business units and project teams on risk identification, assessment, and mitigation strategies.
Qualifications & Experience
- Bachelor’s degree in Risk Management, Business Management, Engineering, Accounting & Auditing, Information Technology, or Law and Regulatory.
- Professional certifications highly desirable: ISO/IEC 27001 Lead Implementer/Auditor, CRISC, IRM, CIA, PARIMA, RIMS in Risk Management, Financial Risk Management, or Risk Modeling.
- 6–10 years of experience in risk management, information security, or GRC, preferably within the telecommunications or technology sector (applicants from other industries may apply too).
- Experience with risk management platforms, dashboards, and reporting tools.
Skills and Competencies
- Strong analytical and investigative skills with the ability to evaluate complex risk scenarios.
- Excellent communication, facilitation, and stakeholder management skills.
- High attention to detail and integrity in handling sensitive information.
- Ability to work cross-functionally, manage ambiguity, and influence decision-making.
- Up-to-date understanding of telecom infrastructure, regulatory compliance, cybersecurity threats, and emerging technologies (e.g., 5G, IoT, SD-WAN).
*Only shortlisted candidates will be notified.