Job Description
Questrade Financial Group (QFG), through its companies (Questrade, Questbank, Questrade Wealth Management, Community Trust Company, Zolo, and Flexiti), provides securities and foreign currency investment, professionally managed investment portfolios, mortgages, real estate services, financial services and more. We use cutting-edge technology to help Canadians become much more financially successful and secure.
At QFG, we combine human-centric collaboration with AI-driven innovation to redefine financial services. The ideal candidate will be a catalyst for change, using AI to transform and deliver unparalleled customer experiences and shaping a future where AI empowers our teams to do their best work.
Join our diverse, inclusive, and hybrid workplace to unleash your creativity and nurture your curiosity without limits. If you share this sense of infinite possibility, come shape your future at QFG.
What’s in it for you as an employee of QFG?
• Health & wellbeing resources and programs
• Paid vacation, personal, and sick days for work-life balance
• Competitive compensation and benefits packages
• Work-life balance in a hybrid environment with at least 3 days in office
• Career growth and development opportunities
• Opportunities to contribute to community causes
• Work with diverse team members in an inclusive and collaborative environment
This job posting is for an existing vacancy
Reporting to the Director, Operational Risk Management, the Senior Manager, Technology Risk leads the second line of defence (2LOD) oversight of technology, cyber, and data risk across Questbank. The role is responsible for leading the design, implementation, operationalization, and ongoing sustainment of Questbank's Technology and Cyber Risk Management framework, supporting compliance with applicable regulatory requirements (including but not limited to OSFI Guideline B-13 – Technology and Cyber Risk Management and Guideline E-21 – Operational Risk and Resilience) and the Company's approved risk appetite.
The incumbent positions the 2LOD to provide effective, independent review and challenge of the first line's management of technology and cyber risk in Questbank's predominantly outsourced operating model, including emerging domains such as data integrity and the responsible use of artificial intelligence, and acts as the independent risk gatekeeper for new products and material technology change, embedded directly within Questbank's product and platform streams. Combining enterprise-grade framework build with deep technical subject-matter expertise, the role is a critical enabler of Questbank's growth across its product portfolio.
We’re looking for our next Senior Manager, Technology Risk. Could It Be You?
This role is responsible for the independent design, execution, and oversight of 2LOD technology and cyber risk assessments, risk-based control testing, and the validation of IT and cybersecurity controls. The incumbent applies a strong technical background to critically evaluate and challenge the first line's management of technology and cyber risk, including emerging domains such as data integrity and the responsible use of artificial intelligence, and to analyze technology performance, risk metrics, and control effectiveness against established standards, policies, and regulatory requirements (e.g., ISO 27001, NIST CSF, COBIT, and OSFI Guidelines B-13 and E-21). The incumbent produces technology and cyber risk reporting for the Operational Risk Management Committee (ORMC) and supports the Director, Operational Risk in onward reporting to Executive Management, the CRO, and the Board, articulating control deficiencies, residual risk exposures, and recommendations to the first line and to outsourced technology service providers.
• Framework and governance: Operate within and contribute to the continuous improvement of the 2LOD Technology and Cyber Risk Management framework, policy, and standards governing technology, cyber, and data risk.
• Outsourced technology operating model: Apply the 2LOD operating model for technology risk in Questbank's outsourced environment, including the 1LOD/2LOD roles and escalation matrix for technology and cyber events arising from internal teams, the parent company, and other service providers.
• Risk appetite: Propose technology and cyber risk appetite statements and integrate domain-specific KRIs and thresholds into the annual Risk Appetite Statement (RAS).
• Limits and monitoring: Operate limit-breach escalation protocols and continuously monitor technology and cyber risk against KRIs and tolerance levels.
• Oversight and challenge: Provide independent oversight and challenge of 1LOD's management of technology and cyber risk against the 2LOD Technology and Cyber Risk Management framework and recognized industry standards (e.g., ISO 27001, NIST CSF, COBIT), including the design and operating effectiveness of IT and cybersecurity controls, cybersecurity testing results (e.g., vulnerability scans, penetration tests), the residual risk exposure of IT processes and systems, and IT business continuity and disaster recovery arrangements from a risk perspective.
• Risk lifecycle operations: Run the day-to-day technology and cyber risk lifecycle, including risk event intake and triage, RCSAs and risk-based control testing, issue and remediation tracking, and risk acceptances, in line with supporting procedures and standards.
• Embedded initiative oversight: Engage 1LOD early on new products, material change, and strategic initiatives with technology or cyber risk implications; deliver 2LOD review and challenge alongside design and delivery, with formal sign-off through the Initiative Risk Assessment (IRA) process.
• Incident response oversight: Provide risk-based 2LOD oversight of the cybersecurity incident response process and ensure root causes and lessons learned inform controls, the framework, and reporting to internal stakeholders.
