Senior Risk Officer – ICT Risk & Internal Control Specialist

The Mission

The open position, Senior Risk Officer (ICT Risk & Internal Control Specialist), contributes to a broad range of activities under the responsibility of the Risk Management Department, with a dual focus on ICT risk and Internal Control matters, each representing a core area of responsibility.

In this capacity, the Senior Risk Officer plays a key role in ensuring the effective identification, assessment, monitoring, and reporting of ICT risks, supporting the organisation’s operational resilience and compliance with relevant regulatory frameworks, including, but not limited to, Solvency II, DORA, and GDPR. The role actively contributes to the enhancement of the ICT risk management framework and ensures ICT risks are appropriately embedded in the overall risk management strategy. Working in close cooperation with the IT Department and various Departments, the Senior Risk Officer helps ensure a coherent and consistent approach to ICT risk across the organisation.

The role also supports the design and oversight of the internal control system, extending beyond ICT-related aspects, and contributes to the risk reporting process to senior management, governing bodies, and the Group. Beyond these areas of focus, the Senior Risk Officer is also involved in other initiatives and risk assessments within the remit of the Risk Management function, in line with the team’s responsibilities and evolving priorities.

Main objectives of the role

  • Maintain and continuously improve the ICT Risk Management Framework, ensuring alignment with regulatory requirements and industry best practices.
  • Act as a driving force in strengthening the company’s Internal Control framework and promoting a strong Internal Control culture across all business areas.
  • Conduct ICT risk assessments, maintain the ICT risk mapping, and support integration of ICT risk into the overall risk landscape.
  • Lead risk analyses related to IT projects, infrastructure changes, and critical applications; coordinate mitigation plans with IT, IT Security, and other operational teams.
  • Monitor the effectiveness of first-level controls (ICT and non-ICT) and provide expert guidance on risk mitigation and control improvements.
  • Perform second-level controls as defined in the Control Plan, including on non-ICT areas, and support the enhancement of first-level controls across all departments.
  • Contribute to the management of ICT incidents by supporting root cause analysis, lessons-learned reviews, and follow-up on corrective and preventive actions.
  • Ensure appropriate ICT risk governance is in place, contribute to relevant committees, prepare risk reporting, and escalate key risks to senior management and governance bodies.
  • Monitor emerging ICT threats, regulatory changes, and market developments to strengthen the ICT risk management approach and ensure timely adaptation of the framework.
  • Act as a key contact for business units on ICT risk matters, ensuring ICT risk considerations are embedded in key processes, projects, and change management initiatives.
  • Support ICT risk awareness initiatives and contribute to training and communication activities.
  • Support the oversight of key service providers (ICT and non-ICT) to ensure resilience and risk management expectations are met.
  • Actively contribute to the day-to-day activities of the Risk Management function, promoting a strong risk culture and continuous improvement across the organisation.

Profile of our future teammate

  • Master’s degree in Risk Management, Information Technology, Information Security, or a related field.
  • Minimum 5/7 years of relevant experience in Risk Management, preferably with a strong focus on ICT risk and internal control in a regulated financial services environment (insurance or banking).
  • Solid knowledge of ICT risk and operational risk management frameworks, practices, and tools, as well as relevant regulations (e.g. DORA, Solvency II, GDPR) and standards (e.g. ISO 27001, ISO 27002).
  • Proven experience in designing, executing, and reviewing first- and second-level controls across various operational areas.
  • Ability to conduct structured risk assessments, analyze incidents, and propose effective and pragmatic mitigation measures.
  • Strong verbal and written communication skills; able to communicate risk-related matters clearly to both technical and non-technical audiences.
  • Proactive, with the ability to manage priorities autonomously while contributing to collective team objectives.
  • Ability to work effectively with cross-functional teams and to provide them with advice and guidance.
  • Fluency in French and English required; other languages considered an asset.
  • Professional certification in Risk Management, Internal Control, or Information Security considered an asset.

What we offer…

  • Member of the Insurance collective agreement
  • 13th month
  • Lunch vouchers
  • Pension plan
  • Flextime hours & teleworking authorised
  • 35.5 days of holidays per year
  • Employee development opportunities
  • Fruit at the office, sports committee, social events…
  • Inclusive company

Recruitment Process

Interested candidates should submit their application (CV only) to the following email address: hr@onelife.com