DBS Bank

Associate, Specialist, IT Governance & Compliance, Technology and Operations

  • Posted 15 days ago

Job Description

Business Function

Technology and Operations (T&O) enables and empowers the bank with an efficient, nimble and resilient infrastructure through a strategic focus on productivity, quality & control, technology, people capability and innovation. In Group T&O, we manage the majority of the Bank's operational processes and aspire to delight our business partners through our multiple banking delivery channels.

This includes conducting Risk Control Self-Assessments (RCSAs), identifying, monitoring, and mitigating risks, and ensuring adherence to both internal and regulatory policies. The specialist will oversee audits, compliance requirements, issue identification and closure, and support regulatory and internal reporting obligations. Strong coordination with Technology, Operations, Compliance, and other stakeholders is essential to maintain a resilient and well-governed Technology environment.

The IT Governance Specialist aspect of this role involves developing, implementing, maintaining, and monitoring adherence to the IT department's policies, procedures, and Standard Operating Procedures (SOPs). This includes preparing presentations and reports for various management forums. The role also contributes to IT risk management and IT vendor risk management, requiring an understanding of project management. The specialist will oversee the assessment and continuous monitoring of IT vendors and partners to identify, evaluate, and mitigate information security, compliance, and operational risks, ensuring adherence to internal policies, industry standards, and regulatory requirements.

Key Accountabilities/Responsibilities:

Technology Governance & Risk Management:

  • Conduct and manage the full lifecycle of RCSAs, including control identification, testing, effectiveness assessment, and documentation.
  • Identify, monitor, track, and mitigate Technology risks across applications, infrastructure, processes, and third-party engagements.
  • Facilitate and sign off risk acceptance proposals in accordance with internal policies.
  • Review, monitor, and support remediation for Change Management, Incident Management, and Problem Management activities.
  • Drive timely creation and execution of mitigation plans and ensure closure of risk items.
  • Strengthen ongoing risk monitoring through proactive checks, stakeholder dialogues, and thematic risk assessments.
  • Prepare comprehensive materials and presentations for key technology forums.

Audit & Compliance:

  • Manage various audits including regulatory (RBI/SEBI/MAS), internal, statutory, and concurrent audits.
  • Support requirements for certifications like PCI DSS and ISO.
  • Front-end audit engagements by coordinating with auditors and preparing teams.
  • Conduct proactive internal checks to assess readiness and validate evidence.
  • Lead evidence collection, quality assurance, submission, and end-to-end closure of observations.
  • Ensure accurate and timely reporting of audit statuses and action closure to senior stakeholders.
  • Minimize repeat findings through structured remediation and control enhancements.
  • Develop and implement IT policies and procedures aligned with organizational goals and industry best practices.
  • Provide guidance and support to IT teams on governance and risk management.
  • Identify and implement IT governance-related training needs.
  • Stay updated on IT governance trends and industry standards.
  • Conduct risk review and confirmation on new product initiatives/applications and for exception change requests.

Regulatory Compliance & Issue Identification:

  • Proactively identify issues, control gaps, deviations, and process weaknesses through continuous monitoring and internal assessments.
  • Track and monitor identified issues for timely and effective closure across Technology teams.
  • Maintain accurate issue logs and update dashboards.
  • Promote a culture of proactive risk detection and transparent reporting.
  • Review new regulatory requirements/circulars and evaluate compliance needs, gaps, and monitoring of compliance actions.

Regulatory & Internal Reporting:

  • Prepare and submit regulatory reports (e.g., RBI tranche reporting, Cyber Security KRO) and supervisory artifacts.
  • Manage and track Key Risk Indicators (KRIs), perform trend analysis, and highlight emerging risks.
  • Support internal risk reporting, including dashboards, governance packs, and periodic updates for senior management.
  • Ensure accuracy, completeness, and timely delivery of all reporting commitments.
  • Establish IT performance metrics and monitor KPIs to measure effectiveness of IT processes.
  • Develop internal control checks and drive automation, AI, and data adaptation in governance and risk practices.

