Job Description

The Technology Risk & Information Risk Management Analyst, VP, role will be responsible for providing oversight, consulting and risk management assessment/support, and reporting functions relative to Comerica's Lines of Business (LOBs) and other divisions. This role will also be in accordance with utilizing their specialized skillset to engage with business partners and shared services stakeholders to provide consulting support to drive awareness and compliance with the Bank's enterprise risk management framework, policies and standards. This role will ensure independent risk assessments, oversight and consulting support to promote proactive risk identification, mitigation and remediation of risk, to ensure protection of customer's and the Bank's data and other assets.

Position Competencies

The successful incumbents have high technical proficiency, analytics and solution-oriented thinking; must have the ability to independently take on assignments, review and interpret data and analytics; must be solution-oriented, and capable of anticipating and meeting the needs of a demanding work load.

Position Responsibilities:

Execute Second Line of Defense (SLOD) risk management functions relative to Technology Risk, Information Risk/Security risk management by working with the LOBs and other bank stakeholders/divisions to risk review areas, related process, etc., providing credible challenge regarding risk assessments, controls, strategic direction and other activities pertaining to the LOBs and Comerica.
Ensure awareness of technology and information risk/security risks in the LOBs/Comerica and provide consulting support and direction to drive proactive risk identification, mitigation/remediation, and accurate, complete monitoring and reporting.
Ensure awareness of current technology, information risk/security risk management top line and emerging risks, industry best practices, controls and solutions.
Engage with Bank stakeholders/divisions to ensure awareness, documentation, and accurate reporting of identified and potential risks (i.e. top line and emerging risks) impacting Comerica LOBs/functions from a Technology Risk, Information Risk/Security Risk perspective.
Execute SLOD review, credible challenge to complete regulatory risk assessments in compliance with guidelines/requirements and/or certifications (i.e. PCI DSS, FFIEC, State Certifications, etc.).
Support development/documentation of required SLOD risk management functions/routines and controls, including deriving accurate and complete technology risk and information risk/security profiles.
Technology Risk, Information Risk/Security Risk Management reporting of noted risks, support mitigation/remediation plans/activities required to monitor risks, and support execution of SLOD functions w/business partners. Prepare related reporting to ensure enterprise/management/board level awareness of Technology Risk, Information Risk/Security Risk Management profiles at aggregate and disaggregate levels.
Maintain currency of professional risk management certifications, and ensure ongoing research and awareness of technology risk, information risk/security risk management platforms, tools, industry controls/frameworks, and provide related guidance, oversight and risk management support to the LOBs and other risk management partners.
Ensure timely completion of all required training/education courses, for Comerica employees. Also, continuous cross-training of colleagues, business partners and other stakeholders is expected, to ensure knowledge-sharing, awareness, and fostering of a proactive risk management culture, which includes compliance with Comerica's Enterprise Risk Management framework, policies, standards, assessment, tracking, and mitigation/remediation routines; and awareness of industry best practices.

Position Qualifications

Bachelor's Degree from an accredited university in Technology, Computer Science, or Business
8 years of experience in risk management in Technology, Information Security/Risk Management assessments, mitigation/remediation, and evaluation, recommendation and/or implementation of industry best practices, controls, and tools.
5 years of experience and demonstrated knowledge in relative to industry best-practices and frameworks (e.g. COBIT, ISO 31000, NIST SP 800-37).
One of the following certifications: Certified Information Systems Security Professional (CISSP), Certified Risk and Information Systems Control (CRISC), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) or related certifications.