What are the responsibilities and job description for the Tech Risk and Controls Director position at JPMorgan Chase?
Role Summary
Employee Platforms powers the technology and services that enable great employee experiences at scale across the firm. As Executive Director of Risk & Controls for Workforce & Experience Technology (WXT) & EP CTO, you will lead the first-line risk and control agenda, partner with the business in framing and managing business risk, and drive technology risk strategy as part of the EP CTO workstreams. You will own risk identification, control design and effectiveness, RCSA execution, issue management, and regulatory/audit engagement in close partnership with engineering and product leaders, ensuring resilient, secure, and compliant platforms that support hundreds of thousands of colleagues globally.
Key Responsibilities
- First-line ownership of risk and control posture for WXT, aligning control objectives with EP strategy and platform roadmaps and embedding controls into platform architectures and operating procedures.
- Lead the full control lifecycle: design, implementation, monitoring, attestation, and continuous improvement, ensuring control effectiveness and sustainability.
- Establish, track, and report KRIs/KPIs and control health metrics; deliver transparent, data-driven dashboards and narratives for senior stakeholders and governance forums.
- Govern issue management and remediation: ensure timely, high-quality corrective actions with root-cause analysis, evidence, and durability testing; oversee closures and validation.
- Key trusted partner for the business in evaluating business objectives and corresponding risks, with the ability to frame and translate them into action plans and strategies that drive outcomes. This includes owning and participating in business routines.
- Partner with architecture, engineering and product to integrate and codify control requirements into technical standards, preferences, configuration baselines, CI/CD pipelines, and change management processes. This will be key in the world of agentic technology and agents.
- Coordinate internal and external audit/exam readiness, walkthroughs, evidence management, and responses; maintain strong control narratives and documentation.
- Lead policy and standards adherence, exception governance, and execution of firm control procedures; align with central frameworks while tailoring to WXT realities.
- Build and lead a high-performing control management team; develop talent, define operating model, and strengthen risk culture across EP.
- Collaborate across EP, CTC, Cybersecurity, Technology Operations, and Lines of Business to harmonize control approaches and share best practices; influence senior leaders on risk tradeoffs and investments.
- Anticipate emerging risks (e.g., endpoint security, identity lifecycle, SaaS governance, vendor/third-party, AI/automation), and drive proactive controls and resilience measures.
Required Qualifications
- 12 years of progressive leadership in first-line technology risk and control management within large-scale, complex technology organizations; proven success partnering with engineering and product.
- Deep experience with control design/testing, metrics, issue management, and regulatory/audit engagement in enterprise environments.
- Strong domain knowledge across workforce technology: endpoint/device management, identity and access management, collaboration suites, service management platforms, and related cloud/on‑prem integrations.
- Demonstrated ability to embed controls into technical standards and configuration baselines; strong understanding of change, incident, problem, and release management controls.
- Executive communication and stakeholder management skills; ability to simplify complex risk topics and influence at senior levels.
- Experience in managing business risk with LOB partners.
- People leadership: building, coaching, and scaling high-performing control teams; operating model design and continuous improvement mindset.
- Bachelor’s degree in Information Systems, Engineering, or a related field, or equivalent experience.
Preferred Qualifications
- Certifications such as CRISC, CISA, CISSP, CIA, or equivalent.
- Experience with large-scale endpoint/security configuration standards, identity governance, and SaaS risk management.
- Familiarity with regulatory frameworks and expectations relevant to technology and operational risk in financial services.
- Data and automation fluency for control monitoring, analytics, and reporting.