Position resides within the Technology and Cybersecurity Risk Oversight department, and is responsible for the delivery of data and technology second line risk management services in line with area policies, industry standards, and management expectations. The role will maintain a primary focus on data risk oversight, including governance, data quality, lineage, MDM, records retention, and related data management practices implemented at an enterprise level. Through a strong understanding of data and technology risk, the position is responsible for advising line and senior leadership as it relates to the data and technology operational risk of the businesses/functions that it supports. It is expected to do so collaboratively, drawing on team/stakeholder relationships and other risk partners, as applicable. The position will be responsible for keeping apprised of the evolving landscape of the data and technology risk management environment and proactively influencing internal personnel accordingly.
Primary Responsibilities:
- Independently and continuously evaluate the area's management of key processes for the effective and efficient mitigation of data and technology operational risk. In a risk-based and collaborative manner, ensure underlying elements of the risk management framework accurately reflect the data and technology operational risk environment. Identify gaps or deficiencies and ensure remediation activities address the risk. Escalate through the governance structure up to and including senior management / governance committees, as appropriate. Lead initiatives to analyze various elements of said framework.
- Leverage existing hands-on experience in data and/or technology roles and knowledge of industry frameworks utilized by the organization or broader industry, such as DCAM, DAMA DMBoK, NIST, FFIEC AIO, and ITIL to provide guidance and build trusted partnerships with internal staff and third parties.
- With appropriate levels of oversight and guidance, prepare and support suitably detailed reports/presentations for management that relate to, and provide opinions on, the state of and/or concerns with the data and technology operational risk environment of the business function.
- Appropriately manage the data and technology risk activities in the area you oversee (findings/validations, remediation plans/updates, closure and closure validation).
- Prepare and present materials/presentations to senior managers.
- Actively participate in designated risk committees and other meetings, serving as the second line of defense representative in any discussions. Ensure the communication of relevant concerns or positions taken to appropriate management.
- With minimal oversight, serve as an active liaison to assigned business units (BUs). Have working relationships with line management and key personnel to ensure two-way communication on issues and concerns. Escalate significant and/or unresolved risk-related matters to Department management.
- Assist with oversight of data and technology Risk Control Self Assessments (RCSAs) and other risk management reporting; this includes gap and delta assessments.
- Engage with assigned oversight areas: understand the technology, and oversee and advise on project/product work prior to implementation, leveraging experience and expertise, risk management practices, the existing risk register and validation of controls.
- Identify and assess emerging risks and risks associated with new products/ services/ markets/ channels or changes to existing products/ services/ markets/ channels.
- Responsible for fieldwork (analysis, investigations, incidents, KRI/KPI metrics breaches, etc.) where some of this may be supported by team Risk Specialists.
- Participate in remediation efforts related to internal and/or external audits and third-party in-depth assessments of data/technology business line efforts and risk management activities.
- Adhere to applicable operational risk controls and frameworks in accordance with Company or regulatory standards and policies.
- Develop and produce complex and ad hoc departmental reports, spreadsheets and project work related to oversight of data and technology risks.
- Understand and adhere to the Company’s risk and regulatory standards, policies and controls in accordance with the Company’s Risk Appetite. Identify risk-related issues needing escalation to management.
- Promote an environment that supports belonging and reflects the M&T Bank brand.
- Maintain M&T internal control standards, including timely implementation of internal and external audit points together with any issues raised by external regulators as applicable.
- Complete other related duties as assigned.
The individual will be responsible for documenting engagement activities, areas of concern, and measuring the potential risk to the organization as it relates to the organization’s risk appetite. This may include issuance of findings, review of remediation plans and validation of closure evidence. The position has a strong understanding of the business or functions it supports and may have indirect responsibility over junior members within the team, who will develop their skill sets under the guidance or direction of this individual.
Supervisory/Managerial Responsibilities: No direct management but may provide guidance to analysts and specialists.
Education and Experience Required:
- Bachelor's degree and a minimum of 5 years’ relevant work experience in technology, cybersecurity, risk, audit, compliance, or other relevant function, OR in lieu of a degree, a combined minimum of 9 years’ higher education and/or work experience.
- Demonstrated advanced knowledge of technology and/or cybersecurity risk principles
- Proficient computer skills (including spreadsheet and word processing software), analytical skills, working knowledge of applicable laws, written and verbal communications.
- Prior experience working in oversight of, or within, Chief Data Office departments at financial institutions
- Strong knowledge of financial industry best practices for data management, including implementation of DCAM and DMBoK frameworks
- Demonstrated ability to perform various risk assessment and identification practices, and ability to critically analyze the appropriateness of risk mitigation and response measures by the business.
- Formal education in Data Science, Information Technology, Computer Science, or related field.
- Applicable certification aligned to a function or domain such as Certified in Risk and Information Systems Control (CRISC®), Certified Data Management Professional (CDMP), Certified Information Systems Auditor (CISA), or IT Infrastructure Library (ITIL).
- Proficient level of critical thinking and able to lead problem solving
- Excellent communication and interpersonal skills
- Experience partnering with leadership to design solutions
- Excellent ability to strategically seek critical information and apply it to specific processes
- Prior experience prioritizing competing priorities in a quickly changing landscape, and delivering results aligned with priorities
- Proficient persuasive communication skills to gain buy-in of others


