Technology Third Party Operational Resilience Lead
Role Description
Operating in a highly competitive environment and overseeing several thousand Third Party Supplier engagements, GCIO Vendor Management – Resilience and Risk is a critical function that is responsible for assuring effective risk and resilience management across our supply chain.
This role is essential for advancing HSBC's Operational and Technology Resilience goals, ensuring the delivery of reliable services to customers. It involves engaging with diverse and senior stakeholders to deliver resilient outcomes and ensuring that key technology partners are resilient and adhere to regulatory and internal standards.
We are seeking a highly capable SME who has expertise in both Third Party Operational Resilience and IT Service Management (ITSM) domains. The successful candidate will be instrumental in enhancing Third Party Operational Resilience delivery and oversight, including through the implementation of technology control resilience requirements, and help to shape this newly formed function to deliver exceptional service and build strong relationships across GCIO’s Third Party management and broader business and technology service management communities.
Third Party Operational Resilience Responsibilities
• Oversee mapping and lineage between Technology Third Parties (including subcontractors / nth parties) and Technology Services, Important Business Services (IBS), Critical Operations (CO), and Critical or Important Functions (CIF), ensuring accurate identification, classification and consumption of Important Technology Third Party services.
• Oversee the Third Party Operational Resilience Vulnerability Assessment process for Important Technology suppliers and manage assessment output (including vulnerability determination and socialisation). This includes data collection, analysis, thematic reviews, and supporting key stakeholders in meeting their responsibilities.
• Manage and lead engagement with core stakeholder groups (Business Service Owners, Technology Business Service Leads, Entity OpRes Leads, IT Service Owners, Supplier Managers, etc.).
• Conduct Quality Assurance across processes, including analysis of data from multiple systems and offline sources to ensure Technology owned activities are accurate and meet expected standards.
• Consolidate information across Service Chains (Business Processes, Technology Assets, Third Party Services) to enable accurate and effective decision making and action execution.
• Act as key point of contact for Operational Resilience queries relating to Technology Third Parties.
• Ensure GCIO is compliant with all applicable regulatory and HSBC internal Operational Resilience requirements.
• Manage ad-hoc requests, including those from Regulators and Second & Third Lines of Defence.
• Support dedicated programmes of work and continuous improvement, such as uplifting Important Technology Third Party services to improve resiliency and enhancing processes and tooling.
• Play a core role in operational resilience continuity planning and testing, including through uplift of robust business continuity, disaster recovery and exit plans.
IT Service Management Resilience Control Responsibilities
• Act as a key central point of contact to consult with and provide Subject Matter Expertise to Supplier facing colleagues, supporting them in reviewing and analysing responses provided by Third Parties against technology resilience control requirements throughout the service lifecycle.
• Ensure analysis and identified gaps in compliance are clearly documented to provide a consumable and coherent view of the Third Party resilience position for stakeholders across various levels of seniority and ITSM proficiency, in order to agree required uplift with the Supplier.
• Support external discussions and, where required, lead engagement directly with Third Parties, driving effective communication of analysis to establish and jointly agree uplift plans to embed resilience, utilising effective influencing skills to drive the right outcomes.
Essential Skillset/Experience
• Subject Matter Expert with proven ability to drive, challenge, align and guide complex stakeholder groups to assure resilient outcomes.
• Demonstrable experience in Supplier / Vendor management, and understanding of end-to-end Third Party Management processes and Technology supplier portfolios.
• Understanding of the broader regulatory environment in the financial services or similarly heavily regulated sector, including specifically detailed understanding and knowledge of core Third Party Resilience regulations:
o PRA SS1/21 Operational resilience: Impact tolerances for important business services
o PRA SS2/21: Outsourcing and third party risk management
o Digital Operational Resilience Act (DORA)
o EBA Guidelines on outsourcing arrangements
o Hong Kong Monetary Authority (HKMA) Supervisory Policy: OR-2 on Operational Resilience
• Strong understanding of Third Party Risk frameworks and processes, including subcontracting / nth party management and key risk domains such as cybersecurity, business continuity, and data risk.
• Clear understanding of Technology services and core areas of technology resilience.
• Proven experience in IT Service Management with deep knowledge of ITIL principles and Technology controls across solution design and implementation, recovery from disruption and the operational environment.
• Ability to be highly effective within a risk and control management environment.
• Relevant certifications would be advantageous (such as ITIL v4).