VP, Technology Risk Management

Position Overview

This role is responsible for leading second-line oversight of enterprise-wide Information Technology Risk Management (ITRM). The position encompasses governance and strategic alignment of IT and cybersecurity functions, oversight of IT operations, change and configuration management, and the broader governance, risk, and compliance (GRC) landscape. The individual will collaborate closely with first-line technology risk teams to provide independent challenge and guidance on control design, implementation, and risk mitigation strategies across major IT and cybersecurity initiatives.

The role also includes evaluating the effectiveness of IT and IS controls through substantive testing and contributing to the continuous improvement of risk management practices and frameworks.

Key Responsibilities

Serve as a second-line advisor and challenger to first-line IT and cybersecurity teams on risk and control matters.

Oversee the implementation and maintenance of IT risk management practices across operational, security, and change management domains.

Support the enterprise adoption and integration of GRC platforms, promoting consistent usage and reporting across stakeholders.

Provide subject matter expertise on IT risk management, tailoring guidance to specific business platforms and operational contexts.

Contribute to the development of enterprise IT risk appetite statements and ensure alignment with business objectives.

Produce regular reports on IT risk posture, control effectiveness, and emerging risk themes for senior leadership and governance bodies.

Review and assess IT and cybersecurity control frameworks, documentation, and compliance reporting.

Analyze audit findings, regulatory feedback, and client assessments to identify systemic risk issues and recommend solutions.

Establish monitoring mechanisms to ensure adherence to IT risk policies, standards, and frameworks.

Conduct independent testing of IT general controls and application controls to validate design and operational effectiveness.

Advise on remediation strategies for control gaps and non-compliance areas.

Provide ongoing governance and strategic direction for IT risk management across the organization.

Engage with cross-functional leaders in areas such as disaster recovery, infrastructure, data governance, vendor risk, and change management to inform risk oversight.

Build and maintain strong relationships with business units to support risk-informed decision-making for new initiatives and projects.

Maintain and update second-line owned IT and cybersecurity policies and standards through periodic reviews.

Qualifications

Education:

Bachelor's degree in Information Technology, Computer Science, Cybersecurity, or a related field preferred.

Professional certifications such as CISA, CRISC, or equivalent are highly desirable.

Experience:

Minimum of 5 years in IT risk management, cybersecurity audit, or related roles within regulated industries.

At least 3 years of experience in IT control testing or audit functions.

Strong understanding of IT GRC frameworks and control environments.

Familiarity with regulatory expectations and industry standards, particularly those relevant to financial institutions (e.g., FFIEC, FDIC, CFPB).