Cloud Controls Engineer
Arlington Heights, IL

About

Job Description

This role is CCO Technology - Senior Technology Controls Manager - Cloud, and provides support to Global Cloud Services. The role holder will act as the CCO Technology - Cloud engagement lead for one of AWS, Azure, or Google Cloud Platform.

A key contributor within the Global Chief Control Officer (CCO) Function that directly supports the Group's Chief Operating Officers (COO) within HSBC, one of the world's largest banking and financial services organisations. The purpose of the CCO function is to enable our colleagues within HSBC Operations, Services and Technology (HOST) to deliver a safe and secure service to all our customers, colleagues and the Bank itself.

This role provides expertise in relation to Technology's management of its control environment within the context of the Operational Risk Management Framework.

Global Cloud Services at HSBC

Cloud First strategy

HSBC have adopted a "Cloud First" strategy in order to meet the growing market demand for speed to market, delivery flexibility and staying competitive in an increasingly challenging marketplace. The strategy is driven by a focus on business value, key focus areas being:

* Delivering improved capability - HSBC will be leveraging the Cloud Service Provider (CSP) technologies that HSBC would not have been able to provide internally at an equivalent speed, cadence, cost or quality.


* Increasing delivery flexibility - benefit from CSP elasticity and dynamic scaling of immediately available near infinite capacity, providing a cost effective edge in a rapidly changing and increasingly competitive market.


* Transforming our Cost Model - adopt a flexible on demand consumption based model, leveraging lower available pricing for commodity services freeing up funding to focus on higher value propositions.



Our Cloud First strategy has well established design principles, focussed on extracting the highest value from the cloud market with its associated resilience and security:

* Each major Cloud provider is playing a defined role within a multi-Cloud architecture.


* We are using geographical distribution for resilience and reduced latency, retaining control of the physical location of systems and data.


* Open standards and common technologies are prioritised to support contingency plans for key services.


* We are employing native Cloud services where appropriate to provide enhanced capabilities.


* We are protecting our data from attack and unauthorised access through market leading defence in depth, encryption and access management controls.



An integrated Global Cloud organisation

To support our 'Cloud First' strategy, we have established a "Global Cloud Services" (GCS) organisation within Group IT. GCS is led by Ian Haynes who reports into Dinesh Keswani (CTO) and then Darryl West (CIO).

Our multi-cloud model

We are engaged with multiple global Cloud providers - Google (GCP), Amazon (AWS) and Microsoft (Azure) - to leverage their individual capabilities across geographic coverage and to provide us with contingency options in the event of a failure of any one Cloud provider.

These are transformational times at HSBC as we build a market leading team in cloud adoption.

Principal Accountabilities

The primary objectives of the role are to:

* Oversee the end to end health of the Cloud control environment


* Operate as a Subject Matter Expert for the Risk Management Framework


* Lead audit (internal and external) and risk related regulatory engagement as the technology controls SME


* Instigate and manage initiatives to drive improvements to the Technology control environment including the effective design of material controls


* Partner with the Global Cloud Services team to create effective design, analysis and remediation of control measures


* Provide risk and controls consultancy, advice and guidance to the Global Cloud Services and GB/GF teams deploying to Cloud.


* Lead the application and critique of the Technology risk and controls framework


* Ensure the appropriate application of policies, control standards and procedures


* Member of relevant governance forums, Audit and regulatory reviews etc.


* Advocate the desired behavioural changes across the CIO community required to mature the understanding and management of technology risk controls



Impact on the Business

Control Expertise

* Influencing, explaining and managing effective design, analysis and remediation of control measures


* Work with Technology to create an effective design and efficient operation of


* Accountable for the deployment of the Operational Risk Management Framework


* Responsible for identifying emerging risks and threats and deficiencies with deployed key controls


* Opine on control environment, form risk assessments, provide advice on remediation plans



Governance

* Implement robust governance in relation to risks and ensuring all stakeholders have visibility of key risks and remediation activity


* Ensure Technology remains within its risk appetite


* Work with Technology to design and deploy key controls, key control indicators, evidence requirements and tools to ensure control effectiveness


* Validate control measures include RCA, KRIs, KCIs, control operation, test approaches, reviews, audits, judgment based attestations, supplier audits, sampling of supplier procedures


* Engage the key stakeholders to promote positive behaviour and actively manage risk


* Work closely with Technology to develop and monitor risk remediation program activities and actions to ensure delivery within acceptable timelines


* Focusing on Technology top risks and threats, including new/emerging top risks, to ensure they are fully understood and that controls that mitigate these risks (key controls) are effective, efficient and where possible automated, rather than being comprehensive


* Responsible for embedding risk and control management framework



Customers / Stakeholders

* Work closely with senior level CIO/COO stakeholders and ensure visibility of key risks and remediation activity necessary to appropriately manage the Bank's services and data in a Cloud computing environment


* Provide ongoing assurance to external regulators and auditors as to the rigour of the control environment managed by HSBC with key vendors and suppliers over the extended Cloud computing environment


* Partner with key core cloud migration project teams and stakeholders across Technology and business division to define the control requirements and provide ongoing assurance of controls effectiveness


* Present complex Cloud issues confidently and concisely to Technology and HOST stakeholders using non-technical easily understood language


* Partner with 2nd & 3rd LOD including IT Security, Operational Risk, Compliance, ISR, and Audit


* Face off to colleagues in 2nd and 3rd line of defence



Leadership & Teamwork

* Role model a positive internal risk and control culture across Technology teams and shape the climate, tone and environment in which people work


* Make considered decisions that protect and enhance HSBC values, reputation and business


* Lead the execution and remediation of thematic reviews / investigations / compliance reviews in response to internal or external events within Technology



Operational Effectiveness & Control

Apply and critique Risk & Control Framework by:

* Working with Technology to define and apply Technology Risk & Control standards and processes in order to drive consistency across Technology


* Partner with Technology to identify, measure, mitigate, monitor and report Technology's top risks (including new/emerging top risks)



Apply and critique definition and application of policies, control standards and procedures by:

* Working with Technology to influence definition of policies and control standards


* Implementing clear policy framework across dispensations and waivers


* To innovate and enhance the control framework and contribute towards reduction of findings noted in Audits, Internal Control reviews, 2LoD reviews, etc.


* Strong knowledge of Cloud technologies across one or more of AWS, Google Cloud Platform, MS Azure
* Demonstrable expert knowledge in operational risk management, internal control, or internal audit preferably within a banking operations and / or IT Function
* Proven project / process management experience with a solid delivery track record driving change
* Self-starter and effective collaborator
* Influencing across all levels and boundaries
* Navigating a matrix management structure
* Ability to present complex issues confidently and concisely to senior stakeholders using non-technical easily understood language
* Strong communication and interpersonal skills to a wide range of individuals and groups and at different levels of seniority
* Innovative and able to assess needs and propose solutions
* Ability to influence without direct management authority
* Previous management experience - notably building and developing teams
* Able to actively engage with senior stakeholders
* Ability to drill down to root cause and write/review clearly articulated risk documentation
* Certifications CISA, CISM, CISSP, CRISC, COBIT or ITIL desirable
* At least 5 years relevant experience preferably within a risk management related role
* Relevant working experience in Financial Services industry

EEO/AA/Minorities/Women/Disability/Veterans
