IT Risk & Compliance Associate

Booking.com follows a defense in depth strategy for managing its risks. As part of this strategy, Booking has 3 departments focussing on each line of defense. Global Internal Audit (GIA) is responsible for the 3rd line of defense, Risk and Controls (R&C) is responsible for the 2nd line of defense, while the responsibility of 1st line has been distributed between process/control owners and the Trust, Risk, Assurance and Compliance (TRAC) team. TRAC is the first-line of defense risk team responsible for Central Tech business unit risks & Security risks across the company.

Our IT Risk & Compliance Associate is aspiring to be an SME, and has domain knowledge of one or two areas to address processes, risks and control issues. They are responsible for working with Issue owners and risk owners within Security & Fraud teams to maintain internal controls around risk and governance.

Our team member as IT Risk & Compliance Associate in Risk Governance team supports Cybersecurity & Risk best practices that include tracking and updating Issue register,supporting teams in triage for cyber risk related activities like performing Issue triage, tracking issue remediation, processing security policy exceptions, track audit issue closure for status and risk.

Our associate is a key resource for our operational IT security risk governance processes such as maintaining cyber risk and issue register, risk acceptances, audit issue remediation status updates are provided to senior management that gives a very high degree of visibility.

Our associate has basic awareness of GRC and related technologies across Risk domains (Cybersecurity, Privacy, Third party, Fraud, Trust & Safety) and provides first level functional and technical requirements with support from Risk & compliance manager for engineering teams to develop technical solutions. They understand what the most critical elements of the technical solution are and can explain and justify the chosen technical solutions.

Our associate takes pride in being the part of processes and operations that have a direct impact on the Cybersecurity Risk and security posture of the organization.

Responsibility

Core responsibilities of IT Risk & Compliance Associate are -

• Manage the operational risk governance processes such as maintaining cyber risk register, security exceptions, tracking remediation status of audit and overdue remediation tasks.

• Manage Risk related activities like updating Risk register, triaging risks, manage internal controls, systems and process landscape to enable clear understanding of impact from IT issues and identify risks to be updated in the cyber risk register and central issue register
• Triage and track issues to closure
• Track and Manage exceptions to IT policies and standards.
• Lead Risk Governance processes together with issue owners and risk owners based in Amsterdam, Manchester and Bangalore
• Keep cyber risks inventoried and updated
• Keep the Policy and Risk knowledge base updated
• Candidates with at least 1-2 years of experience in GRC are preferred.

Stakeholder

Type

Available options:

Cooperation

Persuasion

Information

Frequency

Available options:

Continuous (daily or a number of times a day)

Frequent (about once a week)

Occasionally (once or twice a month or less)

Tech business function and other business units

Cooperation

Partner with SSF issue owners and risk owners by providing guidance and support in designing and implementing appropriate controls to strengthen the control environment, mitigate the company risks and support the business in achieving objectives.

Identify control gaps, based on identified risks.

Facilitate and participate in cross functional groups to implement or enhance controls in cross functional processes.

Support SSF issue and risk owners in resolving issues related to tracking updates on open issue, open risks coming from Issue management, Exceptions and Audit issue tracking.

Occasionally

Risk Governance

Perform

Triage and monitor risks on risks in Risk register or observations and work with risk owners to update status.

Report the outcome of tracking risks coming from issues, exceptions and audit issues to relevant trackers.

Frequent

Subject Matters Experts (SMEs) e.g. Security, Fraud, Privacy, Legal, etc.

Cooperation

Coordinate and coordinate with various teams, GIA and other SME teams for managing GIA audit and risk outcomes and expectations of stakeholders

Frequent