IT Risk Oversight Specialist

Meridian Credit Union
Full Time | mid
CA | Posted April 26, 2026

Job Description

About This Opportunity

At Meridian our aspiration is to integrate our purpose into everything we do for people, the planet, and communities. We believe that our greatest opportunity is to create opportunity and meet people where they are.

The IT Risk Oversight Specialist is a member of Meridian Credit Union’s Risk Management Team. The IT Risk Oversight Specialist is responsible for building, owning, and managing an IT risk oversight program providing analysis, independent oversight reporting, and overall second line oversight and effective challenge of Meridian’s IT Governance and Information Security programs. The role will act as a trusted business advisor to internal partners with respect to IT risk management best practices, processes, and procedures.

Key Responsibilities

IT risk oversight:

  • Lead/participate in all internal and external IT Audit and assessment activities. This includes working with the IT Governance and InfoSec team to develop, communicate, and maintain an annual audit plan and schedule, working with executives, senior management, IT subject matter experts, and third-party auditors and assessors.
  • Work with Internal Audit Services and External Auditors on planning and executing audit engagements, including independent control testing as appropriate.
  • Monitor and track IT Audit management commitments and remediation activities to ensure commitment dates are met.
  • Oversee the centralized tracking of internal IT & InfoSec documentation to meet regulatory objectives (e.g. COBIT, ISO), ensuring all documentation required for audits and assessments is maintained and kept updated on required cycles.
  • Develop, maintain, collect, challenge, and oversee metrics related to 1st line activities.

Oversight of IT Governance and InfoSec function:

  • Create and maintain second line of defence oversight role, program, responsibilities, and processes related to IT Governance and InfoSec’s management of IT and Information Security risks.
  • Partner with IT Governance and InfoSec to actively contribute to the development of IT risk policies, frameworks, and mandates.
  • Monitor IT and Information Security measures and key risk indicators and review and challenge IT Governance and InfoSec's functional designs, data, and processes.
  • Assess the adequacy of IT and Information Security risk appetite and recommend updates.
  • Participate in risk policy and metrics development and maintenance.
  • Report on Meridian’s compliance with Policies, risk appetite, etc. to Meridian management and Board of Directors.

Enterprise-wide risk programs:

  • Support Risk Leadership in the management and execution of several enterprise-wide risk programs that have a strong focus on IT risk elements, including:
      • Enterprise Risk Management (“ERM”) programs, including quarterly ERM assessments, risk appetite setting/monitoring, and initiative risk assessments;
      • Operational Risk Management Framework;
      • Business Continuity Management Program, including elements of the Crisis Management Team (“CMT”) and Computer Security Incident Response Team (“CSIRT”); and
      • Scenario analysis, including inputs to the Internal Capital Adequacy Assessment Process (“ICAAP”).
  • Assist with the completion of Risk and Control Self-Assessments (“RCSA”) for IT and related departments.
  • Support and manage the broader IT risk management programs of all Meridian subsidiaries as required.

AI and Data oversight:

  • Support Risk Leadership to develop/maintain the framework through which AI and Data risks are identified and assessed by the 2nd line.
  • Maintain close relationships with Enterprise Analytics & Data team to provide oversight of AI and Data risk management programs.
  • Oversee and provide reporting to management and the Board of Directors on the overall status of AI and Data risk management as needed.

Knowledge, Skills, And Abilities

  • Experience related to IT governance/risk functions.
  • Working knowledge of industry IT frameworks, such as COBIT and ISO 27001 & 27002.
  • Knowledge of FSRA and OSFI regulation on IT and Information Security.
  • Strong verbal communication and training skills with ability to facilitate a mix of technical teams and Senior Management.
  • Strong interpersonal skills; able to interact independently (with minimal supervision) and competently with all levels of management, staff, and vendors.
  • Ability to develop and maintain strong internal and external relationships.
  • Strong written communication skills with ability to write clear, easy to understand work (policy, procedures, plans, and technical documentation).
  • Strong analytical and methodological skills with attention to detail.
  • Strong t
