Operational Risk, Technology Risk Oversight Officer, Vice President (Hong Kong)

  • Competitive
  • Hong Kong
  • Permanent, Full time
  • Morgan Stanley
  • 20 Aug 17

See job description for details

Company Profile

Morgan Stanley is a leading global financial services firm providing a wide range of investment banking, securities, investment management and wealth management services. The Firm's employees serve clients worldwide including corporations, governments and individuals from more than 1,200 offices in 43 countries. As a market leader, the talent and passion of our people are critical to our success. Together, we share a common set of values rooted in integrity, excellence and a strong team ethic. Morgan Stanley can provide a superior foundation for building a professional career - a place for people to learn, to achieve and grow. A philosophy that balances personal lifestyles, perspectives and needs is an important part of our culture.

Department Profile

Operational Risk Department (ORD) works with the business units and control groups to help ensure Morgan Stanley has a transparent, consistent and comprehensive program for managing operational risk, both within each area and across the firm globally. Operational risk is the risk of financial loss or other potential damage to the firm’s reputation due to inadequate or failed internal processes, people, systems, or from external events. This group designs, implements and monitors the company-wide operational risk program.

Operational Risk refers to the risk of financial or other loss, or potential damage to a firm’s reputation, resulting from inadequate or failed internal processes, people, systems, or from external events (e.g., fraud, legal and compliance risks or damage to physical assets). The Firm may incur operational risk across the full scope of its business activities, including revenue-generating activities (e.g., sales and trading) and control groups (e.g., information technology and trade processing). Given the nature and breadth of operational risk, operational risks are managed at multiple levels e.g. Firmwide, as well as Regional, Business Unit, Infrastructure Group, Control Function and Legal Vehicle.

The Firm has developed an Operational Risk Management Framework to identify and assess significant operational risks and ensure appropriate mitigation actions are undertaken. The Framework is deployed across Business Units, Infrastructure Groups and Control Functions globally, regardless of Region or Legal Entity. The Framework is based upon a “Three Lines of Defense” model:

• 1st Line: Business Units/Infrastructure Groups - Own their operational risk & are responsible for its management

• 2nd Line: Oversight by Independent Risk Management and Control Functions - Partner with Business Units and Infrastructure Groups to anticipate, mitigate and report on operational risk

• 3rd Line: Independent Assessment by Internal Audit - Provides independent assessment, validation and evaluation

ORD operates as part of the 2nd Line of Defense, providing independent governance and oversight of operational risk management across the Firm.

Position Description

Morgan Stanley has an opening for a Vice President for the Technology Risk Oversight team within ORD. Technology Risk Oversight is the practice of monitoring risks related to the confidentiality, availability and integrity of the Firm’s systems and information including associated processes and controls. The successful candidate will be responsible for helping execute independent oversight and monitoring of risks and controls around the Firm’s technology and security along with relevant thought leadership.

Primary Responsibilities:

• Identify and evaluate risks related to the systems and information supporting Firm activities

• Assess, through inspection, observation, or re-performance whether controls are designed and implemented effectively so as to verify that risks are mitigated to targeted levels

• Review completeness and execution of relevant procedures and assess assurance mechanisms for how effectively they identify weaknesses or failures of key controls

• Work with 1st line of defense risk and control owners in assessing inherent and residual levels of risk based on a structured risk framework

• Provide team and department management with an independent view of the risks pertaining to the Firm’s systems and information based on the risk assessment and control assurance activities

• Maintain and/or oversee relevant policies and procedures related to technology and security processes executed by 1st line of defense

• Participate in relevant governance, steering, and working group committees

• Review metrics and escalation reports to monitor risk and control-related developments, issues and trends

• Review technology and security risk issues as well as internal and external incidents in order to help inform the 2nd line of defense independent view of the overall technology and security risk posture of the Firm and its underlying legal entities

• Work with 1st line of defense management in discussing and resolving control gaps, risk trends, risk issues and incidents

• Work with 1st line of defense management in preparing lessons-learned analysis of operational risk incidents

• Provide monthly and quarterly risk reporting

• Provide quarterly updates on relevant top operational risks and emerging risks

• Provide challenge to 1st line of defense assessments of their risks and controls

• Provide guidance to 1st line of defense on evolving technology and security risk landscape

• Coordinate with ORD colleagues who cover Business Units and Infrastructure Groups in discussing impact of technology and security risks on business and support processes

• Participate in Operational Reviews such as the Incident Review Meetings and Analyses

• Participate in scenario analysis workshops to assess risk impacts

• Monitor industry developments in the management of technology and security risk

• Build and maintain strong positive relationships with the broader risk community in 1st line of defense

• Work with key stakeholders to evaluate policy exception requests and prepare for senior management review


• Bachelor’s Degree minimum

• 10-15 years’ worth of technology and/or security risk related work experience, preferably in the financial services industry

• Experience in Technology (IT) Risk Management and/or Technology (IT) Audit including Information Security, and/or Cyber Security

• Experience with relationship management

• Strong interpersonal skills in order to work in a team-oriented environment

• Excellent communication skills, both verbal and written; ability to produce concise and effective presentations tailored to technical and non-technical audiences

• Strong project management and organization skills

• Ability to multitask and prioritize

• Ability to work under pressure and to tight deadlines

• Flexible and self-motivated

• Strong analytical and problem-solving skills

• Proficiency in MS Office and related applications (e.g. Word, Excel, PowerPoint)