Technology Risk and Controls Lead - Regulatory and Industry Risk Assessments

Job Description :

We are seeking a Regulatory Assessment Lead with a deep background in audit, regulatory, and industry assessments to join our growing Technology Risk and Controls organization.

As a Regulatory Assessment Lead in Cybersecurity and Technology Controls, you will evaluate the firm's technology control environment against applicable regulatory requirements and industry standards. You will translate complex regulatory obligations and provide subject matter expertise and technical guidance to technology-aligned process owners, ensuring that implemented controls comply with regulatory requirements and industry standards.

This role serves as the primary assessment lead, interfacing with internal auditors, compliance and risk teams, technology stakeholders and business product teams to drive complex assessments. The role ensures the firm's continuous compliance with key regulatory and industry standards, including CRI Profile, Swift CSP, CHAPS CRM, HKMA CRAF, and Japan CSSA.

The successful candidate will provide strategic direction and expert leadership in audit readiness and assessment practices, while driving continuous improvement in the firm's control posture. Strong knowledge of risk management principles and practices will enable you to deliver innovative solutions and lead a diverse team in a complex and evolving regulatory environment.

Job responsibilities

• Lead end-to-end delivery and drive efficient and effective execution of assessments, ensuring the firm's technology control environment meets applicable regulatory obligations and industry standards.

• Communicate issues and observations identified from our assessments to relevant stakeholders, including root cause analysis and resolution recommendations.

• Provide subject matter expertise in regulatory assessments, ensuring that the organization adheres to applicable regulations and industry standards such as CRI Profile, Swift CSP, CHAPS CRM, HKMA CRAF and Japan CSSA.

• Partner with LOBs, global risk and control functions, cybersecurity and technology teams to conduct control assessments, ensuring compliance with regulatory requirements and alignment with the Firm's policies, standards and procedures.

• Build and sustain trusted relationships with Location CISO, Regulatory Engagement Management team, LOB technologists, CCOR (Compliance Conduct and Operational Risk), and Internal Audit to facilitate cross-functional collaboration and drive progress toward shared goals.

• Collaborate with global teams to ensure consistency of assessment methodologies, tooling, and reporting standards across regions.

• Manage and mentor junior team members, fostering a culture of excellence, continuous learning, and regulatory awareness within the APAC assessments practice.

Required qualifications, capabilities, and skills

• Bachelor's Degree in Management Information Systems, Cybersecurity or related disciplines.

• 5+ years of experience or equivalent expertise in technology risk management, information security, technology audit or related field with a focus on assessments in the financial services industry.

• Demonstrated experience leading regulatory assessments, control evaluations, or technology audits in a large organization.

• Strong understanding of industry risk frameworks (CRI Profile, ISO 27001, etc.) and practical experience with regulatory and industry requirements, including Swift CSP, CHAPS CRM, HKMA CRAF and Japan CSSA.

• Proficient knowledge of control evaluation of technology risk domains including cybersecurity, data governance, IT resilience, third-party risk management and change management.

• Experience with payments environment and familiarity with payments-specific regulatory standards and cybersecurity control requirements.

• Strong analytical, problem-solving, and critical thinking skills, with the ability to manage multiple priorities and deliver high-quality outputs under tight deadlines.

Preferred qualifications, capabilities, and skills

CISA, CISM, CRISC, CISSP, or similar industry-recognized risk and risk certifications are preferred.