IT Risk Manager
- Information Technology
- Full time
- Port-Of-Spain or Newtown
- 10/23/2025
The IT Risk Manager is a senior-level position responsible for establishing and overseeing the enterprise-wide IT risk management framework for Massy Group. Reporting to the Group Chief Risk Officer (CRO), this role serves as the second line of defense, providing independent oversight of IT and cybersecurity risks across all subsidiaries. The IT Risk Manager ensures consistent governance and alignment of Portfolio and Line of Business (LoB) risk practices with group standards and global best practices such as NIST CSF, ISO/IEC 27001, and data protection regulations.
DUTIES AND RESPONSIBILITIES
1. IT Risk Framework & Governance
• Develop and maintain a comprehensive IT Risk Management Framework for Massy Group in alignment with the enterprise risk management strategy and leading industry frameworks (e.g. NIST CSF, ISO 27001).
• Define the Group’s IT risk appetite and policies, ensuring subsidiaries adopt minimum standards and controls that fit their contexts.
• Act as policy custodian and ensure governance structures (committees, reporting lines) support the three-lines-of-defense model, with clear delineation of first line (IT leads for Portfolios/LoBs) vs. second line (Group oversight) responsibilities.
2. Risk Assessment & Monitoring
• Oversee regular IT risk assessments across all business units, identifying threats, vulnerabilities, and impacts on critical assets.
• Aggregate Portfolio and LoB risk findings into an enterprise-wide risk register with unified taxonomy.
• Define and track Key Risk Indicators (KRIs) and performance metrics to continuously monitor the Group’s risk posture.
• Ensure that emerging risks (e.g. AI-related vulnerabilities, cloud security gaps) are proactively identified and evaluated, keeping the conglomerate ahead of new threat trends.
• Leverage scenario analysis (for cyber-attacks, system outages, data breaches) and stress-testing to gauge the organization’s resilience under various risk scenarios.
3. Governance Committees & Reporting
• Organize regular meetings of the Group-level IT/Cyber Security Risk Committee, which includes Group leadership and the Portfolio and LoB IT leads (CIOs/CISOs).
• Set committee agendas that focus on critical topics (e.g. ransomware resilience, third-party risk, regulatory compliance updates).
• Foster open communication among subsidiary teams to share risk insights and best practices.
• Prepare clear, executive-level IT risk reports and dashboards for the Group CRO, Board Audit and Risk Committee, and senior executives, highlighting key risks, incidents, trends, and mitigation status.
• Ensure timely escalation of significant risk issues or control gaps and provide well-informed recommendations to support risk-based decision making at the highest levels.
4. Incident Response & Resilience
• Oversee the conglomerate’s cyber incident response preparedness and IT resilience strategies.
• Ensure each subsidiary has robust incident response plans and business continuity/disaster recovery (BCP/DR) plans aligned with group standards.
• Coordinate Group-level support during major cybersecurity incidents, providing guidance and cross-organizational communication.
• Lead post-incident reviews for significant events, ensuring that lessons learned (for example, from a ransomware attack) are documented and that remediation actions are implemented across all affected units.
• Champion resilience measures (such as regular disaster recovery drills, backup and restore tests, and ransomware recovery playbooks) to improve the organization’s ability to withstand and quickly recover from disruptions.
5. Compliance & Policy Adherence
• Monitor compliance with relevant laws, regulations, and standards across all jurisdictions in which the Group operates. This includes global data protection and privacy laws, industry-specific regulations (e.g. financial sector guidelines, energy sector critical infrastructure rules), and emerging requirements, ensuring the IT risk program meets these mandates.
• In conjunction with the legal and compliance teams, track regulatory changes and evolving legal obligations, advising leadership on necessary adaptations to policies or controls.
• Liaise with internal and external auditors on risk-related audits and coordinate responses and remediation for any findings, striving for no major audit issues related to IT risk governance.
