IT Risk Manager job at KCB Bank

About Us

KCB Group is registered as a non-operating holding company which started operations as a licensed banking institution with effect from January 1, 2016. The holding company oversees KCB Kenya – incorporated with effect from January 1, 2016 – and all KCB’s regional units in Uganda, Tanzania, Rwanda, Burundi, Ethiopia and South Sudan. It also owns KCB Insurance Agency, KCB Capital, KCB Foundation, National Bank of Kenya, and all associated companies. The holding company was set up to among other things to enhance the Group’s capacity to access unrestricted capital and also enable investment in new ventures outside banking regulations, achieve operational and strategic autonomy for the Group’s operating entities and enhance corporate governance across the Group and oversight in the management of subsidiaries. Related documentation: Group Name Change, Name Change Certificate, KCB Advise on Non-Operating Holding Company, KCB Group Structure, Kenya Gazette Notice.

KEY RESPONSIBILITIES:

A. IT Risk Governance & Framework Implementation

• Implement and maintain the IT Risk Management Framework in line with the Bank’s Enterprise Risk Management (ERM) framework and Group standards.
• Maintain an updated IT Risk Register, identifying emerging threats, control weaknesses, and residual risks.
• Ensure alignment of IT Risk activities to the Risk Appetite Statement, Basel II/III, ISO 27001, NIST, and COBIT frameworks.
• Facilitate periodic IT risk assessments, scenario analysis, and control self-assessments across all IT domains.
• Drive IT Risk awareness and capacity building across the Bank.

B. IT Risk Monitoring, KRIs & Reporting

• Define and track Key Risk Indicators (KRIs) for critical IT processes, including cybersecurity, system availability, change management, and data protection.
• Prepare monthly and quarterly IT Risk Reports for Management Risk Committee (MRC), Board Risk Committee (BRC), and Group Risk.
• Escalate breaches of IT risk appetite and ensure timely mitigation.

C. Incident, Cyber, and Operational Resilience Management

• Coordinate the incident management process, ensuring prompt logging, investigation, root cause analysis (RCA), and closure of IT incidents.
• Support the activation and escalation under the Cybersecurity Incident Response and Recovery Plan (CIRRP).
• Work closely with IT, Information Security, and BCM teams to ensure effective response and post-incident reviews.
• Maintain oversight of Business Continuity (BCP) and Disaster Recovery (DR) testing outcomes and ensure alignment to the bank’s Resilience Framework.

D. Third-Party & Project Risk Oversight

• Conduct IT risk assessments for new systems, digital channels, APIs, and major IT projects.
• Evaluate and monitor third-party/vendor IT risks, including due diligence, data privacy, service continuity, and exit strategies.
• Participate in Change Advisory Board (CAB) sessions to ensure risk considerations are embedded before deployment.

E. Regulatory, Audit & Group Alignment

• Ensure compliance with Bank of Uganda, Data Protection, and Group Information Security standards.
• Coordinate responses to internal audits, external audits, and regulatory inspections, ensuring timely closure of findings.
• Maintain strong engagement with Group IT Risk and Group Information Security to align local initiatives with Group frameworks.

F. Emerging Risk, Reporting & Awareness

• Identify and assess emerging technology risks, including AI, cloud, fintech partnerships, and open APIs.
• Conduct periodic risk reviews, thematic analysis, and technology risk stress testing.
• Champion awareness sessions on cyber hygiene, information security, and IT risk governance across business units.

MINIMUM POSITION QUALIFICATION REQUIREMENTS

a) Academic & Professional

ParticularsDetailSpecific Field or QualificationNeed Type

EducationBachelor’s degreeInformation Technology, Computer Science, Information Science, Information Systems, Information Security or related disciplinesRequired

Professional QualificationsCRISC, CISM, CISSP, CISA, ISO 27001 Lead Implementer & related professional qualificationsAdded Advantage

Master’s degreeIT, MBA, Computer Science, Risk & related disciplinesAdded Advantage

b) Experience

DetailAreaMinimum No of Years

Experience Area 1Information Risk /or IT Security and/or IT Audits4

Experience Area 2Information Risk Reviews and Vulnerability Assessments Experience3

Experience Area 3Red Team Exercises and/or Penetration Testing Experience2

Experience Area 4Stakeholder management2

Experience Area 5Report writing2

• Implement and maintain the IT Risk Management Framework in line with the Bank’s Enterprise Risk Management (ERM) framework and Group standards.
• Maintain an updated IT Risk Register, identifying emerging threats, control weaknesses, and residual risks.
• Ensure alignment of IT Risk activities to the Risk Appetite Statement, Basel II/III, ISO 27001, NIST, and COBIT frameworks.
• Facilitate periodic IT risk assessments, scenario analysis, and control self-assessments across all IT domains.
• Drive IT Risk awareness and capacity building across the Bank.
• Define and track Key Risk Indicators (KRIs) for critical IT processes, including cybersecurity, system availability, change management, and data protection.
• Prepare monthly and quarterly IT Risk Reports for Management Risk Committee (MRC), Board Risk Committee (BRC), and Group Risk.
• Escalate breaches of IT risk appetite and ensure timely mitigation.
• Coordinate the incident management process, ensuring prompt logging, investigation, root cause analysis (RCA), and closure of IT incidents.
• Support the activation and escalation under the Cybersecurity Incident Response and Recovery Plan (CIRRP).
• Work closely with IT, Information Security, and BCM teams to ensure effective response and post-incident reviews.
• Maintain oversight of Business Continuity (BCP) and Disaster Recovery (DR) testing outcomes and ensure alignment to the bank’s Resilience Framework.
• Conduct IT risk assessments for new systems, digital channels, APIs, and major IT projects.
• Evaluate and monitor third-party/vendor IT risks, including due diligence, data privacy, service continuity, and exit strategies.
• Participate in Change Advisory Board (CAB) sessions to ensure risk considerations are embedded before deployment.
• Ensure compliance with Bank of Uganda, Data Protection, and Group Information Security standards.
• Coordinate responses to internal audits, external audits, and regulatory inspections, ensuring timely closure of findings.
• Maintain strong engagement with Group IT Risk and Group Information Security to align local initiatives with Group frameworks.
• Identify and assess emerging technology risks, including AI, cloud, fintech partnerships, and open APIs.
• Conduct periodic risk reviews, thematic analysis, and technology risk stress testing.
• Champion awareness sessions on cyber hygiene, information security, and IT risk governance across business units.

• Bachelor’s degree in Information Technology, Computer Science, Information Science, Information Systems, Information Security or related disciplines
• CRISC, CISM, CISSP, CISA, ISO 27001 Lead Implementer & related professional qualifications (Added Advantage)
• Master’s degree in IT, MBA, Computer Science, Risk & related disciplines (Added Advantage)