Manager, IT Risk Management

Manager, IT Risk Management Job #: req34735 Organization: World Bank Sector: Information Technology Grade: GH Term Duration: 3 years 0 months Recruitment Type: Local Recruitment Location: Washington, DC,United States Required Language(s): Preferred Language(s): Closing Date: 11/19/2025 (11:59pm UTC)

Description

Working at the World Bank Group (WBG) provides a unique opportunity to help client countries solve their greatest development challenges. The World Bank Group is one of the largest sources of funding and knowledge for developing countries; a unique global partnership of five institutions dedicated to ending poverty on a livable planet. 

With 189 member countries and more than 120 offices worldwide, the World Bank Group works with public and private partners, invests in groundbreaking projects, and uses data, research, and technology to develop solutions to global, regional, and local challenges. For more information, please visit http: http://www.worldbank.org.
The organization has undertaken an ambitious exercise to revise its mandate, products and structure to adjust to the multiple, intertwined crises affecting the world today (see Evolution Roadmap), in the move to becoming a better Bank.

Business Unit Overview

The mission of the Information and Technology Solutions (ITS) Vice Presidential Unit (VPU) is to leverage information and technology as a force multiplier to accelerate, deepen, and sustain development impact. Their vision is to harness information and technology for a world free of poverty on a livable planet. For more information on ITS, check this video: https://www.youtube.com/watch?reload=9&v=VTFGffa1Y7w. 

Department Context

The WBG Information Security Office (ITSSR) provides strategic leadership and enterprise oversight for the World Bank Group’s cybersecurity program. The department’s mission is to safeguard the confidentiality, integrity, and availability of the Bank Group’s digital assets, platforms, and data that enable development operations across 189 member countries. ITSSR delivers global cybersecurity services spanning governance, risk, and compliance; threat intelligence and monitoring; cloud and application security; identity and access management; and incident detection and response. Its role is to ensure resilience of the World Bank Group’s critical systems, including financial platforms, data exchange systems, and knowledge services while enabling digital transformation, innovation, and secure connectivity for staff and partners worldwide.

The department also leads the Bank’s adoption of Zero Trust architecture, AI-enabled security operations, and risk-based frameworks aligned to NIST and international standards. As part of its mandate, it partners with senior leadership across IBRD, IDA, IFC, MIGA, and ICSID to ensure that security governance underpins the Bank Group’s mission to reduce poverty and promote shared prosperity.

Unit Context

The ITS Risk Management (ITSRM) team is focused on safeguarding the World Bank Group’s information assets. ITSRM delivers comprehensive information security services, including risk management, advisory support, and compliance oversight. The team plays a pivotal role in ensuring the resilience of the Bank’s operations by managing IT service continuity and business continuity, encompassing disaster recovery planning and the implementation of robust resiliency measures.

ITSRM ensures cybersecurity is embedded into the design and implementation of technology solutions (e.g., SWIFT, Quantum, Numerix) across the World Bank Group, in alignment with the Enterprise Security Architecture Reference Model, which is based on leading global standards and frameworks such as the Cloud Security Alliance, ISO and NIST.
ITSRM oversees management of third-party risks, including IT service providers, to maintain a secure and compliant technology environment. The unit provides technical breach assessments and actively supports the Incident Response Team (IRT) during vendor related data incidents, ensuring swift and effective containment and mitigation.
Key responsibilities of ITSRM include leading incident response efforts in collaboration with the Office of Information Security (OIS) and the IRT, which brings together representatives from HR, Corporate Procurement, Corporate Communications, and affected business units. The IRT coordinates mitigation strategies, risk assessments, and communications throughout incident management. ITSRM is also responsible for ongoing risk assessments, monitoring, and reporting on security controls, and advising on best practices and regulatory compliance.

Duties and Responsibilities

The Manager, IT Risk Management, will lead cyber risk governance by driving adoption of an AI-enabled Risk Management Framework that integrates automated dashboards, heatmaps, and quantitative risk scoring. A central responsibility will be developing and maintaining the organization’s “CISO Top 10 Risks,” ensuring these align with the institution’s overall risk appetite and inform decision-making at the highest levels.

The position requires embedding Zero Trust principles across enterprise security architecture, covering identity, endpoint, data, workloads, applications, and networks. The position will ensure that DevSecOps practices, infrastructure-as-code, and security-as-code automation become standard across the enterprise technology landscape, strengthening resilience and operational agility.

The position will modernize the certification, accreditation, and compliance program by shifting toward automated assessments. It will ensure ongoing compliance with key regulatory frameworks including GDPR, DORA, NIS2, SEC cyber rules, EU AI Act and other global requirements, while advancing adoption of software bills of materials (SBOMs) and comprehensive supply chain assurance processes.

