Senior IT Risk Program Manager (Remote a Possibility)
Job description
POSITION SUMMARY
The Sr IT Risk Program Manager (Sr ITRPM) works independently under the direction of the Director of Information Technology Risk Management. The Sr ITRPM is responsible for oversight and management of the Information Security (IS) and Information Technology (IT) Department Risk Program for the Bank. This position leads and directs the IT Risk program, which includes governance, risk assessment, risk analysis, risk metrics and reporting, program maintenance and organizational integration. The Sr ITRPM supervises the ITRPS and the ITRPM.
This role works directly with technology and business leaders to maintain a high-level knowledge and understanding of information security and risk issues, and oversees the risk management and assessment efforts and the development of effective remediation programs. The Sr ITRPM leads and directs the IT and IS audit and compliance areas to ensure the controls established by management are appropriate for the size and complexity of the IT operation. The role is responsible for developing, refining, and ensuring adherence to technology best practices in the areas of IT General Controls, Audit, Information Security, Vendor Management and Business Continuity planning.
MAJOR RESPONSIBILITIES
- Supervise and provide guidance to ITRPS and ITRPM in all areas of risk compliance and data governance, IT audit and compliance, and support of Business Continuity (BC) and Vendor Management (VM)
IT RISK AND DATA GOVERNANCE PROGRAM SUPPORT, MANAGEMENT AND DEVELOPMENT
- Responsible for overseeing and approving the customized risk and control framework process, and for ensuring it is aligned with current regulatory requirements, leading practices and internal requirements to improve the organization's IT risk profile.
- Ensure continual alignment to the business and IT strategy through oversight of the IT Risk Management framework and processes.
- Lead, advise on and approve the annual risk assessment process and improvement recommendations. Ensure the process addresses new and updated requirements, and any gaps, so that it fully covers the IT risk profile. Oversee implementation.
- Responsible for the process of identification, analysis, and evaluation of risk using an assessment methodology and procedures for the company’s assets, relationships, processes, and functions associated with IT risk. Approves and advises on recommended action steps.
- Oversee the process to ensure all areas of IT risk are updated and current with regulatory, compliance, law, and industry standards.
- Ensures collaboration occurs cross-functionally to help mature and execute the IT Risk processes which include governance, risk assessment, risk analysis, risk metrics and reporting, program maintenance and organizational integration. Leads and directs this process and provides advice and direction.
- Oversee the process to ensure all programs, schedules and testing methods of the Bank’s IT test and exercise program are updated and current to the Bank’s IT policies and programs, compliance, and regulatory requirements. This includes but is not limited to: IS Incident Response, application, software, and other technology testing and BCPM tests and exercises.
- Oversee the IT, IS and BC test program to ensure tests are appropriate to the IT risk profile and are completed within the required timeframe.
- Provide leadership, direction and assistance to all IT and business areas in testing activities and requirements.
- Oversee all IT, IS and BC test and exercise reporting.
- Oversee and lead, in cooperation with other IT managers, in the enhancement of the IT Risk Program for the Bank. Proactively introduce new and changed requirements to include solutions.
- Complete educational courses and monitor regulatory agencies and banking groups to maintain a high-level awareness and understanding of new and changed IT risk, compliance, and data governance regulations, laws, and current events. Interpret, communicate, and report the new and changed information.
- Partner with Product and department managers to continuously improve the IT risk processes and programs.
INFORMATION SECURITY (IS) RISK AND DATA GOVERNANCE PROGRAM SUPPORT, MANAGEMENT AND DEVELOPMENT
- Collaborate with the ISO to improve and enhance the IS risk and data governance programs.
- Maintain a high-level awareness and understanding of IS risk and Data Governance regulations, laws, and current events.
- Monitor for new and changed regulation, compliance, laws, and best practices related to IS risk and incidents. Interpret and communicate to ISO.
- Perform reviews of IS implementations related to risk and data governance updates and changes.
- Participate with ISO in cyber incident responses and planning. Advise members in IT risk areas in ISO's absence.
- Partner with the ISO to continuously improve the IS processes and programs.
- Assist the ISO with risk assessments based on cybersecurity frameworks such as NIST, FFIEC guidance, or the FFIEC Cybersecurity Assessment Tool (CAT).
- Assist the ISO to lead, advise and approve recommended IS improvements to the customized Cyber Risk Assessment. Ensure the process addresses new and updated requirements in addition to gaps resulting in an improved IS risk profile.
- Oversee updates and implementation.
- Collaborate and participate in supporting Enterprise Risk Management.
- Ensures collaboration occurs cross-functionally to help mature and execute the IS Risk processes which include governance, risk assessment, risk analysis, risk metrics and reporting, program maintenance and organizational integration. Leads, advises, and directs this process.
- Collaborate, and provide advice and direction to the CRO, Internal Audit, Information Security, and related departments regarding IS Risk Management issues and controls to ensure issues are addressed and controls are current to regulation, compliance, and law.
