Tech Risk & Controls Lead – Application Risk Classification (ARC) & Model Development
Job Summary
Join our team to play a pivotal role in advancing JPMC’s technology risk management capabilities. As the Tech Risk & Controls Lead, you will own and continuously enhance the Application Risk Classification (ARC) model, while supporting the development and integration of other risk models and performing thematic analysis. You will drive innovation in risk modelling, ensure operational excellence, and provide actionable insights to senior leadership, helping the firm proactively manage technology and cyber risks in a dynamic environment.
Key Responsibilities
1. Own and Enhance ARC Model: Lead the ownership, maintenance, and continuous improvement of JPMC’s Application Risk Classification (ARC) model, ensuring it adapts to evolving threats, technology changes, and regulatory requirements.
2. Support Broader Model Development: Collaborate on the development, integration, and prioritization of additional risk models including de-duplication and reconciliation of risk findings from multiple sources.
3. Thematic Analysis & Insights: Conduct thematic analysis of risk data to identify trends, vulnerabilities, and areas for improvement. Provide actionable recommendations to inform risk-based decision making.
4. Stakeholder Engagement: Partner with engineering, security, business, and data teams to embed risk models into operational and strategic processes. Build trusted relationships to facilitate cross-functional collaboration.
5. Reporting & Communication: Communicate risk priorities, model outcomes, and business implications to both technical and non-technical audiences. Translate complex technical risk data into clear, actionable recommendations for senior leadership.
Required Qualifications, Capabilities, and Skills
6. Proven experience in technology risk management, cyber risk modelling, or information security, with a focus on risk identification, assessment, and mitigation.
7. Strong understanding of application risk classification, risk scoring methodologies and prioritization frameworks.
8. Advanced data analysis skills; proficiency in SQL, Python, R, or equivalent tools.
9. Experience with techniques for de-duplicating and reconciling risk findings from multiple sources (e.g., vulnerability scanners, code reviews, threat intelligence).
10. Ability to synthesize complex technical information and present it in a clear, concise manner to senior executives.
11. Familiarity with regulatory frameworks (e.g., NIST, ISO 27001, CIS Controls) and financial industry requirements.
12. Demonstrated ability to influence strategic decision-making and translate technology insights into business strategies.
13. Excellent written and verbal communication skills.
14. Proactive in staying updated on cyber threat trends, regulatory changes, and emerging technologies.
Preferred Qualifications
15. Industry-recognized certifications such as CISM, CRISC, CISSP, or similar.
16. Experience leading risk model development, application risk classification, or data de-duplication initiatives.