The Chief Control Office (CCO) serves as a subject matter expert within the First Line of Defense, supporting the Businesses, Functions and HOST. The areas of focus for this role are Policy and Governance, Risk Appetite, Core Operational Risk Management, Oversight, Use and Embeddedness, and Reporting, as detailed further in this document.
Impact on the Business
The Senior Manager CCO is responsible for supporting the Chief Control Officer with directing and managing the integration of Core Operational Risk Management activities and providing feedback on the embedding of the Operational Risk Management Framework activities within and throughout their respective area within the business, function or HSBC Operations Services and Technology (HOST). The Senior Manager CCO may also be accountable for Core Operational Risk Management activities with respect to specific operational risk categories, including FCC, Compliance, Business Continuity, Information Security, Privacy, Fiduciary, Fraud, SOX, Product Due Diligence and Third Party Risk Management (Vendor) as required.
Business/Function/HOST Specific Responsibilities
The responsibilities under this role for each of the areas of focus are as follows.
Policy and Governance:
Provide feedback on proposed operational risk policy for the business/function/HOST and likely impacts.
Provide advice to Risk Owners and Control Owners regarding operational risk policy dispensations. Provide guidance to Risk Owners and Control Owners in adhering to the ORMF (Operational Risk Management Framework) and operational risk policies.
Provide feedback on the embedding and use of the ORMF and the operational risk policies to Operational Risk and to the Risk Stewards.
Ensure and participate in appropriate and effective operational risk governance within the business/function/HOST.
Core Operational Risk Management:
Engage with relevant Risk Stewards to contribute to a standard Risk and Control Library for the business/function/HOST, as requested by a Risk Owner/Control Owner.
Co-ordinate the RCA process on behalf of Risk Owners and Control Owners as requested; examples prompting co-ordination may include trigger event monitoring, stakeholder engagement, meeting organization and outputs.
Risk Stewards will be engaged as required.
Provide expert advice to the Risk Owners and the Control Owners in the completion of risk and control assessments, including identifying material operational risks and controls.
Develop and execute control monitoring plans as requested by Control Owners; work with the Risk Owner to identify and oversee completion of remediation actions.
Provide expert advice to Risk Owners in the completion of scenario assessments.
Use key indicators set by Risk Owners and Control Owners to facilitate control monitoring.
Contribute to the effective identification, assessment and root cause analysis of material internal risk events, advising and constructively challenging Risk Owners and Control Owners on resolution.
Perform analysis of material external risk events, as requested, advising and constructively challenging Risk Owners and Control Owners on impact and mitigation.
Track and provide advice on the completion of management response actions; ensure timely and accurate recording in the operational risk management system, ORION.
Promote operational risk awareness, including training and communications for the Business/Function/HOST.
Ensure adequate CCO resources with appropriate capabilities are in place to provide required support.
Review and take actions to improve the quality of inputs in the Group's operational risk management system.
Oversight, Use and Embeddedness:
Customers / Stakeholders
Support the respective business/function/HOST as per the activities outlined in the areas of focus for this role including Policy and Governance, Risk Appetite, Core Operational Risk Management, Oversight, Use and Embeddedness, and Reporting.
Leadership & Teamwork
Lead and develop an effective team through communication, performance management, development plans and reward/recognition practices.
Promote an environment that supports diversity and reflects the HSBC brand.
Operational Effectiveness & Control
Ensure that all roles and responsibilities of the CCO as defined in the Global Risk FIM and as outlined in the Business/Function/HOST Specific Responsibilities are applied to FCC, Compliance, Fiduciary, Product Due Diligence, Vendor, SOX, Security, Privacy, Business Continuity and Fraud.
Ensure CCO team is properly trained in fraud risk awareness and facilitate reporting of confirmed/suspected fraud.
Complete other responsibilities, as assigned.
Support the business/function/HOST in its management of operational risk appetite, ensuring the business/function/HOST operates in compliance with the operational risk framework and standards.
Build relationships and interact with US Operational Risk team and other 'second line of defense' teams, Global CCO, and others for operational risk and internal control matters.
Daily discretion with assigned authority. Decisions beyond assigned authority are referred to higher levels of management for approval.
Officer in Charge (OIC) for Chief Control Officer in small functions, as required by virtue of delegation.
Management of Risk
Physical Demands/Work Environment: Very good working conditions. Little or no physical demands. Minimal handling of light materials. The physical demands/work environment described above are representative of those that must be met by an employee to successfully perform the essential duties of the job. Reasonable accommodations may be made to enable individuals with disabilities to perform essential duties.
Financial Crime Compliance (FCC) and Regulatory Compliance (RC)
The CCO activities are to advise the Risk Owners and Control Owners in the risk assessment process, to advise on the mitigation process, and to perform risk-based monitoring of control effectiveness in order to validate the control assessment. As with other Risks and the associated controls, these CCO activities pertain to specific FCC and RC risks and controls. The CCO monitors timely resolution of issues and actions pertaining to FCC and RC.
In addition to the Risk and Control Assessment process (RCA), the Regulatory Compliance function outlines the CDSA (Compliance Detailed Self-Assessment). The CCO works with the business/function/HOST to determine that the controls are in place and mitigate the risk of the pre-determined RC obligation.
For FCC and RC training, the CCO tests the compliance of the first line of defense in the timely completion of mandatory training. The jobholder will remain current with all FCC and RC specific required training.
The jobholder will be aware of and will pro-actively apply their knowledge of the Global Anti-Money Laundering (AML), Sanctions and Anti-Bribery and Corruption (ABC) Policies, Regulatory Compliance Policies, supporting US Guidance, and Line of Business Procedures in line with the core activities of the CCO. The jobholder will make informed decisions in accordance with the core principles of HSBC's Financial Crime Risk Appetite and Policies, and pro-actively and appropriately escalate instances of deviation, whether evidenced through ongoing testing or control monitoring.
Minimum of a Bachelor's degree with 10 years equivalent experience. Substantial experience in Banking, risk management and/or internal audit; Audit, Risk, Compliance or Finance professional designation preferred.
Sound verbal and written communication skills that promote and enable openness with staff, management, internal partners, and external parties
Uphold compliance with all relevant internal and external rules, regulations and procedures; engage others to act responsibly and minimize operational risk and internal control issues
Demonstrate a sound holistic and technical understanding of pertinent business areas and Group requirements as detailed in Group Standards Manuals, Functional Instruction Manuals (FIM), and local standards
Sound judgment, keen sense of urgency, and high level of professional and personal integrity