- Collaborate with ISO to identify, correct and implement IS new and changed processes and procedures.
- Maintain a high-level awareness and understanding of the Bank's current IS risk profile and updated industry standard methods to reduce and monitor the risk. Seek out educational opportunities through regulatory agencies, bank user groups and webinars to remain current.
- Interpret, communicate and report new and changed requirements to appropriate lines of business managers.
- Partner with the department managers to continuously improve the IS risk processes and programs.
INFORMATION TECHNOLOGY BEST PRACTICE MANAGEMENT AND DEVELOPMENT
- Maintain a current high-level understanding of industry best practices regarding IT and IS risk management to improve the IT and IS risk position in reporting, policy and procedures.
- Provide advice and guidance to IT and other managers to enhance reporting, policy, programs, and procedures.
- Responsible for ensuring the IT SharePoint Policy, Program and Procedure site remains current and organized.
- Oversee the IT (including IS, BC and VM) policy, program, and procedure review process to ensure it is current with regulatory and industry standards and best practices, and that it is maintained and on schedule.
- Provide advice and guidance, in advance of scheduled renewal, to ensure policies, programs and procedures are current to regulation, law, industry standards and data governance best practices prior to submission for approval.
- Collaborate with all technology groups, lines of business, and corporate functional areas to define, gather and analyze metrics.
- Monitor reporting for enhancements to further develop the IT Risk reports to ensure management and board reporting remains relevant to the IT risk position. Communicate to IT managers and collaborate on implementation.
- Ensure report accuracy in advance of the meetings and provide guidance to managers for improvement.
- Review the IT Steering Committee monthly agenda prior to the meetings to ensure IT risk areas are covered.
- Responsible for providing updated IT Steering Committee recurring items (e.g., minutes, DR/BCP test results, metrics and project reports).
- Provide targeted reporting to all levels of IT and Business Management regarding gaps and enhancements. Provide advice and guidance in these areas.
- Provides targeted and quantifiable reporting of IT Risk Management activities, including all aspects of the metrics/reporting lifecycle management.
- Collaborate with ISO to monitor key risk indicators (KRIs) and key performance indicators (KPIs) in all IT areas with a specific focus on IS.
- Participates as a member of risk-related committees at the management and board level.
- Oversee the assistance provided by the ITRPM and ITRPS to the BCPM with the BC Steering Committee preparation and meeting documentation and monthly reports.
- Attend BC Steering Committee meetings to communicate new and updated risks in IT and IS. Advise and assist with solutions and implementation to improve the risk position.
- Responsible for ensuring that the BCPM and VMPM positions are covered in their absence.
IT AUDIT AND COMPLIANCE MANAGEMENT
- Partner with IA, External Audit, IS, Risk and IT Directors/Managers regarding audit assignments and programs.
- Ensure the IT and IS audit program is current and appropriate for the size and complexity of the IT organization.
- Review and approve audit schedules.
- Provide leadership and direction in the department's audit, exam and/or review processes.
- Oversee the process to ensure requests are addressed timely and that each audit, exam and/or review is completed accurately and efficiently.
- Attend and participate at all IT audit meetings. Ensure accurate records are maintained regarding decisions. Attend Board Audit and/or Risk Committee Meetings as needed.
- Oversee and approve the risk and control process framework to ensure the organization’s IT risk profile is consistently aligned with current regulatory, leading practices and internal requirements. Ensure gaps are identified and addressed.
- Make recommendations and collaborate with Internal Audit, IS and related departments regarding IS Risk Management audit and compliance requirements.
- Responsible for ensuring all areas of IS reports and P&P are updated and correct in relation to current audit/compliance requirements.
- Oversee the audit remediation process.
- Attend meetings and review decisions to ensure best practice solutions are applied and current to requirements. Provide guidance and recommendations.
- Communicate audit process changes to IT management timely.
- Maintain a high-level awareness and understanding of all current applicable regulations and laws in areas of IT, IS, BC, and VM to lead the department in continually improving the audit/exam and compliance review processes.
- Seek out information through monitoring regulatory agencies, banking and user groups, conferences and webinars and other resource experts.
- Communicate updates and new requirements to IT management and applicable oversight committees as applicable. Provide guidance and recommendations.
- Oversee and advise on implementation of new regulation, industry standards and laws to ensure the IS audit/compliance risk program is current.
- Maintain a high-level awareness and understanding of new and changed regulation and compliance related to IS risk and incidents.
- Assist and participate with ISO to interpret, recommend, communicate, and implement applicable policies and procedures.
- Review and approve department audit and compliance reporting.
- Present to management and board committees as requested.
ASSIST AND BACK UP THE BUSINESS CONTINUITY PROGRAM (BCP) AND VENDOR MANAGEMENT PROGRAM (VMP)
- Perform the role of BCPM and VMPM in their absence.
- Assist the Director of IT Risk to lead the bank through BC/DR recovery activities during an unplanned event and in the absence of the BCPM.
- Maintain a high-level knowledge of BC and VM programs and processes including applicable risks to the programs.
