
Information Technology (IT) Risk Management, Dir.

Federal Home Loan Bank of San Francisco
United States, California, San Francisco
Sep 05, 2025
Job Description:

Background:

The Federal Home Loan Bank of San Francisco ("Bank") is a cooperative, wholesale bank that provides liquidity to its members and helps meet community credit needs through credit products and services to member financial institutions over all phases of the economic cycle. The Bank's members include commercial banks, credit unions, industrial loan companies, savings institutions, insurance companies, and community development financial institutions headquartered in Arizona, California, and Nevada. The Bank is member focused; embraces accountability to meet commitments and uphold our governance, risk and control standards as a government sponsored enterprise; and values differences to foster an inclusive culture.

The role of the Director, IT Risk Management (ITRM) within Enterprise Risk Management (ERM) is to support the Bank in continuing to mature and execute the Bank's IT Risk Management practices. Our goal is to provide an enterprise-wide risk framework and centralized oversight and governance for IT and Information Security (IS) activities, and to drive greater transparency and inform risk-based decision-making across the Bank. Additionally, the role will be responsible for executing the risk-based IT and IS assessment activities for the in-scope Business Units (BU), processes, and technologies/tools.

Success in this role entails working closely with the Risk, IT, and IS teams to socialize risk concepts and frameworks, and promote the organization's risk culture. Additionally, this role must have the ability to adapt previous experience and industry leading practices to fit the Bank. The position also partners with functional and operational leadership in the development of risk mitigation plans, consistent with the Bank's ERM framework. The role will be an integral part of a risk management team that encourages creativity, leadership, and influence.

Primary Responsibilities:

Under the direction of the Senior Director, IT and EUC Risk Management, the essential responsibilities for this role will be the following:

  • Help mature and execute an IT and IS risk management framework using industry leading practices (e.g., NIST CSF, COBIT, and Cloud Security Alliance) and take into consideration regulatory expectations.
  • Review processes and controls against leading practices, industry frameworks, and regulations, identify gaps in design and execution, communicate issues and recommendations, and monitor remediation efforts.
  • Drive common Process, Risk, and Control taxonomies for the Bank, including IT and IS, to improve operational efficiency.
  • Leverage the Bank's ERM, ORM/ITRM frameworks and partner with IT and IS teams to execute IT and IS risk assessments - including Inherent Risk Assessments (IRA), Operational Risk Assessments (ORA), FedLine Advantage Assessment, AWS assessment, and other in-depth technology and process assessments - identify gaps, document action plans, and perform validation as appropriate.
  • Assist in Operational integrated risk assessments by leading the technology aspects of the IRAs and ORAs for the in-scope BUs.
  • Partner with the ERM/ORM teams and lead the effort to review and refresh ORM/ITRM Policy and Procedures, at a minimum, on an annual basis.
  • Assist ERM leadership to update Risk Appetite Framework annually or as needed. Help define and enhance Key Risk Indicators (KRI) and their tolerances, generate or review metrics and Key Takeaways in the Enterprise Risk Report (ERR).
  • Lead the investigation and documentation of IT and IS related Operational Events. Validate remediation actions when completed.
  • Prepare and present IT Risk Management updates to Committees as appropriate.
  • Assist with communication and escalation of significant IT/IS risks and issues to the appropriate management, and monitor corrective actions to address issues, where needed.

In addition, this role may be asked to complete the following tasks:

  • Assist the Enterprise Risk Officer and the Senior Director, IT and EUC Risk Management, in ERM strategy-implementation and improvement opportunities.
  • Assist in regulatory and internal audit engagements, including collection of relevant documentation requested in internal and external exams.
  • Work with the Risk Analytics team to help embed data-driven metrics and decisions within ERM.
  • Work with the IT and IS teams on technology initiatives as appropriate, e.g., Artificial Intelligence tools adoption and Cloud transformation.
  • Help assess enterprise and emerging risk issues, including assignment of risk ratings consistent with established policy standards.
  • Other tasks under the direction of ERM/ORM/ITRM leadership.

Critical Competencies:

  • Knowledge and working experience with ORM and ITRM Frameworks based on industry best practices and the three lines of defense model.
  • A minimum of 7 years of experience in performing IT/IS/ORM risk assessments and control testing leveraging IT/IS Frameworks and Standards (e.g., FFIEC, NIST CSF, ISO, COBIT, ITIL).
  • Knowledge of IT and IS risks associated with the System Development Lifecycle, Development Operations, Agile Development Processes, Infrastructure, Security Operations/Engineering, etc.
  • Knowledge of and experience with IT and IS tools, e.g., SailPoint, Splunk, Tenable, and CyberArk.
  • A team player who can comfortably work in a dynamic and fast-paced environment, ability to respond to changing circumstances, and ability to meet the hybrid working model requirements.
  • Ability to interact with senior management while balancing multiple projects and other responsibilities.
  • Regulatory experience with the Federal Housing Finance Agency is a plus.
  • Strong attention to detail with a proactive approach to solving and preventing problems.
  • Excellent organization, project management, and prioritization skills.
  • Excellent interpersonal skills to work in a team environment and to influence and interface with a broad range of stakeholders at all levels, internal and external.
  • Certified Information Systems Auditor (CISA), Certification in Control Self-Assessment (CCSA), Certified Information Systems Security Professional (CISSP), Certified Internal Auditor (CIA), or other risk management discipline certification.
  • Ability to take ownership of projects and deliver high-quality results.

SALARY RANGE: $175K - $210K

The Federal Home Loan Bank of San Francisco is committed to the principles of equal opportunity in employment (e.g., employees, applicants) and in contracting (e.g., suppliers, vendors) regardless of race, color, religion, sex, national origin, disability status, genetic information, age, sexual orientation, gender identity, status as a parent, or any other characteristic protected by law. We are committed to cultivating a workplace free of unlawful discrimination, harassment, and retaliation, and are dedicated to fostering vibrant communities by serving as a reliable source of liquidity and resources for affordable housing and economic development.

Salary ranges reflect the base salary that the Bank reasonably expects to pay for a given role and are not inclusive of annual incentive award opportunities, retirement benefits or the value of other health and welfare or other ancillary benefits. We consider many factors when determining base salaries such as individual background and experience, the competitive environment, education, particular skill set(s), and industry and institutional knowledge.

The Bank is committed to offering all team members challenging and engaging work with market competitive pay, retirement, and benefit offerings. In support of this commitment, the Bank routinely engages in market competitive benchmarking surveys and analysis to ensure our team members continue to be paid fairly and competitively.