The position also carries responsibility for preparing the organization for emerging technology risks. This includes overseeing resilience planning for quantum computing, blockchain, confidential computing, ransomware, and AI-driven threats. The position will establish and enforce responsible AI governance practices rooted in fairness, transparency, and bias mitigation to ensure trustworthy adoption of advanced technologies.

Finally, the position will play a leadership role in shaping workforce culture and advisory functions. This includes building a high-performing, agile cybersecurity workforce aligned with organizational job architecture and transformation strategies, as well as driving executive adoption of cyber playbooks for crisis communication, board-level briefings, and phishing resilience. The position will champion continuous training, maturity assessments, and culture-building efforts to raise cyber resilience across the entire institution.

People Management & Leadership

- Build, mentor, and empower a diverse, high-performing team to deliver program objectives, ensuring clarity of roles, skills development, and alignment with strategic priorities.

- Foster a culture of accountability, collaboration, and continuous learning that enables staff to innovate and deliver impactful outcomes.

- Provide coaching, feedback, and growth opportunities that strengthen both technical and leadership capabilities, preparing staff for future organizational needs.

Within the first year, this leader will deliver the following:

- Enhance Operational Excellence by streamlining OIS review processes using Lean Six Sigma methodologies to eliminate bottlenecks, accelerate decision cycles, and improve control validation outcomes.

- Replace manual risk workflows with automated processes to accelerate incident escalation, risk approvals, and documentation.

- Transform certification and accreditation through AI-enabled digital workflows, automation and continuous automation capabilities – reducing assessment cycle times while increasing accuracy, transparency, and risk responsiveness.

- Deploy an AI-enabled enterprise risk monitoring platform with real-time dashboards, heatmaps, and automated KRIs.

- Establish consolidated Cyber and Technology Risk Register to inform strategic investment decisions.

- Implement a reporting cadence that drives executive awareness, escalates priority risks, and ensures traceability to institutional risk appetite.

- Build a high-performing global risk management team aligned to future-state skills and ITS job architecture.

- Drive a culture of shared accountability for risk through targeted executive engagement, training, and maturity uplift.

Selection Criteria

The selected candidate should be a proven cybersecurity leader with deep technical expertise, strategic vision, and the ability to influence at the executive level. The ideal candidate combines mastery of enterprise security architecture and Zero Trust principles with experience modernizing risk management and compliance processes. They will bring strong regulatory knowledge, a history of preparing organizations for emerging technologies, and leadership skills to build high-performing, agile teams across global operations.

Key Requirements:

* Master’s degree in cybersecurity, information systems, engineering, or business, with 12+ years of progressively responsible IT and information security leadership experience (or bachelor’s degree with 15+ years).

* 10+ years of hands-on cybersecurity architecture and IT risk management experience, preferably in a large financial, governmental, or multinational organization.

* Demonstrated expertise in enterprise security architecture, Zero Trust, cloud security, and IT risk governance, including secure solution design and implementation across global environments.

* Strong knowledge of cloud and cybersecurity frameworks, including NIST 800-53, ISO/IEC 27001, CSA, and ENISA guidelines.

* Experience implementing automated compliance and continuous assurance capabilities, including OSCAL workflows, SBOM-driven supply chain risk management, and digital certification/accreditation processes.

* Knowledge of emerging technologies and associated risks, including AI, blockchain, confidential computing, and quantum resilience.

* Proven leadership in managing cross-functional teams, resource allocation, strategic planning, and vendor or third-party oversight.

* Demonstrated ability to influence executive stakeholders and boards, translate technical risk into business outcomes, and drive enterprise-wide security transformation.

* Strong commitment to fostering a risk-aware culture and promoting inclusive leadership and workforce development.

Certifications

Required:

CISSP, SAFe Agilist

Preferred:

* SABSA Chartered Security Architect

* SAFe Product Manager/Product Owner (POPM)

* SAFe for Architect

WBG Culture Attributes:
1. Sense of urgency: Anticipate and quickly respond to the needs of internal and external stakeholders.
2. Thoughtful risk-taking: Challenge the status quo and push boundaries to achieve greater impact.
3. Empowerment and accountability: Empower yourself and others to act and hold each other accountable for results.

The World Bank Group values diversity and encourages all qualified candidates who are nationals of World Bank Group member countries to apply, regardless of gender, gender identity, religion, race, ethnicity, sexual orientation, or disability.  Sub-Saharan African nationals, Caribbean nationals, and female candidates are strongly encouraged to apply.