Tech Risk & Compliance Lead

ROLE PURPOSE

The Tech Risk & Compliance Lead is a hands-on, execution-focused role within the EMEA IT Risk and Compliance function, responsible for the practical design, implementation and testing of SOX IT General Controls (ITGCs) across the EMEA technology estate, alongside supporting compliance with the wider European regulatory landscape including the General Data Protection Regulation (GDPR) and the Digital Operational Resilience Act (DORA). The role holder works directly with architects and application owners to build IT controls into systems, performs control design and operating-effectiveness testing, collects and reviews evidence, manages deficiencies through to remediation, and acts as the day-to-day interface to internal and external auditors (PwC), risk and data protection functions, and regional IT leads.

KEY RESPONSIBILITIES

Control Design, Implementation and Testing

  • Design and document SOX-compliant control specifications for IT platforms - covering logical access, change management, computer operations and segregation of duties - and work with IT owners to implement them in production.

  • Apply controls-by-design in practice: review designs, configurations and change requests against control requirements and confirm SOX, data protection and operational-resilience controls are built in before changes reach production.

  • Plan and execute control design and operating-effectiveness testing across the ITGC portfolio, including sample selection, test execution, workpaper preparation, and conclusion on control adequacy.

  • Maintain a detailed control inventory, test calendar and RACI for each control, and track identified deficiencies through root-cause analysis to validated remediation.

Architecture Review and Controls by Design

  • Review infrastructure architecture documents, design proposals, and change requests to assess SOX control implications prior to implementation; engage at design stage with architects and engineers to embed ITGCs, preventing control gaps from being introduced through system design.

  • Provide compliance input into cloud migrations, platform modernisation, database upgrades, and identity management programmes.

  • Develop and maintain a controls reference framework as a practical design guide for architects and platform owners.

Regulatory Control Implementation and Testing - SOX, GDPR and DORA

  • Embed GDPR technical and organisational controls (access control, encryption, logging, data retention and deletion, and audit trails) into infrastructure design and the ITGC framework, partnering closely with the Data Protection Officer and privacy function.

  • Establish a consolidated regulatory control mapping so that a single, well-designed set of controls satisfies SOX, GDPR and DORA obligations, reducing duplication and control fatigue across the estate.

  • Report on control implementation and testing status against regulatory requirements and track remediation of identified gaps through to closure.

Advisory and Stakeholder Engagement

  • Act as compliance advisor to application owners, architects, and engineering teams on ITGC-compliant access models, change workflows, and operational procedures.

  • Participate in architecture review boards and governance forums as the designated compliance representative; serve as primary contact for internal audit and PwC for all infrastructure-related SOX testing, evidence requests, and findings management.

  • Provide structured reporting to senior leadership on compliance posture, open findings, and remediation status.

Technology Risk and Continuous Improvement

  • Conduct periodic IT risk assessments and produce decision-ready risk reporting for senior management; assess compliance implications of new technologies and delivery models prior to adoption.

  • Drive standardisation and continuous improvement of the infrastructure compliance programme; develop guidance materials and training for infrastructure and application teams.

  • Operate effectively within an evolving regulatory environment, including GDPR, DORA, FCA requirements, and Lloyd's reporting obligations.

EXPERIENCE

  • Minimum 5 years in IT compliance, IT external or internal audit, or technology risk within financial services, insurance, or Big 4.

  • Proven ownership of SOX ITGC programmes including proactive monitoring and deficiency remediation.

  • Track record of reviewing architectural artefacts from a compliance perspective and guiding technical teams on control implementation.

  • Prior engagement with Big 4 external audit at a senior client-side level, or equivalent auditor-side experience.

  • SOX ITGCs: logical access, change management, computer operations, and segregation of duties.

  • Privileged access management tools: CyberArk and/or SailPoint.

  • Infrastructure platforms: Windows Server, Linux/AIX, iSeries (AS400), Oracle Database, SQL Server, and DB2.

  • Ability to critically assess architecture documents and identify control design implications.

  • Working knowledge of EU regulatory frameworks affecting infrastructure, including DORA operational-resilience requirements and GDPR technical and organisational controls.

QUALIFICATIONS

  • Required: Bachelor's degree in Computer Science, Information Technology, or a related discipline.

  • Preferred: Certified Information Systems Auditor (CISA).

  • Advantageous: CRISC, CISM, or equivalent professional qualification.

We offer in return!

Competitive salary & pension scheme, discretionary bonus scheme, 25 days annual leave plus ability to purchase additional days, hybrid working options, Private Medical cover, Employee Share Purchase Plan, Life Assurance, Subsidised gym membership, Comprehensive Learning & development offerings, Employee Assistance program.

Integrity. Client focus. Respect. Excellence. Teamwork.

Our core values dictate how we live and work. We’re an ethical and honest company that’s wholly committed to its clients. A business that’s engaged in mutual trust and respect for its employees and partners. A place where colleagues perform at the highest levels. And a working environment that’s collaborative and supportive.

Diversity & Inclusion. At Chubb, we consider our people our chief competitive advantage and as such we treat colleagues, candidates, clients, and business partners with equality, fairness and respect, regardless of their age, disability, race, religion or belief, gender, sexual orientation, marital status or family circumstances.

We are committed to ensuring our recruitment process is inclusive and accessible to all. If you have a disability or long-term condition (for example dyslexia, anxiety, autism, a mobility condition or hearing loss) and need us to make any reasonable adjustments, changes or do anything differently during the recruitment process, please let us know.