The Apex Group was established in Bermuda in 2003 and is now one of the world’s largest fund administration and middle office solutions providers.
Our business is unique in its ability to reach globally, service locally and provide cross-jurisdictional services. With our clients at the heart of everything we do, our hard-working team has successfully delivered on an unprecedented growth and transformation journey, and we are now represented by over circa 13,000 employees across 112 offices worldwide.Your career with us should reflect your energy and passion.
That’s why, at Apex Group, we will do more than simply ‘empower’ you. We will work to supercharge your unique skills and experience.
Take the lead and we’ll give you the support you need to be at the top of your game. And we offer you the freedom to be a positive disrupter and turn big ideas into bold, industry-changing realities.
For our business, for clients, and for you
Job Overview:
Lead the internal technical risk assurance function for banking/finance/hedge fund businesses, ensuring risk exposure is identified, measured, monitored, and remediated across applications, infrastructure, and services. Align all activities to the Cyber Strategy and directives from the Group CISO, and provide decision-ready narratives to the Technology Risk Forum (TRF).
Own end-to-end assurance across policy/standards, control design and operating effectiveness, KRI/KPI governance, RCSA execution, audit/regulator engagement, and executive reporting. Manage local regional expertise and stakeholder communication to enable consistent risk reduction and operational resilience across the region.
Key Responsibilities:
· Metrics & Risk Appetite Governance: Define, maintain, and continuously improve internal KRIs/KPIs mapped to risk appetite; run monthly Metrics Quality Assurance (MQA) checks (accuracy, timeliness, completeness, reconciliation).
· Risk & Control Self-Assessment (RCSA): Lead annual RCSA across applications/platforms; calibrate inherent/residual risk; document treatment plans and risk acceptances; ensure closure to target dates.
· Assurance Execution: Plan and deliver control testing (design and operating effectiveness) across identity, access, change, patching, vulnerability remediation, data protection, incident response, resilience/backup/restore, third-party touchpoints within internal scope.
· Regulatory & Framework Mapping: Maintain a single control library mapped to ISO/IEC 27001:2022, NIST CSF 2.0, ISO 31000, COBIT, GDPR, DORA (EU), EU AI Act, SOX 404 (where applicable), and PCI DSS v4.0 for payments; ensure evidence quality and audit readiness.
· Issue Management & Remediation: Drive RCA for failing metrics and control gaps; implement the Metric Rewrite Protocol where definitions are unfit; track remediation to closure with owners and SLAs.
· Technology Risk Forum Inputs: Provide quarterly TRF packs—regional posture, KRI/KPI trends, material events, themed risks, remediation progress, and clear asks (policy decisions, funding, prioritization).
· Stakeholder Management & Communication: Coordinate with application owners, platform/cloud teams, SOC, IT Ops, Data Protection, Finance, Legal/Compliance, Internal Audit; communicate complex themes in clear, persuasive executive narratives.
· Automation & Reporting: Partner with GRC and BI teams to implement automated dashboards and evidence repositories; maintain data lineage and owner accountability.
· Regional Enablement: Build and mentor local/regional assurance practitioners; harmonise methods, thresholds, and reporting across countries within region.
· Execute delegated tasks as deemed appropriate by the Group CISO and other empowered Group Cyber leadership authorities, ensuring timely and effective completion in alignment with organizational priorities.
· Support the Group Cyber Strategy end-to-end, driving alignment of all activities, decisions, and deliverables with strategic objectives and business outcomes.
Candidate Profile
· 7- 8 years in cyber risk assurance, internal audit, or GRC within financial services.
· Demonstrated experience leading RCSA/control testing and turning failing metrics green via structured remediation.
· Deep familiarity with ISO/IEC 27001:2022, NIST CSF 2.0, ISO 31000, COBIT 2019, GDPR, DORA (EU), EU AI Act, SOX 404 (as applicable), and PCI DSS v4.0/v4.0.1.
· Exceptional communication, presentation, articulation, and stakeholder influence skills; strong executive-level storytelling.
Disclaimer: Unsolicited CVs sent to Apex (Talent Acquisition Team or Hiring Managers) by recruitment agencies will not be accepted for this position. Apex operates a direct sourcing model and where agency assistance is required, the Talent Acquisition team will engage directly with our exclusive recruitment partners.
