Tech Risk & Controls Lead - Application Risk Classification (ARC) & Model Development in City of Westminster

Join our team to play a pivotal role in advancing JPMC's technology risk management capabilities. As the Tech Risk & Controls Lead, you will own and continuously enhance the Application Risk Classification (ARC) model, while supporting the development and integration of other risk models and performing thematic analysis. You will drive innovation in risk modelling, ensure operational excellence, and provide actionable insights to senior leadership, helping the firm proactively manage technology and cyber risks in a dynamic environment.

Responsibilities

• Own and Enhance ARC Model: Lead the ownership, maintenance, and continuous improvement of JPMC's Application Risk Classification (ARC) model, ensuring it adapts to evolving threats, technology changes, and regulatory requirements.
• Support Broader Model Development: Collaborate on the development, integration, and prioritization of additional risk models including de-duplication and reconciliation of risk findings from multiple sources.
• Thematic Analysis & Insights: Conduct thematic analysis of risk data to identify trends, vulnerabilities, and areas for improvement. Provide actionable recommendations to inform risk-based decision making.
• Stakeholder Engagement: Partner with engineering, security, business, and data teams to embed risk models into operational and strategic processes. Build trusted relationships to facilitate cross-functional collaboration.
• Reporting & Communication: Communicate risk priorities, model outcomes, and business implications to both technical and non-technical audiences. Translate complex technical risk data into clear, actionable recommendations for senior leadership.

Qualifications

• Proven experience in technology risk management, cyber risk modelling, or information security, with a focus on risk identification, assessment, and mitigation.
• Strong understanding of application risk classification, risk scoring methodologies and prioritization frameworks.
• Advanced data analysis skills; proficiency in SQL, Python, R, or equivalent tools.
• Experience with techniques for de-duplicating and reconciling risk findings from multiple sources (e.g., vulnerability scanners, code reviews, threat intelligence).
• Ability to synthesize complex technical information and present it in a clear, concise manner to senior executives.
• Familiarity with regulatory frameworks (e.g., NIST, ISO 27001, CIS Controls) and financial industry requirements.
• Demonstrated ability to influence strategic decision-making and translate technology insights into business strategies.
• Excellent written and verbal communication skills.
• Proactive in staying updated on cyber threat trends, regulatory changes, and emerging technologies.

Preferred Qualifications

• Industry-recognized certifications such as CISM, CRISC, CISSP, or similar.
• Experience leading risk model development, application risk classification, or data de-duplication initiatives.

J.P. Morgan is a global leader in financial services, providing strategic advice and products to the world's most prominent corporations, governments, wealthy individuals and institutional investors. Our first-class business in a first-class way approach to serving clients drives everything we do. We strive to build trusted, long-term partnerships to help our clients achieve their business objectives. Our professionals in our Corporate Functions cover a diverse range of areas from finance and risk to human resources and marketing. Our corporate teams are an essential part of our company, ensuring that we're setting our businesses, clients, customers and employees up for success.