About Group Compliance
Group Compliance provides sound advice regarding legislation, regulations, industry standards, codes, guidelines and best practice to operational management, projects and business units through the application of Compliance Risk Management principles, policies, processes and procedures.
Key Purpose
The success of Discovery is made possible by our great people. Group Compliance strives to be the most trusted and respected compliance practice in the financial services sector, and our motto should reflect that we are Trusted, Visible and Respected within the Discovery Group.
Our Group Compliance department is looking for a knowledgeable self-starter to join the team as an IT Compliance Specialist, responsible for managing compliance risks through the application of policies and frameworks pertaining to our corporate regulatory obligations.
The successful candidate will be required, among other duties, to take full accountability for the development and implementation of a complete end-to-end IT Compliance programme for Discovery Group in line with best practice.
Areas of responsibility may include, but are not limited to:
Overview
Facilitate CRMPs (compliance risk management plans) to identify areas of compliance per juristic entity and geographical area of economic activity
Review and understand areas of compliance and any changes required as a result of changes in legislation.
Identify and test compliance controls to provide independent assurance that the controls will yield compliance with laws and regulations.
Report on the level of compliance to management, the board and governance forums in line with IT compliance standards
Identify remediation actions and control enhancements to ensure full remediation and compliance with the law.
Maintain the IT compliance risk management frameworks. The following actions, not meant to be a comprehensive list, inform the requirement:
IT Compliance risk management framework is developed and maintained in accordance with the Generally Accepted Compliance Practice framework.
Advice is provided to management in respect of the IT compliance policies and procedures which address compliance related complaints.
A communication strategy and process is developed and implemented in order to keep IT compliance stakeholders informed of the design, implementation and maintenance of the IT compliance framework.
IT Compliance stakeholders are engaged to promote alignment of Group compliance and business objectives.
Sound working relationships are maintained with IT compliance stakeholders.
IT Compliance related advice is provided to management, staff and other compliance stakeholders.
Define, assess, maintain and advise on the IT regulatory universe. The following actions, not meant to be a comprehensive list, inform the requirement:
Regulatory requirements, including existing, changed or new requirements are researched and those which are applicable to the business are identified and explained in plain language to management, staff and other IT compliance stakeholders.
IT Compliance issues and concerns are identified and IT compliance related advice is provided to management.
The organisation's products and services are described in order to develop business-relevant compliance solutions.
Develop, facilitate the compilation of, and review IT compliance risk management plans. The following actions, not meant to be a comprehensive list, inform the requirement:
IT Compliance risks related to regulatory requirements are identified and assessed and control measures are outlined.
IT Compliance plans are designed and developed in risk management format.
Regulatory requirements are analysed and the implications of non-compliance are assessed using appropriate risk assessment methodologies.
IT Compliance risk management plans are presented and communicated to management, staff and relevant stakeholders in order to cultivate buy-in and to bring about changes in the control environment where necessary.
Conduct IT compliance monitoring. The following actions, not meant to be a comprehensive list, inform the requirement:
An IT compliance monitoring plan is developed in terms of Discovery’s planning standards.
IT Compliance monitoring is undertaken and working papers are prepared to assist management and the board of directors to understand whether business is conducted in compliance with relevant regulatory requirements.
IT Compliance monitoring findings are analysed and evaluated in order to support valid monitoring conclusions and recommendations.
IT Compliance monitoring reports are produced in accordance with Group Compliance reporting requirements.
IT Compliance monitoring outputs are followed up and tracked to assist management and the board to understand the status of IT compliance risks and exposures.
Compile and submit internal and external compliance reports. The following actions, not meant to be a comprehensive list, inform the requirement:
Governance structures relating to IT compliance reporting are identified and analysed.
Independence and objectivity are consistently demonstrated.
Internal reporting methodologies are applied in accordance with organisational reporting requirements.
Responsibilities for the submission of IT compliance reporting are allocated to IT compliance stakeholders in order to establish an effective compliance reporting framework.
Information is obtained effectively, efficiently and ethically from IT compliance stakeholders and managed for the purpose of compliance reporting.
Records relating to compliance reporting are kept to serve as an effective audit trail relating to compliance reporting.
Interact with industry regulators, supervisors and stakeholders. The following actions, not meant to be a comprehensive list, inform the requirement:
IT Compliance roles and responsibilities in respect of regulators, supervisors and stakeholders are identified and recorded.
Written and verbal communication is undertaken with regulators, supervisors and/or compliance stakeholders in support of a sound working relationship and to discharge responsibilities in terms of regulatory requirements.
The relationship with regulators or supervisors is managed in order to promote a sound working relationship between them and the organisation.
Reports are submitted to regulators or supervisors in accordance with governance requirements.
Where there are revised or new regulatory proposals, a process is developed and implemented to evaluate the impact of such changes and to engage with and influence industry regulators, supervisors and stakeholders, where required.
Skills and Personal Attributes
Detailed knowledge of local legislation and regulations relating to Information Technology (e.g. POPIA, PAIA, ECTA)
Working knowledge of international legislation and regulations relating to Information Technology (e.g. GDPR, Computer Misuse Act)
Proven track record with the COBIT, King IV, ISO 31000, ISO 27001/27002, NIST CSF, DMBOK and ITIL frameworks
Thorough understanding of governance, risk, compliance, and assurance concepts
Advantageous to have performed and worked with risk-based auditing or risk-based compliance monitoring
Previous exposure to control and risk facilitation : risk / control identification and assessments
Understanding of compliance with IT requirements alongside other relevant compliance requirements
Persuasive and able to work in larger teams
Logical and pragmatic
Goal orientated and driven
Good facilitation ability
Writes in a well-structured and logical way
Ability to write and review compliance policies and compliance guidance notes
Strong listening, organisational and communication skills
Work independently and as part of a team when required
Efficient time management skills, including quick turnaround time on work
Attention to detail
Takes ownership of work
Focus on understanding implementation of regulations and aligning this to a business model
Able to work well under pressure
Legislative knowledge and interpretation
The ability to think in an analytical and conceptual manner
Education and Experience
LLB, BCom, BSc Information Technology, BCom Information Technology, Honours, Certified Information Systems Auditor (CISA), CRISC, CGEIT, CDPSE, CIPP, CIA, CA (SA), CPRAC, CPRO (minimum requirement)
Post-graduate qualification in Compliance Management (advantageous)
At least five years' experience within a compliance environment, with working knowledge of the laws, regulations and codes holistically impacting a group of companies, as mentioned in this document.