As part of U.S. Bancorp's Corporate Risk Management Division, the Operational Risk Management (ORM) Department serves a central coordinated role in helping to assess the levels and trends of operational risk, determining the effectiveness of operational risk controls, and working with Business Lines on opportunities to mitigate operational risk.
The Operational Risk Management Data Protection and Privacy Program Director will be a member of the IT Oversight leadership team (second line of defense) and will be responsible for oversight of administrative, technical and physical safeguards to protect the security, confidentiality and integrity of customer information. They will partner with senior risk management and information security leaders within lines of business and corporate second line of defense functions to establish and oversee effective governance and risk management frameworks for customer information privacy and protection and GLBA, GDPR, CCPA and other legal and regulatory compliance obligations. They may own and drive remediation of program-level legal, regulatory or internal audit findings or actively identify control gaps or other risks to customer information and inform solutions and/or escalate. The Data Protection and Privacy Program Director will coordinate oversight activities across multiple second line of defense functions, including the Enterprise Privacy Office, Information Security Services, Business Continuity, Corporate Physical Security and Third-Party Risk Management and work closely with risk partners within the Technology and Information Security programs.
The Data Protection and Privacy Director is accountable for all data protection and privacy risk within the Bank to include oversight of information security, physical security, third party and privacy controls and their testing throughout each year. The role is responsible for aggregating all the previously stated risk elements into an overall data protection risk opinion that goes annually to the Board. The role also chairs an operating committee – Data Protection and Privacy Committee – which is a subcommittee to the Operational Risk committee.
The Data Protection and Privacy Director is also accountable for projects and/or activities that ensure compliance with applicable federal, state and local laws and regulations. Identifies gaps and drives solutions that minimize losses resulting from inadequate internal processes, systems or human errors. Accountable for the active identification, response and/or escalation of risks as appropriate. Influences policies and procedures to maximize profit potential and minimize regulatory exposure. Accountable for an effective partnership between the Line of Business and the Lines of Defense.
The role will be responsible for carrying out the following responsibilities:
- Manage the Data Protection and Privacy compliance program governance framework.
- Implement and maintain oversight routines to ensure effective controls are in place for safeguarding customer information in the areas of: information security; vendor risk management; incident response; business continuity and resiliency, physical security; technology risk assessment and employee training.
- Carry out monthly governance meetings with senior business line risk management and second line of defense functions.
- Assess sufficiency of corporate policies and procedures for control of customer information risks and drive improvements, as necessary.
- Establish reporting routines, assess the sufficiency of information risk related reports and drive improvements, where necessary.
- Annually develop and publish the Data Protection and Privacy Program report to the Board of Directors.
- Prepare and maintain ongoing evidence of regulatory compliance and assist in internal and external examinations of the program.
- Bachelor's degree, or equivalent work experience
- 15 or more years of experience in an applicable risk management environment
- Applicable certifications
- Considerable knowledge of applicable laws, regulations, financial services, and regulatory trends that impact their assigned line of business
- Considerable knowledge of the business line’s operations, products/services, systems, and associated risks/controls
- Expert knowledge of Risk/Compliance/Audit competencies
- Ability to manage job scope and complexity of assigned business at the multi-departmental and/or multi-divisional level
- Strong leadership and management skills of processes, projects and people
- Excellent written and verbal communication skills
- Strong analytical, problem-solving and negotiation skills
- Proficient computer skills, especially Microsoft Office applications
Primary Location: Minnesota-MN-Minneapolis
Other Locations: North Carolina-NC-Charlotte, United States
Shift: 1st - Daytime