- Attain and maintain a high-level understanding of risks related to BCP and VMP. Advise and assist to implement risk position improvements.
- Oversee the documentation of events, tests and meetings and ensure that action items are resolved accurately. Provide guidance where appropriate.
- Collaborate with the BCPM and VMPM on enhancements, audits, and education.
- Ensure BCP and VMP reports are completed accurately and timely.
- Present reports upon request.
- Ensure BC plans, processes and tests are current and ready for use by critical departments in the case of an unplanned event.
- Assists in a leadership role with coordination of unplanned events.
- Assist and provide input regarding Lessons Learned to include resolution decisions and implementation as applicable.
- Collaborate with the BCPM and VMPM to address past due and outstanding items. Act to resolve issues when requested to back up either position in the absence of the managers.
- Maintain and ensure VM records are current and updated.
- Collaborate with VM to identify and implement improvements.
- Participate, and lead as required, in all levels of vendor reviews and onboarding.
- Participate on special projects.
EDUCATION EXPERIENCE AND OTHER SKILLS REQUIRED
- College Degree in Computer Science or Information Security or equivalent work experience preferred
- Minimum 5-8 years’ experience demonstrating leadership and management skills.
- Minimum 5-8 years’ experience in Information Technology and/or Information Security.
- Minimum 5-8 years’ experience in information risk governance; or
- Any combination of academic education, professional training, or work experience, which demonstrates the ability to perform the duties of the position.
- Current CISSP, CISA, CRISC, CISM or other equivalent information security or risk management certification required.
- Business Continuity Certified Planner (BCCP) or Certified Business Continuity Professional (CBCP) beneficial
- Certified Regulatory Vendor Program Manager (CRVPM) beneficial
- Experience using risk based/cyber security frameworks, such as NIST
- Experience with building and managing relationships with senior level stakeholders
- Advanced knowledge of laws and regulations impacting data protection and the confidentiality, integrity, and availability of systems and data in the financial industry, such as Sarbanes-Oxley and state regulations
- Advanced knowledge of all phases of IT, IS Cyber, BCP, VMP risk assessment including identification, analysis, impact evaluation, response, reporting and tracking
- Advanced knowledge of how technologies, processes, and controls impact risk in both the information systems and corporate business environment.
- Knowledge of BC and VM with the ability to back up those processes.
- Ability to use personal computers and Windows-based programs, including Microsoft Word, Excel, and PowerPoint.
- Advanced knowledge and ability to administer GRC software.
OTHER ESSENTIAL QUALIFICATIONS
- Adaptability and demonstrates good judgment.
- Excellent written and verbal communication skills
- Strong analytical, planning, problem solving and time management skills
- Interpersonal skills to interface with internal and external parties in a professional manner
- Organizational abilities.
- Maintains a current understanding of Bank policies and procedures, in compliance with all state and federal laws including but not limited to Bank Secrecy Act (SARs, OFAC), Information Security Guidelines (Privacy, GLBA), Identity Theft Red Flags, and Unfair, Deceptive, Abusive Acts or Practices.
- Work with customers via telephone, email, VPN and remote web meeting, in conjunction with employing all available technical resources internally and externally, to bring issues to a timely resolution.
PHYSICAL AND MENTAL REQUIREMENTS
- Ability to maintain confidentiality
- Ability to work independently
- Ability to work in a team environment
- Ability to grasp new concepts
- Exercise independent judgment in decision making
- Ability to simplify and communicate very complex ideas for general understanding
- Strong leadership skills
- May be required to lift up to 50 pounds.
COMPANY PROFILE
Established in 1975, Tri Counties Bank is a wholly-owned subsidiary of TriCo Bancshares (NASDAQ: TCBK) headquartered in Chico, California, with assets of over $10 billion and more than 45 years of financial stability. Tri Counties Bank provides a unique brand of Service With Solutions® for communities throughout California with a breadth of personal, small business and commercial banking services, plus an extensive branch network, more than 37,000 surcharge-free ATMs nationwide, and advanced online and mobile banking.
Tri Counties Bank remains strong and profitable through our top-down commitment to our core values, sound business principles and responsible lending practices.
Our success is also based on our community engagement. We still believe in the vision of the helpful and caring community banker. As we grow and serve more communities, we become more involved, providing substantial financial and volunteer support to local economies and community organizations. We applaud our employees who roll up their sleeves to work and volunteer for a greater good in our communities.
Tri Counties Bank hires individuals who are qualified for the role and who represent the communities in which we serve. We look to place people in positions where they can best utilize their abilities and strengths, and where they are able to grow with the Bank.
The hiring range for this opportunity is $62,000 to $90,000 annually along with incentive opportunities, creating a competitive total compensation package based on our pay scale, and may be modified by location and is commensurate with qualifications and experience.
Tri Counties Bank is an Affirmative Action and Equal Opportunity Employer, Race/Color/Religion/Sex/Sexual Orientation/Gender Identity/National Origin/Disability/Veteran.