• Develop group-wide IT risk policies and minimum control standards and verify that Portfolios and LoBs implement and comply with these policies (allowing for justified exceptions or tailored controls where necessary).
6. Third-Party & Supply Chain Risk Management
• Establish a robust third-party IT risk management framework at the Group level to assess and oversee risks stemming from vendors, suppliers, and outsourcing partners. Ensure that across the Group, all critical IT vendors and service providers are vetted for security and resilience (e.g. via standardized risk questionnaires, audits, or certifications) and that contracts include appropriate IT risk and security clauses.
• Monitor supply chain cybersecurity risks and concentration risks, acknowledging that a compromise at one vendor can cascade across multiple businesses.
• Ensure that the Portfolios/LoBs perform due diligence on their IT suppliers and share significant third-party risk issues with the Group.
• Develop group-wide standards for vendor risk tiering, ongoing monitoring (e.g. security ratings, SLA compliance), and incident response involving third parties.
7. Training, Awareness & Culture
• Ensure that Portfolios/LoBs have consistent baseline training for all employees on topics like phishing prevention, data protection, and good security hygiene.
• Work with the IT and security teams in the Portfolios/LoBs to tailor additional training for technical staff and management (for example, workshops on cloud security best practices or emerging threats).
• Act as a champion for a culture of transparency and continuous improvement in risk management, encouraging reporting of incidents or near-misses and celebrating risk management successes.
• Through communication and example, build trust so that business units actively engage with the Group on risk issues rather than siloing them.
8. Strategic Alignment & Continuous Improvement
• Work with IT leadership (CIOs/CISOs) to align risk management efforts with major technology initiatives – such as cloud transformations, digital innovation projects, or AI deployments – so that security and risk are embedded in strategic change.
• Stay abreast of the evolving threat landscape and technological advancements: for example, tracking trends like ransomware-as-a-service, AI-enabled attacks, zero-trust architecture adoption, and developments in security automation.
• Continuously benchmark the Group’s IT risk practices against industry standards and peers (participating in industry forums or working with external advisors as needed) to identify gaps or opportunities for improvement.
• Drive innovation in risk management techniques and tools, advocating for investments in areas such as advanced threat detection, GRC (Governance, Risk & Compliance) platforms, or improved data analytics for risk, to strengthen the Group’s overall cyber resilience.
JOB COMPETENCIES
• Excellent communication and interpersonal skills, with the ability to engage and influence diverse stakeholders.
• Excellent written skills for preparing reports, presentations, and engaging with stakeholders.
• Attention to detail, critical thinking, and the ability to work both independently and collaboratively in a fast-paced environment.
• Strategic thinking with the ability to balance short-term goals and long-term sustainability objectives.
• Data-driven mindset with experience in impact measurement and analytics.
• Ability to exercise good judgment, initiative, and discretion.
• Highly detail-oriented and organized.
• Strong analytical skills.
TECHNICAL SKILLS
• Hands-on or oversight experience in areas such as: risk assessment methodologies and tools; network and infrastructure security; cloud computing and cloud security controls; application security and SDLC controls; data protection; identity and access management; incident response and forensics; disaster recovery and backup strategies; and security monitoring (SIEM, threat intelligence).
• Knowledgeable about current and emerging threat vectors such as ransomware, phishing/social engineering, AI-driven attacks, and the mitigation strategies for each.
• Experience with evaluating new technologies and digital initiatives for risk (e.g. introducing AI or IoT in the business) is a strong plus.
QUALIFICATIONS AND EXPERIENCE
• Bachelor’s degree in Computer Science, Information Systems, Cybersecurity, Risk Management or a related field is required. A Master’s degree in Business Administration or Information Security, or relevant postgraduate qualifications, is highly advantageous.
• Continuous professional education in risk management or cybersecurity (e.g. specialized courses, certifications) is a plus.
• At least 7 years’ experience in IT risk management, information security, or IT governance, including several years in a management or senior risk oversight role.
• Experience in managing IT risks within large, complex organizations across multi-site locations is an advantage.