Risk Awareness & Culture:

  • Drive a strong risk-aware culture across Technology, promoting proactive identification, early escalation, and transparent communication.
  • Conduct regular training sessions, awareness programs, and workshops on Technology Risk, compliance, and audit preparedness.
  • Partner with leaders to embed risk-first thinking into operations, project governance, and decision-making.
  • Foster continuous learning from incidents, audits, and thematic assessments.
  • Encourage accountability for controls, risk ownership, and adherence to standards.

IT Risk Management including Vendor Risk Management:

  • Conduct periodic IT risk assessments to identify vulnerabilities and recommend controls.
  • Lead IT vendor risk management initiatives, ensuring adherence to requirements.
  • Maintain, update, and report vendor inventory.
  • Ensure adherence to regulatory and internal requirements for IT vendors, including inventory management, periodic review, risk assessment, SLA monitoring, contracting, onboarding, and offboarding.

Project Management:

  • Ensure all IT projects align with organizational strategy, regulatory compliance, and security standards.
  • Optimize IT investments.

Documentation:

  • Develop and maintain a repository of technology risk policies, frameworks, procedures, and compliance documentation.
  • Create and implement checklists for data gathering for various reporting and compliance initiatives.
  • Maintain updated Terms of Reference (TOR) for internal governance forums and current copies of regulatory directives.
  • Develop training and awareness materials on regulatory requirements and Tech Risk Culture.

Collaboration and Communication:

  • Collaborate with cross-functional teams to meet Tech risk deliverables within deadlines.
  • Ensure effective communication and collaboration across technology teams and stakeholders.
  • Drive initiatives to enhance Tech Risk culture and foster proactive actions regarding Tech Risks.

Required Experience:

  • 5-8 years of relevant experience in IT Risk Management, Technology Audit, Compliance, or related roles.
  • Strong understanding of RCSA, risk frameworks, and incident/change/problem management processes.
  • Hands-on experience managing regulatory, statutory, internal, and concurrent audits.
  • Experience with issue management, control testing, evidence management, and audit readiness.
  • Strong analytical skills to synthesize risk information for leadership.
  • Familiarity with regulatory reporting (RBI/SEBI/MAS) and Technology-specific reporting standards.
  • Strong understanding and practical experience in IT Governance and IT Third-Party Risk Management principles and best practices.
  • In-depth knowledge of regulatory requirements including MAS, RBI, SEBI.
  • Strong hands-on experience in vendor risk management practices.
  • Strong analytical, problem-solving, and communication skills to engage with stakeholders.
  • Ability to identify control gaps and find solutions to mitigate them.
  • Drive automation and adaptation to new technologies for effective monitoring and governance risk oversight.
  • Experience with audit planning and reporting.
  • Ability to work independently and meet given timelines.

Education/Preferred Qualifications:

  • Bachelor's degree in IT, Computer Science, Engineering, or related field.
  • Preferred: Master's in Technology/IS or MBA.
  • Certifications like CISA, CRISC, CISM, CISSP, ISO Lead Auditor are beneficial.
  • Graduation in BE IT/Computers/Electronics, B.Sc - Computers, M.Sc - Computers.
  • Post-Graduation in PGDIT, MCA, MBA, CA.

Core Competencies:

  • Strong analytical and problem-solving capabilities.
  • Ability to engage with senior stakeholders with clarity and confidence.
  • High attention to detail, discipline, and adherence to regulatory rigor.
  • Ability to manage multiple priorities and meet strict timelines.
  • Strong collaborative mindset with a risk-aware work ethic.
  • Strong communication and interpersonal skills.
  • Change / Innovation Orientation.
  • Intelligence & Diligence: Ability to meet demanding deadlines.
  • Detail oriented yet comfortable in a dynamic environment.
  • Good attitude and a team-player.

Technical Competencies:

  • Strong understanding of IT controls, risk frameworks, audit methodologies, and regulatory standards.
  • Proficiency in data analytics and use of automation/AI tools for risk and compliance monitoring.
  • Knowledge of ITGCs, application controls, access/privilege management, and infrastructure governance.
  • Familiarity with GRC tools, audit management platforms, and compliance systems.
  • Prior experience (5 to 8 years) in risk management/governance/compliance in the banking industry.

Job ID: 142642455