WHAT DOES AN INFORMATION RISK MANAGER DO?

Published: Aug 29, 2025 - The Information Risk Manager drives data privacy objectives by managing regional privacy activities, conducting assessments, and ensuring compliance with global privacy frameworks. This role provides advisory support on risk mitigation, data protection techniques, and vendor management while overseeing incident investigations and system compliance reviews. The manager also advances privacy by design principles, strengthens information lifecycle governance, and ensures effective controls through audits and enterprise-wide training initiatives.

A Review of Professional Skills and Functions for Information Risk Manager

1. Information Risk Manager Duties

  • Team Management: Managing team plans, overseeing the activities of Security Risk Analysts
  • Vendor Management: Manage 3rd party security vendors, playing a key part in the procurement process
  • Risk Evaluation: Identifying and evaluating cyber risks and developing relevant methods for remediation
  • Risk Reporting: Maintaining the risk register whilst having the ability to clearly and concisely articulate risks to key stakeholders (technical and non-technical)
  • Executive Communication: Prepare Board and Executive-level materials
  • Governance Oversight: Performing Information Security Governance activities
  • Risk Assessment: Conducting BAU Cyber Risk Assessments
  • Policy Development: Authoring information security policies and standards
  • Contract Review: Supporting contract reviews and driving compliance around third-party security due diligence activities
  • Culture Awareness: Driving a culture change of understanding and awareness around cybersecurity risks throughout IT and the business

2. Information Risk Manager Details

  • Risk Observation: Observe the global technology risk and control assessments to review the key risks and gaps identified, and to track and report on management corrective action plans
  • Risk Advisory: Provide technology risk advice to Global Information Services and Divisions to improve risk-based decision-making
  • Oversight Challenge: Develop oversight of, and effective challenge to, the 1st Line of defense within the GWAM segment, including their exceptions and risk acceptance procedure
  • Compliance Monitoring: Monitor the compliance with the information risk appetite (and associated thresholds) for Global Information Services and Divisions in conjunction with the GWAM Business Unit partners and Operational Risk Management
  • Incident Investigation: Participate in the investigation of material technology or information risk loss events (and related incidents) to assess potential systemic weaknesses and ensure appropriate corrective action is implemented
  • Data Analysis: Conduct the “so what analysis” over profiles and risk dashboards for Global Information Services and the GWAM segment, aligned with enterprise and operational risk reporting
  • Strategic Planning: Participate in short-term planning and enabling long-term strategies that will mature IRM, ensuring the practices keep pace with both internal drivers (company strategy and goals) and external drivers (technology, regulations, threats and vulnerabilities)
  • Regulation Awareness: Stay abreast of evolving information and technology risks, new regulations, laws and requirements for information risk, information security, cybersecurity, information protection and privacy across jurisdictions, and coordinate company compliance
  • Relationship Building: Maintain and champion enduring relationships with internal customers and peers
  • Emerging Risks: Provide adequate advice to Global Information Services and GWAM around emerging technology risk topics by carrying out research, and serve as an advocate for TRM domain standard methodologies
  • Audit Review: Review and correlate the GWAM IT audit findings and their action plans, along with the various types of risk assessments and incidents
  • Control Testing: Work with Internal Audit Services and outside consultants to perform independent assessments and perform sample control testing

3. Information Risk Manager Responsibilities

  • Risk Mitigation: Partner with Business Units to identify, analyze and mitigate security risk, internal and third-party, associated with activities executed throughout the enterprise
  • Team Leadership: Act as team lead across information security risk management activities including internal and third-party risks
  • Risk Supervision: Supervise teams responsible for assessing, managing, and monitoring internal and external security risk
  • Security Consultation: Provide security consultation for new and ongoing enterprise initiatives
  • Policy Development: Consult on defining security policies and best practices
  • Security Awareness: Educate and build awareness of security requirements across the organization
  • Compliance Improvement: Improve compliance with security standards and policies across enterprise teams
  • Control Monitoring: Participate in testing and monitoring of security and privacy controls executed by enterprise teams
  • Project Leadership: Lead security enhancement projects focused on new or changing technologies
  • Security Reporting: Publish executive-level security reporting across governance, risk, and compliance activities

4. Information Risk Manager Job Summary

  • Audit Execution: Plan and execute the day-to-day activities of IT audit and assurance engagements
  • Task Delivery: Complete tasks and deliverables to a high quality standard as part of the audit, working to an agreed plan, budget and quality
  • Progress Reporting: Keep senior IRM members informed of significant developments and progress on the engagement
  • Staff Coaching: Coach junior staff on engagements and provide proper feedback
  • Tool Utilization: Identify and use the most appropriate IRM technology tools to complete and document audit work
  • Scope Management: Assist with scoping, financial management, delivery risk management and the initial review of deliverables
  • Finding Communication: Identify and communicate IT audit findings to senior management and clients
  • Performance Improvement: Help identify performance improvement opportunities for assigned clients
  • Fieldwork Management: Conduct fieldwork and manage small project teams to deliver value-added assurance services to clients
  • Network Building: Develop internal networks and maintain excellent relationships with colleagues across KPMG, in particular in the wider Consulting, Audit and Advisory areas
  • Culture Promotion: Promote a collaborative culture, encouraging constructive working relationships with the audit team and others

5. Information Risk Manager Accountabilities

  • Risk Support: Support the IT teams to ensure risks and controls are recorded and managed appropriately
  • Change Oversight: Chair the Change Approval Board
  • Resilience Framework: Responsible for assisting with the design and maintenance of the business's operational resilience framework with a focus on IT components
  • Risk Monitoring: Monitoring and reporting on IT risk appetite statements and tolerances for the CIO to report to Exco and Board
  • Due Diligence: Working with potential/new/existing clients on IT, Cyber and Data due diligence assessment and annual reviews
  • Action Tracking: Track and progress all IT risk-related actions, including Risk assessments, Internal Audit, External Audit and Business Continuity actions
  • Target Management: Working with action owners across IT to ensure agreed targets are met and the Risk Management system is maintained
  • Risk Reporting: Develop and deliver effective risk reporting and management information, including updating and maintaining the IT Risk Matrix
  • Control Implementation: Implement the IT Controls matrix across IT
  • Procedure Maintenance: Responsibility to update and maintain IT Standard Operating Procedures
  • Risk Assessment: Completing IT risk assessments and providing findings to the senior executive team
  • Expert Guidance: Providing subject matter expertise around IT risk and control frameworks, being the first point of contact for all risk and control queries
  • Assessment Coordination: Coordinate the Risk Assessment process, providing coordination and support for delivering treatment plans
  • Risk Training: Identifying training requirements across the wider IT community and delivering Risk training
  • Meeting Facilitation: Facilitate and lead meetings with the CIO and Senior IT managers to carry out risk assessments
  • Committee Support: Support the CIO in the preparation and delivery of communication to the Executive Risk Committee
  • Incident Oversight: Oversee IT Risk Incidents, ensuring that first-line responsibilities are being met and collating information required for reporting
  • Policy Attestation: Facilitating the Policy Attestation process
  • Deadline Tracking: Maintain a view of key dates for risk reporting, providing awareness to key stakeholders so that dates are met
  • Control Testing: Complete control testing activities to ensure active controls remain appropriate and robust
  • Control Execution: Execute controls in line with agreed schedules

6. Information Risk Manager Functions

  • Risk Oversight: Providing oversight and challenge of Information risks across EUI, including Information Security, Technology and Data quality risks
  • Subject Expertise: Act as a subject matter expert within the EUI Corporate Governance functions for Information risk management and security-related matters
  • Risk Assessment: Leading and supporting on independent risk/security assessments of the key Information and Security risks and controls across EUI, identifying, assessing, escalating and reporting on potential information risks and issues to Admiral
  • Incident Oversight: Providing oversight and challenge of the business response to Technology and Information Security risk incidents and events throughout EUI
  • Project Review: Providing review and challenge for EUI change projects related to Technology, Information Security and Data via steering committee membership or undertaking project risk reviews
  • Framework Development: Developing the Information risk framework within EUI including the implementation and embedding of the tools, policies, standards and procedures required to support the risk oversight and assessment activities
  • ERM Promotion: Promote and embed Enterprise Risk Management (ERM) processes, awareness and understanding across the EUI Technology, Information Security and Data teams to maintain operational resilience, minimising customer detriment and financial losses
  • Change Assessment: Assess the impact of Technology and Data change within the business against Admiral’s risk profile
  • Risk Identification: Ensuring timely identification of key themes and emerging risks, issues and exposure, and providing recommendations to management to mitigate and resolve potential issues
  • Risk Reporting: Reporting and escalating on risks and issues to senior managers, heads of department, Corporate governance teams and relevant working groups, management committees and Boards
  • Compliance Monitoring: Monitoring and assessing EUI’s compliance with Group and EUI Policies and Group Minimum Standards in relation to IT and Information Security
  • Risk Representation: Represent EUI Risk in relevant working groups and meetings
  • Stakeholder Management: Develop and maintain key stakeholder relationships across EUI, performing the role as a ‘critical friend’ to the business

7. Information Risk Manager Job Description

  • Privacy Vision: Driving the data privacy vision and objectives for businesses
  • Activity Management: Day-to-day responsibility for recording and managing privacy activities for the region within the global privacy management platform
  • Data Flows: Creating, reviewing and updating data flows
  • Vendor Assessment: Conducting vendor PIAs, managing data subject requests, cookie scanning, DPIAs, and maintaining the Article 30 Record
  • Advisory Support: Partnering with business owners to provide advisory and consulting services on data privacy, information security and risk mitigation
  • Privacy Training: Assisting and delivering training and awareness campaigns, particularly with a focus on data protection and security initiatives
  • Data Protection: Advising on data anonymization, pseudonymization and encryption techniques to develop systems that preserve and improve privacy protections
  • Incident Investigation: Investigating personal data and security incidents, supporting the global security operations team with forensic requirements and producing investigation reports
  • Compliance Review: Assessing current software and systems for compliance with data protection principles
  • Risk Mitigation: Recommending changes and new technologies to help mitigate privacy vulnerabilities and prevent potential future privacy risks
  • Solution Design: Defining and implementing risk-based solutions to ensure Privacy and Information Security by Design is adequately embedded in IT and Business projects and systems across the company, including through the development and training of users
  • Lifecycle Management: Maturing enterprise-wide information life-cycle management strategy and governance processes to identify, classify and protect personal data over its life-cycle
  • Vendor Management: Working with the wider business and core teams to assess and revise vendor management processes to ensure that vendors are appropriately vetted before engagement through onboarding due diligence
  • Asset Oversight: Overseeing asset inventories to meet regulatory requirements and support the audit function to ensure effective controls are in place

8. Senior Information Risk Manager Overview

  • Policy Management: Responsible for creating, deploying, and managing policies, procedures and controls to assure compliance with applicable regulatory and legal requirements as well as good business practices as part of a controls assurance program
  • Risk Analysis: Conducting formal risk analysis and a self-assessment program for various Information Services systems and processes
  • Customer Support: Directly supporting front-line sales professionals through the operation of a customer security management office (CSMO)
  • Privacy Program: Responsible for creating, deploying, and managing a comprehensive global privacy protection program
  • Vendor Assurance: Deploying and maintaining a 3rd party vendor assurance program
  • Process Improvement: Identifying, analyzing, and implementing process improvements and effectively communicating and leading change management initiatives
  • Cross Collaboration: Working cross-functionally to advocate on behalf of both customers and technology professionals' needs with internal teams including engineering, product, and IT
  • Process Adoption: Successfully driving the adoption of processes and key metrics that improve performance
  • Risk Program: Mature and maintain a comprehensive Security and IT Risk Management program
  • Risk Tracking: Manage tracking of identified risks, risk decisions, decision execution, and provide reporting to leadership
  • Risk Metrics: Develop and implement relevant cyber and IT risk metrics and reporting to management and risk committees
  • Tooling Design: Design and implement applicable risk tooling
  • Functional Support: Work with other SpaceX teams to determine functional needs, implement efficient and sustainable solutions and communicate security policies
  • Team Mentoring: Mentor fellow teammates and take an active role in their development
  • Program Alignment: Collaborate with Assurance, Security, IT, and business leaders, creating aligned program objectives and key results
  • Trend Monitoring: Maintain an up-to-date understanding of emerging trends in information security risks, and new techniques and trends, in line with overall information security objectives and risk tolerance

9. Information Risk Manager Details and Accountabilities

  • Risk Monitoring: Manage and monitor the IT Risk posture for the franchise, providing management with transparency over what these risks are and how they can be addressed
  • Risk Activities: Coordinate or participate in all relevant IT Risk activities (e.g., regulatory inspections and assessments, control testing, monitoring, reporting, internal audits and remediation activities)
  • Subject Expertise: Act as a subject matter expert in relation to IT Risk Control and Security
  • Relationship Building: Develop and maintain strong business and technology relationships, become a trusted partner and foster collaborative relationships with the various Lines of Business and Corporate functions such as Audit, Corporate IT, Risk and Global Technology Infrastructure
  • Control Remediation: Participate in or lead programs to improve or remediate the control environment across the franchise
  • Regulation Oversight: Interpret regulatory requirements and corporate policies, communicate these clearly alongside current status and provide oversight of compliance
  • Resiliency Expertise: Expertise in application and infrastructure high-availability and resiliency architectures, with demonstrated experience in business
  • Access Management: Work with LOB and Program ISMs to ensure awareness and implementation of Identity and Access Management controls
  • Project Definition: Define project requirements and dependencies, in conjunction with the Program Manager, on an application-by-application basis to determine the best solution for implementing Identity and Access Management controls
  • Program Participation: Participate in Program workshops, forums and discussions, and represent the Identity and Access Management position as it relates to access control
  • IRM Leadership: Build, establish and drive Trade Republic’s Information Risk Management
  • IRM Representation: Become the first point of contact and represent Information Risk Management to departments, partners and stakeholders
  • Risk Identification: Identify and manage information risks across the company and report progress to management
  • Risk Alignment: Align closely with the Risk department to ensure effective risk management company-wide
  • Stakeholder Collaboration: Reliably collaborate and work with various stakeholders in an international, diverse and highly interdisciplinary, fast-growing environment

10. Information Risk Manager Tasks

  • Risk Assessment: Assist with risk assessment activities, coordinating with the security team, Senior Leadership, vendors, and contractors
  • Policy Advisory: Serve as an advisor in the development, implementation, and maintenance of a company-wide information security policy and control framework
  • Process Improvement: Provide process improvement support in the functional area of Governance, Risk and Compliance
  • Risk Analysis: Provide periodic analysis of corporate risk position, based on analysis of current controls status and current cyber threat landscape
  • Risk Register: Assist with items to be added/maintained in the corporate risk register
  • GRC Implementation: Assist in the development, configuration, and implementation of GRC toolsets
  • Evidence Collection: Collect evidence of project completions and maintain program records
  • Industry Monitoring: Monitor developments in the information security industry including vendor strategies and communicate on the potential impact on or applicability to the organization
  • Security Culture: Promote security culture and drive continuous security improvements
  • Control Integration: Ensure technical and operational security controls are incorporated into new systems and applications through participation in planning groups and the review of new systems, installations, and other major changes
  • Data Protection: Assist internal teams and external entities concerning the security of information and critical data processing capabilities
  • Control Application: Interpret client and Regulatory controls across all verticals and properly apply the specifications across the operational responsibilities to help build cost-effective, scalable security controls and infrastructure to sustain certification levels across the enterprise
  • Automation Support: Encourage new ways of thinking and performing activities to increase automation capabilities
  • Team Cohesion: Build rapport, credibility, and cohesion across all business unit teams and IT teams in the course of managing the projects
  • Program Oversight: Engage with and participate with cross-functional independent representations of management to ensure appropriate oversight and governance of the security program
  • Program Review: Ensure that assessment functions periodically review key programs related to information protection to obtain independent assessments of the security program effectiveness
  • Progress Reporting: Report progress to management, and assess and measure results related to Information Security activities