Director, Operational Risk Management Information Technology and Security Risk

Risk Dallas, Texas


The Information Risk Management (IRM) team at Santander Consumer is a part of 2nd line Operational Risk Management and is focused on development, implementation, execution and management of the Operational Risk Management Framework, Policies and Procedures. Providing oversight, review and credible challenge of risk management activities owned and managed by the 1st line of defense Information Technology (IT), Information Security (IS) and Business Continuity (BC) functions. The IRM team works with operational risk subject matter experts, key business leaders and decision makers to solve problems by analyzing data to provide insights that drive the risk culture at the firm.

The individual will be responsible for managing a team of individuals executing a series of operational risk management monitoring, testing and other oversight activities. They will partner with key stakeholders across all lines of defense, all business lines and support functions, including IT, IS, BC, Risk, Compliance, Legal, Audit, Human Resources, Finance and other Operations, to support the identification, assessment, management and reporting of information risks. The individual will work in concert with the broader operational risk management team to ensure close coordination, integration, transparency and awareness of information risks across all risk management programs.

  • Provides 2nd Line risk oversight of the Information Risk Management Program and provides direct 2nd Line support for the Information Technology, Information Security, Business Continuity Management and Records Management Programs, including policies/standards/procedures, strategies, material risks, risk reporting routines and metrics.
  • Independently serves as a trusted partner and risk advisor to key stakeholders and business partners across all lines of defense.
  • Credible review and challenge of 1st Line Risk and Control Self-Assessments, including process mapping, identification and assessment of risk, identification of controls, and assessments of control design and effectiveness.
  • Provide direct support for regulatory exams and interactions, including assessing risk remediation/mitigation activities.
  • Perform independent risk assessments of information risk management related disciplines, including information technology, information security, business continuity management and disaster recovery and records management.
  • Positively contribute to the risk culture and overall awareness of information risk and contribute to the creation and delivery of information risk management training.
  • Escalate, report and communicate information risk management matters to executive management and/or regulatory bodies.

Who You Are

The candidate needs to be a dependable teammate with strong hands-on experience in Information Technology. Will need to know how to explain the essential insights to individuals at all levels; identify, understand and convey business risks, and translate requirements into testable hypotheses and usable insights. Can identify the approach best for the task at hand based on the business requirements, your knowledge of operational risk and technology. Have a proven track record demonstrating measurable business impact through relationship building, influence and innovation. Are intellectually curious, resourceful, and comfortable with ambiguity, continually learning, and always finding opportunities to share knowledge with others.

At Santander, we value and respect differences in our workforce and strive to increase the diversity of our teams. We encourage everyone to apply.


  • 10+ years of related experience; ideally a combination of Technology Risk (1st or 2nd line), IT Audit (3rd line) and/or 1st LoD Information Technology or Information Security experience
  • 5+ years in a leadership role managing staff and third-party relationships
  • Experience in Banking or Financial Services
  • Ability to work collaboratively with a broad range of constituencies
  • Bachelor’s degree in the field of IT, Information Security or related field; Master’s degree preferred
  • One or more recognized industry certifications from ISACA, (ISC)2, SANS/GIAC, IIA, etc.
  • Thought leader, strategic and critical thinker, problem solver
  • Motivated self-starter with positive energy
  • Ability to work well both independently and collaboratively as a member of the team
  • Ability to multi-task, work in a fast-paced environment and adapt to change
  • Ability to influence and deliver a difficult message
  • Strong written and verbal communications
  • Experience interacting with and presenting to C-level executives and Federal Regulators/Examiners
  • Strong program and project management skills/capabilities (PMP a plus)
  • Informed perspective on market environment, future trends, and emerging risks
  • Integrity, combined with high personal and professional standards
  • Spanish language skills preferred
  • Advanced Data Visualization Skills with comfort in Business Intelligence tools (e.g. Tableau, Power BI, MicroStrategy, etc.) preferred


  • Risk Management Knowledge: Risk Identification, Risk Assessment, Risk Treatment Measures including Risk Acceptance, Governance including Measuring/Monitoring/Reporting, Risk Aggregation, Control Assessments & Controls Testing, etc.
  • Information Technology Related Knowledge:  Asset management, change management, incident/problem management, patch management, Software Development Life-Cycle (SDLC), release management, capacity/performance management, data/records management and destruction, backup and recovery, etc
  • Information Security Related Knowledge: Identity and access management, privileged access management, generic ID management, threat intelligence, vulnerability management, secure coding practices, FFIEC Cyber Assessment Tool (CAT), data security and encryption, phishing, forensics, mobile security, third-party vendors, etc.
  • Business Continuity Management including Business Impact Analysis and Disaster Recovery Planning.
  • Technical skills and capabilities (minimum requirement: general understanding and/or working knowledge):  Microsoft Windows, Red Hat Linux, IBM AIX, IBM Mainframe/Midrange, VMWare ESXi, LAN/WAN/MAN Networking, Firewall Technologies, Intrusion Detection/Prevention Systems (IDP/IPS), Security Information and Event Management (SIEM), Cloud Computing, Governance Risk and Compliance (GRC) Tools, Web Proxies, SQL/Oracle/DB2 Database Technologies, Data Leakage Protection (DLP), Storage Area Networks (SAN) and Network Attached Storage (NAS), Email Systems, End-User Computing, Web Servers, Middleware Technologies, Microsoft SharePoint.
  • Regulatory Knowledge:  Gramm-Leach Bliley Act (GLBA), Sarbanes-Oxley (SOX), OCC Heightened Standards, FFIEC Guidelines, HIPAA, NYDFS, GDPR.
  • Knowledge of Industry-Standard Frameworks:  NIST Cybersecurity Framework, SAN/CIS Critical Security Controls, ISO 9001/20000/22301/27001/31000, ISACA COBIT, COSO 2013.

Employees desiring consideration should complete an online application, utilizing the appropriate process as subscribed by the posting entity. Employees should provide all pertinent information to support their candidacy.

To be considered eligible for internal posting, Santander employees must meet all of the following eligibility requirements:

•           Completion of at least one year of active service in Santander

•           Completion of at least twelve months in current position

•           Be in “Good Standing”  

Please click here to see the full policy -

Primary Location: Dallas, TX, United States

Organization: Santander Consumer USA,