Manila (One Ayala Tower 2), Philippines
24 days ago
Business Control Officer

Risk Governance

ING Hubs Philippines’ risk governance structure follows ING Bank’s three lines of defence model. This model aims to provide a sound governance framework for risk management by defining and implementing three risk management ‘layers’ with distinct roles, execution, and oversight responsibilities.

First line of defence (1LoD)

Each department and business line has the primary ownership, accountability, and responsibility for assessing, controlling, and mitigating all financial and non-financial risks affecting their businesses and for the completeness and accuracy of financial statements and risk reports with respect to their responsible areas.

Meanwhile, the Management Committee (ManCom) is responsible for developing and implementing operational controls to manage and mitigate risks.

The ODCR Team functions as 1LoD risk and control, mandated to ensure framework execution in the organization and to provide control insight and support to the business lines and ManCom.

Specific to ING Hubs, the ODCR Team also:

- Functions as the delegate Data Protection Executive (DPE) Office, ensuring execution of the Global Personal Data Protection Policy and relevant local data privacy requirements
- Covers specialized functions for Fraud Management, Business Continuity Management, and Compliance, ensuring proper execution of relevant controls within the organization

Job Purpose

Contributes to business risk and control functions to ensure that ING’s activities are in line with regulatory requirements and run smoothly, in such a way that it can be demonstrated to the regulators and the outside world. Contributes to the integrity of ING’s products, services, and employees, and compliance with respect to the outside world.

Roles and Responsibilities

Process

Responsibilities

Activities

Training and Awareness

Ensure adequate understanding of control ownership and risks across the organization

- Create awareness about Non-Financial Risk (NFR) responsibilities and control ownership across 1LOD
- Ensure 1LOD staff are trained on NFR methodology and tooling
- Develop local training & awareness plan in collaboration with 2LOD
- Monitor timely participation in mandatory trainings on specific control requirements

Risk Assessment

Facilitate the timely execution of risk assessments, ensuring the participation of relevant 2LoD functions as of the start of risk assessment

- Support the preparation, coordinate, and monitor the timely execution and submission of risk assessments
- Ensure quality and documentation of risk assessment in relevant tooling

Control Design

Support process control design, considering effectiveness, efficiency, and “customer” experience criteria

- Advise business on the design of generic controls, considering effectiveness and efficiency and ensuring automation where possible
- Support business with control definition and documentation, including the definition of control indicators and/or test plans

Control Implementation / Execution

- Facilitate gap analysis/impact assessment and monitor the remediation of gaps related to global policies, control standards, and regulatory requirements
- Ensure the timely and proper documentation of controls in the system
- Coordinate execution of applicable entity wide and/or process specific controls

- Coordinate and advise on the analysis of control requirements to identify any required changes
- Ensure correct pushing of controls in the system
- Document/update risk assessment, risk and control owners, control description, waivers/deviations, test dates, and test plans, among others, in the system
- Together with risk and control owners, ensure timely and proper execution of controls in the entity or within the specific departments/business lines

Control Evaluation

- Perform and/or coordinate Key Control Testing and/or other alternative methods
- Facilitate and document testing results and control evaluation
- In consultation with 2LoD, identify scope and plan of testing of key controls
- Monitor progress on key control testing and/or other alternative methods (e.g., Risk Measurement Model)
- Coordinate and provide input for the timely control evaluation (sign-off on control effectiveness) in the system

Event Management

- Ensure timely capturing, analysis, follow up, and reporting on events
- Support the documentation of lessons learned and facilitate the sharing with/learning from other units
- Embed event reporting process in the local set-up
- Advise departments and business lines on immediate event reporting requirements
- Ensure proper documentation and updates of incidents in the system
- Agree with event owners on follow up actions and track these until closure
- Support root cause analysis and lessons learned delivery
- Monitor timely delivery of lessons learned and share with relevant stakeholders

Issue and Action Management

Execute and/or coordinate the timely definition, capturing, monitoring, and reporting of issues

- Advise on issue risk ratings, action owners, management actions, and timelines to mitigate control deficiencies
- Ensure timely recording of issues and actions in the system with correct linkage to relevant controls and/or regulatory requirements
- Monitor and track progress of issues and facilitate requests of risk rating and target date changes and issue acceptance
- Support business in CAS close out meetings
- Coordinate timely closure of issues

Management Information and Reporting

Prepare dashboards providing management insight on control effectiveness, issues, events, among others

- Report on NFR framework execution as well as on the effectiveness and efficiency of overall control environment to the local NFR Committee and relevant Operations Management Teams
- Support the preparation and reporting of quarterly NFR Dashboard
- Prepare and release reports on NFR Targets

Mandate, roles, and responsibilities are the same except that C&R Officers are assigned as local control and risk owners while C&R Business Partners work with the Delivery Teams in managing 1LOD risk and control activities.

Work experience/skills required:

At least 3 years of banking experience, specifically in the fields of Business Control, Operational Risk Management, Compliance, and/or Audit

(Note: This increases depending on the GJA level. Specialized function (i.e., Fraud, BCM, DPE) will require at least 5 years of experience in the specific field/area of expertise.)

- Demonstrable understanding of and experience with various risk management tools and processes
- Fluent in English (written and spoken); with good communication and presentation skills
- Able to liaise and collaborate with a broad range of individuals, including Senior Management and Global stakeholders
- Able to train others, transfer knowledge, and share expertise
- Able to work well, apply sound judgment, and make timely decisions under pressure
- Proactive, self-starter, and requires minimal supervision
- Able to establish a good working relationship among colleagues
- Experience with an international/global financial institution is an advantage
