People sitting at table all looking in the same direction
Back to search results

Compliance & Operational Risk Manager - Information Security

Charlotte, North Carolina;

Job Description:

Specific Job Description

The Operational Risk and Compliance oversight will have a broad focused across the areas of; threat prevention, network & infrastructure security, application security, patch management, data loss prevention and incident management. The position will engage with subject matter experts within the Global Information Security organization, with a focus on detecting, remediating and preventing operational risk across the organization, including; self-inspection programs; standards, policy and rule governance; and program execution in support of the Bank of America Risk Framework. Coverage includes activities associated with:
Monitoring – identify, analyze, and provide informed risk challenges on current and emerging trends within the cyber security threat landscape. Monitor key metrics and programs. Participate in governance routines, review of information and key reports / metrics and appropriately challenge.
Assessment – lead assessment activity related to current and evolving security risks that have the potential to impact the company and/or its customers. Influence and challenge senior executives related to control environments. Evaluate the performance, capability and/or coverage of processes, risks & controls and determining the scope and prioritization of risks, processes and controls to review and test.
Testing - Create and review test results and open issues as appropriate upon test failure.

• Create and manage a global coverage plan which defines the scope and focus of the second line’s risk management activities.
• Helps establish, monitor and report on enterprise risk tolerance metric(s) that are translated and connected to relevant business metrics (Key Risk Indicators).
• Monitor regulatory environment and participate in industry forums to identify areas of focus and conduct benchmarking.
• Create and maintain a regulatory inventory, communicate regulatory changes to and engage the FLU/CF in assessing impacts of regulatory changes for enterprise area of coverage.
• Develop and maintain relevant policies or review relevant FLU / CF policies to ensure they reflect regulatory and operational risk requirements.
• Advise and direct business leaders through the FLU/CF C&OR officers to ensure that regulatory requirements are addressed in their respective procedures and controls so that their daily activities operate in a compliant manner.
• Conduct and contribute to annual and targeted risk assessments.
• Review and analyze aggregate results of FLU/CFs’ Risk and Control Self-Assessments (RCSA) for EAC-specific themes and trends.
• Create and manage monitoring and testing coverage plans and related metrics.
• Monitor and test the effectiveness of the FLU and CF’s processes and compliance and operational risk controls.
• Identify, aggregate, report and escalate risks, issues and control enhancements and ensure the C&OR officers for the FLU/CF are aware of issues.
• Review and analyze internal and external losses related to their area of coverage for enterprise-wide themes; escalate concerns or loss exposures as appropriate.
• Lead or contribute to Scenario Analysis activities to provide a forward-looking estimate of hypothetical operational losses.
• Execute governance and management routines.
• Identify regulatory training needs, provide subject matter expertise to support development of training curriculum, and inspect FLU/CF.
• Advise Risk peers and business leaders in preparations for and participation in regulatory exams and audits. Prepare and participate in EAC-specific exams and audits.
• Inspect that gap closure plans and commitments made regarding actions in response to Matters Requiring Attention (“MRAs”) and other actions are completed.
• Escalate regulatory relations concerns to EAC C&OR Executive.
• Ensure Compliance and Operational Risk “owned” issues (i.e., Internal Audit, Regulator and Self-Identified issues) are addressed appropriately and timely.

The EAC Compliance & Operational Risk Manager plans, drives and reviews team deliverables to support consistent quality of activities, processes and outputs. This role may contribute as a manager responsible for providing leadership direction to attract, assess, develop, motivate and retain a team, or may act as an individual contributor.

Provide coverage through risk reviews and assessments to identify opportunities to reduce risks related to information security. 
• Technology experience – Network security, application security, database security, IDS configuration and monitory, and supervisory control/data acquisition security
• Review and challenge security controls and processes.
• Use subject matter expertise and broad technology experience to provide insight and risk mitigation influence related to businesses processes
• Conduct forward looking assessments to identify new/emerging info security risks.
• Effective communication.
• Information Security and Risk related certifications (CISSP, SANS, CRISC or CPSM)
• Ability to present technical information to non-technical persons

Required Skills and Qualifications:
7+ years in technology, operational risk and/or information security, of which at least 3 years must include direct experience in operational risk management and/or information security. Broad technical background with understanding of information security technologies, concepts and controls.
• 2+ years’ experience with information security technology
• Demonstrated knowledge of application and infrastructure architecture
• Strong ability to self-direct work and area of focus and to established appropriate timelines and execution.
• Excellent written and verbal communication skills
• Broad knowledge across many functional business areas
• Ability to translate complex process, application and technology control gaps into risk
• Ability to identify issues and control weaknesses
• Relationship management skills and ability to interface confidently with associates of all levels, including senior executives
• Ability to influence at all management levels in a complex organization
• Ability to align against a strategic priority and organize and deliver results

General Job Description

The Enterprise Area of Coverage (EAC) Compliance & Operational Risk (C&OR) Manager is a subject matter expert on specific processes, controls, laws, rules and/or regulations that have enterprise-wide applicability, affecting two or more Front Line Units (“FLU”) or Control Functions (“CF”). This role is responsible for the execution of the Compliance and Operational Risk Programs (“CORM Program”), the Global Compliance Enterprise Policy (“GC Policy”) and the Operational Risk Management – Enterprise Policy (“ORM Policy”) for these enterprise). The EAC C&OR manager identifies, escalates and mitigates risks in a timely manner in alignment with the CRM and ORM Programs and the GC and ORM Policies. The role engages with FLU/CF leaders globally through the FLU/CF compliance and operational risk officer (C&OR) teams to independently advise those leaders on effectively managing the risks related to their area of coverage. By executing the CORM and Policies, the EAC C&OR Manager identifies themes and trends, conducts analysis for new and emerging risks and recommends approaches to mitigate these risks. Activities this role performs for their area of coverage include but are not limited to:

Global Risk Management is seeking a technical Information Security Risk professional to provide Operational Risk and Compliance oversight across Global Information Security.  The role will play a critical role in the overall coverage of Global Information Security and will provide technical coverage on critical GIS process and controls across the enterprise. The role requires experience and expertise with information security technologies, concepts, tools and controls. The role requires the ability to escalate, debate and challenge significant risks as appropriate.


1st shift (United States of America)

Hours Per Week: 


Learn more about this role

Full time


Manages People: No

Travel: Yes, 10% of the time


Talent Acquisition Contact:

Referral Bonus: