WHAT DOES AN IT RISK MANAGER DO?

Published: Nov 13, 2025 - The Information Technology (IT) Risk Manager oversees IT audit, compliance, and risk assessment processes to ensure alignment with corporate policies and regulatory standards. This role focuses on evaluating information security controls, managing audit responses, and supporting governance and compliance initiatives. The manager also contributes to the development of key risk indicator reports that enhance transparency and inform leadership decisions on technology risk management.

A Review of Professional Skills and Functions for IT Risk Manager

1. IT Risk Manager Duties

  • Policy Development: Developing and implementing IT policies and procedures by analyzing data security needs
  • Risk Advisory: Advising on IT risk concerns and ensuring they are resolved
  • Risk Assessment: Leading and performing IT risk assessments and conducting reviews to ensure compliance with regulatory requirements such as the Monetary Authority of Singapore (MAS) Technology Risk Management (TRM) guidelines
  • Governance Improvement: Proactively identifying opportunities to further improve upon IT governance processes
  • Project Leadership: Leading IT projects and being the point of contact for vendors
  • Security Training: Designing and implementing security training programs to better educate others and raise awareness of IT risks
  • Cybersecurity Management: Driving the implementation of cybersecurity risk management activities and initiatives
  • Framework Maintenance: Maintaining and revising the cybersecurity risk management framework, the risk and control assessment methodology, and the associated reporting
  • Risk Remediation: Providing effective challenge to first line of defence (1LOD) risk remediation priorities, and providing second line of defence (2LOD) risk opinions, advisories and recommendations
  • Risk Reporting: Providing independent reporting on cybersecurity risk posture to senior management
  • Risk Analytics: Developing a risk analytics model, performing risk assessments and providing insights on the cybersecurity risk posture of the public healthcare sector
  • Risk Monitoring: Analysing cybersecurity risk metrics for emerging risk trends and working with stakeholders to address the risks identified

2. IT Risk Manager Details

  • Risk Assessment: Responsible for security risk assessments on new and existing applications to ensure strong risk management strategies, tools, frameworks and standards are in place
  • Risk Analysis: Identify and provide analysis and recommendations for IT security risks, and track corrective actions performed by the business through the risk exception process
  • Performance Reporting: Provide accurate and timely reports to demonstrate individual and team activities and progress
  • Risk Remediation: Work closely with IT and business representatives to drive risk assessment and remediation
  • Program Oversight: Oversee the technology risk management programme, functioning as an independent and objective body that is responsible for identifying, assessing, mitigating and monitoring all functional areas of technology and cyber risk management
  • Framework Implementation: Drive the bank-wide enhancement and implementation of the technology and cyber risk management framework, policies, methodology and tools in line with the Bank's risk appetite on technology and cyber risks
  • KRI Development: Establish and maintain technology and cyber risk oversight and risk sensing through the development and analysis of integrated Key Risk Indicators (KRIs)
  • Risk Reporting: Ensure that an effective technology and cyber risk management reporting process is in place, enabling timely escalation of severe operational risk incidents and submission of operational risk management reports to the Risk Management Committee (RMC)
  • Incident Oversight: Maintain oversight on major operational risk incidents to ensure proper corrective actions, identify root causes and drive effective preventive actions
  • Cross-Functional Collaboration: Work across all levels of the organisation to understand cross-functional linkages and interdependencies, as well as the implications of risk at both strategic and business levels

3. IT Risk Manager Responsibilities

  • Provide support with all aspects of operational risk management and the associated policies, procedures, governance and controls
  • Provide risk management advice and support to the business, in particular to IT functional leads, ensuring that concepts, approaches and techniques are widely understood
  • Embed a continuous risk and control culture across the business
  • Own the governance around risk and remediation management for the function
  • Own the required status reporting for the function into the Head of IT Risk, Controls and Operations for inclusion in board and executive reporting
  • Provision of data and analysis for the reporting of key risk metrics and Risk Appetite statements
  • Proactively supports Functional leads with the Periodic Risk Review process
  • Support the ABS Head of Risk in conducting deep-dive, thematic reviews with the functional leads and teams
  • Identify the root cause of any operational risk issues, identify control failings, and agree on suitable mitigation to prevent future recurrence
  • Work closely with IT Heads to ensure there is good awareness of service monitoring and reporting and the associated risks
  • Ensure all issues relating to the control environment are captured and that actions are defined, executed and monitored effectively and on a timely basis
  • Perform data quality checks on all inputs to the risk management system, support data entry, and hold administration rights to update some fields in support of the risk system management team in the second line of defence (2LOD)
  • Work with the 1st and 2nd lines to ensure appropriate training is available in the areas of risk and compliance management

4. IT Risk Manager Job Summary

  • Risk Management: Provide support with all aspects of operational risk management and the associated policies, procedures, governance and controls
  • Risk Advisory: Provide risk management advice and support to the business, ensuring that concepts, approaches and techniques are widely understood
  • Risk Culture: Embed a continuous risk and control culture across the business
  • Governance Oversight: Ownership of the governance around risk and remediation management for the function
  • Status Reporting: Own the required status reporting for the function into the Head of IT Risk, Controls and Operations for inclusion in board or executive reporting
  • Data Analysis: Provision of data and analysis for the reporting of key risk metrics and Risk Appetite statements
  • Risk Review: Proactively support functional leads with the Periodic Risk Review process
  • Thematic Review: Support the Head of Risk in conducting deep-dive, thematic reviews with the functional leads and teams
  • Root Cause Analysis: Identify the root cause of any operational risk issues, identify control failings, and agree on suitable mitigation to prevent future recurrence
  • Risk Awareness: Work closely with IT Heads to ensure there is good awareness of reporting around service monitoring and the associated risks
  • Issue Management: Ensure all issues relating to the control environment are captured and actions defined, executed and monitored effectively and on a timely basis
  • Data Quality: Perform data quality checks on all inputs to the risk management system and support data administration for the risk system management team
  • Training Support: Work with the 1st and 2nd lines to ensure appropriate training is available in the areas of risk and compliance management

5. IT Risk Manager Accountabilities

  • Audit Management: Overall responsibility for the IT audit and compliance program covering internal audits, external audits and third-party reviews
  • Risk Assessment: Perform Information Security and Information Technology Control and Compliance risk assessment activities
  • Security Assessment: Conduct Information Security and technology risk assessments
  • Regulatory Compliance: Ensure compliance with corporate security policies, regulatory requirements and adherence to best practices
  • IT Governance: Perform Information Security and Technology governance
  • Control Management: Execute control and compliance activities as required by management
  • Audit Coordination: Work with IT stakeholders to coordinate and respond to audit findings
  • Risk Management: Support IT risk management activities, including guiding projects
  • KRI Reporting: Assist in developing internal IT risk management KRI reports for senior leadership and board presentations