What I Do
Turning regulatory expectations into clear, actionable risk programs that elevate performance.

Risk Governance & OCC Alignment
Built and refined enterprise risk frameworks aligned to OCC guidance: written risk appetite statements, clear roles across the three lines of defense, and board-ready reporting.

Technology & Cyber Risk Management
Led IT risk metrics programs, control automation, and remediation of audit and exam findings spanning cyber, IAM, logging/monitoring, and resiliency.

Operational & SOX Controls
Consolidated first-line-of-defense (FLOD) controls testing, led Commercial Bank SOX 302/404 programs, and drove error rates down by 35–40% while improving audit outcomes.


Case Study 1 – OCC-Aligned Risk Governance Framework
Challenge
The OCC’s heightened expectations for risk governance required our technology and operations groups to demonstrate a written risk appetite, strong three-lines-of-defense execution, and cohesive ERM coverage across seven risk categories (strategic, credit, compliance, operational, reputational, market, and liquidity).
My Role
As Senior Technology Risk Manager, I partnered with Independent Risk, Audit, and Technology leadership to translate OCC guidance and internal frameworks into actionable, first-line processes.
What I Did
- Codified the Risk Appetite in Technology Terms
  Helped map OCC's guidance on risk appetite and ERM into concrete limits and indicators for technology and cyber risk, including outage tolerances, security incident thresholds, and control performance targets.
- Operationalized the Three Lines of Defense
  Clarified FLOD ownership of risks and controls, Independent Risk Management's (IRM) challenge role, and Internal Audit's assurance activities using internal training materials and lifecycle diagrams.
- Aligned to the Enterprise Risk Framework
  Ensured technology risk identification, assessment, monitoring, and reporting followed our enterprise Risk Management Lifecycle: identification, measurement and response, monitoring/testing, and aggregation/reporting.
Results
- Strengthened exam-readiness and board-level confidence in technology risk posture.
- Reduced fragmented risk reporting by aligning all tech risk items to a single risk taxonomy and ERM framework.
- Enabled more consistent OCC exam responses, tying each finding and remediation to clear owners and lifecycle stages.

Case Study 2 – IT Risk Metrics Dashboard Using Deloitte KRI Approach
Challenge
Technology leadership needed a consistent way to see risk across functions, not just by issue count or audit findings. Existing metrics were siloed and not aligned to business objectives.
My Role
I led the IT risk metrics and dashboard initiative, leveraging Deloitte’s framework for defining KRIs and linking them to business goals.
What I Did
- Defined Key Risks and the Risk Universe
  Facilitated workshops with ISRM, technology, and business leaders to define our IT risk universe and map risks to business objectives (security, resiliency, agility, cost, growth).
- Prioritized KRIs
  Selected KRIs based on effectiveness, feasibility of data collection, measurability, and ownership, and set risk thresholds and tolerance levels.
- Piloted and Rolled Out
  Stood up pilot dashboards, validated data sources, refined thresholds, and then rolled out audience-specific dashboards for CIO staff, risk committees, and operations teams.
Results
- Moved leadership conversations from anecdotal to metric-driven, with trending and exception-based reporting.
- Enabled proactive intervention on emerging technology risks using leading indicators instead of only lagging incidents.
- Provided a reusable pattern for other risk domains (third-party, operational, compliance).

Case Study 3 – Commercial Bank SOX & Controls Consolidation
Challenge
The Commercial Bank had fragmented controls testing and inconsistent SOX evidence quality, leading to a higher risk of deficiencies and OCC scrutiny.
My Role
As Horizontal Controls Monitoring and SOX Program Lead, I led a team of control managers and offshore testers responsible for all FLOD controls monitoring for the Commercial Bank.
What I Did
- Consolidated FLOD controls testing into a single operating model, transitioning work to a trained offshore team and creating robust training and governance.
- Standardized control descriptions and evidence templates in line with OCC and audit expectations for preventive/detective controls, ownership, and frequency.
- Led end-to-end SOX 302/404 program execution across 12 business processes, coordinating with EY and internal audit.
Results
- 40% reduction in SOX compliance errors and 100% audit adherence, with improved exam outcomes.
- $3M annual savings through an optimized outsourcing model and performance metrics.

Case Study 4 – Control Automation Program & IT Division Battlecards
Challenge
Manual controls across technology operations created operational risk, higher error rates, and inconsistent monitoring.
My Role
I co-led efforts to design and track a Control Automation Strategy, including automation targets, battlecards, and executive reporting.
What I Did
- Defined automation priority criteria (e.g., repeat ineffective controls, SOX key controls, high residual risk controls, manual destination-state controls).
- Built an automation "battlecard" to track each division's manual, hybrid, and automated controls; progress vs. targets; and obstacles to automation.
- Established monthly Tech REP / Steering Committee reviews to keep senior leadership accountable for commitments and progress.
Results
- Increased the proportion of automated or hybrid controls, improving both effectiveness and efficiency.
- Created transparency and a repeatable playbook for future automation waves.
- Strengthened the OCC exam narrative around continuous improvement of the control environment.