• Data integrity and AI governance (2LOD): Provide independent 2LOD oversight of data integrity practices and emerging AI governance across Questbank, including review and challenge of 1LOD controls supporting data quality, lineage, and use, and of the governance, risk, and control practices applied to artificial intelligence systems and models in production.
• Reporting: Produce technology and cyber risk reporting for the ORMC and support the Director, Operational Risk in onward reporting to Executive Management, the CRO, and the Board; escalate material matters to the Director for onward action through the ERMC.
• Regulatory compliance: Support compliance with applicable regulatory requirements, including but not limited to OSFI Guidelines B-13 (Technology and Cyber Risk Management), E-21 (Operational Risk and Resilience), and B-10 (Third-Party Risk Management), and proactively anticipate regulatory change for reflection in the program.
• Integration: Champion the alignment of technology and cyber risk management methodologies and practices with related 2LOD risk-types within the Operational Risk Management function, including operational risk, fraud risk, business continuity management, and third-party risk management; build the cross-functional relationships with product, technology, and business teams, Questrade Financial Group's Enterprise IT & Cyber Governance, Risk & Control function, and external service providers that surface emerging risks, material issues, and risk trends early.
• Culture and training: Elevate the organization's technology and cyber risk capability through risk and security awareness training for 1LOD leaders and the broader business. Promote risk awareness across the organization.
• Automation and analytics: Advance the use of automation and analytics, including automated KRI reporting and dashboards, to scale 2LOD oversight efficiently while remaining a business enabler.
So are YOU our next Senior Manager, Technology Risk Management? You are if you…
• University degree in Computer Science, Information Systems, business, or related discipline, or equivalent directly related experience; advanced education or professional qualification(s) preferred (e.g., CISA, CRISC, CISM, CGEIT, or a recognized risk designation).
• Minimum of 7 to 10 years of specialized technology risk, cyber risk, IT governance, or IT audit experience, including three years across other risk disciplines (e.g., operational, business continuity, third-party).
• Industry experience in financial services / fintech; experience working with regulators is highly valued.
• Experience within a second line of defence risk function, preferably technology and/or cyber risk.
• Comprehensive knowledge of technology and cyber risk management frameworks, tools, and methodologies (e.g., COBIT, NIST CSF, ISO 27001, ITIL, RCSAs, KRIs, control testing, and risk appetite).
• Working knowledge of emerging domains including data governance, data integrity, and AI/ML risk management practices.
• Demonstrated ability to provide effective review and challenge of IT and cybersecurity control design and operating effectiveness, including cybersecurity testing (e.g., vulnerability scans, penetration tests).
• Ability to build customized, right-sized, end-to-end IT governance and risk solutions scaled to complexity and risk levels.
• Strong working knowledge of financial institution regulation (OSFI including Guidelines B-13, E-21, and B-10) and an understanding of banking, mortgage, and investment operations.
• Working knowledge of adjacent risk areas, including operational risk, fraud risk, business continuity, third-party risk, and compliance.
• Proficiency in data analytics and business intelligence tooling (e.g., Tableau or Power BI) and in Google Workspace (Docs, Slides, Forms, and Sheets).
• An entrepreneurial, proactive self-starter who is comfortable operating autonomously, sees the big picture, and does not operate in silos.
• Strong critical thinker able to gather, synthesize, document, and present information to both technical and non-technical audiences in a succinct and organized manner.
• Experience overseeing or governing outsourced technology services is considered an asset.
Additional Information…
• This role requires three days of in-office presence per week for Greater Toronto Area (GTA) residents. For candidates residing outside the GTA, a remote workplace arrangement is available.
Compensation Information:
• Base salary range: $140,000 - $175,000
• The final compensation package will be commensurate with the successful candidate's experience, skills, and geographic location (Canada). It includes a comprehensive benefits plan and a competitive incentive (bonus) program for Full-Time Permanent roles.
At Questrade Financial Group of Companies, with multiple office locations around the world, we are committed to fostering a diverse, inclusive and accessible work environment. This is an environment where individuals are treated with dignity and respect. Here, the unique skills and experience you bring will be valued. You will be supported and motivated, so that you can harness your unlimited potential. Our team reflects the diversity of the communities we serve and operate in. Having a collaborative and diverse team helps us push boundaries to bring the future of fintech into existence—not only for the benefit of our customers, but for those who build their career with us.
The Questrade Financial Group of Companies' Applicant Tracking System uses artificial intelligence (AI) for application screening. The AI system operates on predetermined criteria, with final decisions subject to human review.
Candidates selected for an interview will be contacted directly. If you require accommodation during the recruitment/selection process, please let us know and we will work with you to meet your needs.