5 - IT Risk Job Descriptions
Template
These job descriptions are part of ISACA’s IT Risk Starter Kit. They include
examples of basic qualifications for key roles in an IT Risk program. These job
descriptions are intended to be illustrative, not comprehensive, and should be
customized for each enterprise.
IT Risk Officer
The IT risk officer is responsible for the overall delivery of the IT risk management practice. This position
drives the execution of highly complex and technical processes through the combination of oversight,
advisory and effective challenge activities across the enterprise. These activities include risk
identification and response, meeting regulatory requirements and consulting on technology strategies
and solutions. The IT risk officer oversees the IT risk team to ensure its work is managed, prioritized and
completed in alignment with enterprise business goals, drivers and commitments.
Behaviors:
Desired Accomplishments:
Establish a robust advisory and effective challenge model that will facilitate deeper risk conversations and surface insights in support of strategic decision-making.
Identify opportunities to influence risk-taking strategies and ensure that aggregate risk is understood.
Challenge and reinvent the methodology that the enterprise uses to measure IT risk.
Influence peers and executives to take accountability for complex (and sometimes sensitive) IT risk.
Constructively debate trade-offs between different risk response approaches with other business and IT partners.
Enhance the business’ understanding of regulatory/compliance requirements and their implications for the firm.
Mentor and develop associates to meet their professional development goals.
Basic Qualifications:
Preferred Qualifications:
Master’s degree
IT Risk Analyst
The IT risk analyst supports the IT risk management practice, which ensures risk is proactively identified,
decisioned, communicated and monitored. The primary responsibilities of the IT risk analyst are to
perform assessments of potential risk exposures and prepare actionable risk reporting. In this role, it is
critical to foster strong working relationships with leaders in other areas of the enterprise to perform
evaluations of the enterprise risk posture and to offer independent advice regarding ways to reduce risk
in line with established risk appetites.
The successful candidate thinks strategically, is intellectually curious and is comfortable working in
undefined problem spaces. As a member of a growing enterprise, the IT risk analyst will be expected to
shape and further refine the risk program and will have the opportunity to operate with both autonomy
and empowerment from senior leadership.
Behaviors:
Thinks critically and analytically, with the ability to express a point of view supported by data (for both technical and nontechnical audiences)
Raises concerns early and facilitates constructive problem-solving at all levels of the enterprise; knows when to escalate
Exhibits passion and expertise in technology and cybersecurity domains, with an ability to be confident, respectful and articulate when registering dissenting or unpopular opinions
Collaborates effectively with colleagues, stakeholders and leaders across multiple organizations to build consensus, socialize strategy and achieve objectives
Manages multiple parallel initiatives while maintaining superior results
Is execution-oriented and self-motivated
Desired Accomplishments:
Succinctly frame emerging threats and risk in alignment with the existing risk profile.
Distill complex risk, process and control relationships into simple dashboards/reports.
Demonstrate robust risk management oversight in supporting various internal audits and regulatory exams.
Support the development of the IT risk management practice, framework and methodologies.
Basic Qualifications:
Preferred Qualifications:
At least one professional risk or security management certification, such as Certified in Risk and Information Systems Control (CRISC), Certified Information Systems Auditor (CISA), Certified Information Systems Security Professional (CISSP), or Open FAIR
Data science/analytics experience