Sr Director, Information Risk Officer
About the Position
The Information Risk Officer Senior Director will be accountable for providing oversight and credible challenge of Freddie Mac’s information risk program, which includes information security, cybersecurity, data risk management, identity and access management, and physical security functions. This role is created in alignment with the Second Line of Defense (SLOD) risk structure for Enterprise Risk Management (ERM). As part of the SLOD, this role assures the planning and execution of oversight and independent challenge of the First Line of Defense risk management function, consistent with Freddie Mac’s vision, values and risk appetite.
The successful candidate will report to the VP, Head of Domain Risk Group and Enterprise Risk Officer for Information, Technology, Third-Party, Fraud, and Business Resiliency.
Strategy, Framework, and Policy Development
- Ensure that the strategic thinking and thought process is included in the design and implementation of the information risk management program and capabilities, including the risk methodology across Freddie Mac to manage risk efficiently and effectively in conjunction with corporate strategic objectives.
- Drive and execute information risk oversight agenda as part of the risk transformation objectives, across governance, enterprise and divisional policy, standards, procedures, risk assessment and treatment, testing, and metrics & reporting.
- Design and establish the information risk policy and the related risk policies and standards associated with information security, identity and access management, data risk management, and physical security at enterprise level. At the same time, review divisional policy and procedures for alignment and adherence.
- Understand industry trends and best practices: engage with the industry and broader ecosystem to understand industry trends, create business cases for best practices and implement changes.
Assess & Mitigate Business Resiliency (BR) Risk
- Work across the three-lines of defense to ensure information risk is properly mitigated.
- Develop and establish the risk profile and reporting requirements regarding information security, cybersecurity, identity and access management, and
- Conduct independent risk reviews of the technology function as it relates to business resiliency management and recommend corrective actions.
- Provide leadership and direction across enterprise for proper planning, execution and escalation for business resiliency risk across all businesses and divisions.
- Be a key partner with the 1st-line business resiliency program team to mature risk management capabilities.
- Partner with operational risk leads to evaluate specific BR risks, controls, issues, and/or risk responses, and support the divisions’ evaluation of BR risk.
- Mitigate technology risk as it relates to business continuity planning – sustainability, change management and disaster recovery.
- Lead oversight of enterprise-wide BR initiatives and programs.
- Serve as a key member of the technology and risk leadership teams and related risk committees.
- Lead relevant BR interactions with regulatory bodies.
- Provide regular updates to key stakeholders on the overall enterprise resiliency risk posture and recommendations for improvement. Prepare the information needed to facilitate management discussion and decision making. This may include Board presentations.
- Communicate with stakeholders at all levels, across businesses and divisions, to achieve effective communication and sufficient stakeholder input and buy-in.
Team Management & Leadership
- Evaluate the existing team, retain and motivate the group, attract outside talent and improve the overall quality of the team.
- 12+ years of experience in risk, control and governance disciplines.
- 7+ years of experience in business continuity planning and disaster recovery.
- Must have developed an enterprise-wide business resiliency framework that defines the metrics used for reporting and monitoring, sets the thresholds, and determines the escalation process in the event risk tolerances are breached.
- Experience developing processes to identify and evaluate technology risks and control self-assessments.
- Proven independent oversight of all technology risk management standards, including any key risk indicators, risk limits and approval authorities.
- Ensure enterprise-wide technology risk is a fundamental element of the strategic planning process. Work closely with senior management and the board in defining and communicating strategies, exposures and risk across the company to ensure adequate business continuity and resiliency planning.
- Experience operating within the three lines of defense model.
- A self-starter with a “can-do” attitude; a driver and implementer who possesses the poise and ability to act calmly and competently in high-pressure, high-stress situations. High emotional intelligence as well as a strong ability to influence those outside his/her organization.
- Strong resilience, ability to lead through ambiguity, and persistence to move ahead regardless of barriers.
- Proven ability to build positive, collaborative relationships at all levels of the enterprise and across a diverse set of functions. The ability to develop strong relationships and influence multiple stakeholders to gain alignment and buy-in on key issues will be critical for success.
- Skilled in project management as well as work plan development and implementation; astute in strategic planning, budgeting, and allocation.
- A team builder with a track record of attracting, developing, and retaining high-performing talent.
- An undergraduate degree is required; a master’s degree is preferred. Professional certifications (CRISC, CIA, CISA, CISP, etc.) beneficial.
- Typically has 15+ years of related experience and 8+ years of management experience.
Keys to Success
- Ensure smooth transition of leadership to maximize continuity, stability and controls throughout the organization.
- Quickly and genuinely establish trust and credibility with key stakeholders and business partners across the enterprise.
- Assess, determine priorities and execute crisply on the necessary changes to mature the 2nd-line risk management function and reduce operational risk as it relates to business continuity planning and disaster recovery.
- Further develop and enhance a high-performance culture with accountability throughout the organization; mentor, develop, coach, and improve team engagement.
- Establish and facilitate a coordinated effort across the divisions’ risk organizations, including the Information Technology division.
- Be a key partner with the businesses in mobilizing the business resiliency risk program, and drive the 2nd-line oversight activities in this space.
Top 3 Personal Competencies:
- Leadership – Set and execute upon a clear vision, strategy, and/or goals
- Partnership – Build trust and strong partnerships through my own and my team’s actions
- Seek and Embrace Change – Continuously improve work processes rather than accepting the status quo
Interested in applying to this career opportunity?
Please email Taylor Frank, [email protected], and include Sr Director, Information Risk Officer in the subject line.
About Freddie Mac
Today, Freddie Mac makes home possible for one in four home borrowers and is one of the largest sources of financing for multifamily housing. Join our smart, creative and dedicated team and you’ll do important work for the housing finance system and make a difference in the lives of others. Freddie Mac is an equal opportunity and top diversity employer.