We are looking for a Head of IT Governance and Compliance to join our team.

Head of IT Governance and Compliance: Essential Skill Profile (Client-Centric Focus)

The ideal candidate is a strategic leader who functions as the Chief Risk Bridge, translating complex global financial regulations into an effective, auditable, and resilient operational framework, specifically leveraging our strategic alliance with Microsoft. This role requires an intrinsic understanding of the financial institution's regulatory accountability, ensuring Quipu's services allow our banking clients to operate without negative regulatory implications.

1. Executive Regulatory Mandate & Strategic Outsourcing Oversight

This leader must own the interpretation and implementation of the laws governing our relationships with financial institutions, ensuring Quipu's legal and operational integrity across multiple jurisdictions from the perspective of mitigating the client bank's regulatory risk.

EBA/DORA Strategic Mastery: Proven expertise in establishing and leading compliance with the EBA Guidelines on Outsourcing Arrangements (EBA/GL/2019/02) and serving as the internal subject matter expert on DORA (Digital Operational Resilience Act). This includes defining the strategy for achieving DORA readiness across all five pillars and preparing for potential Critical ICT Third-Party Provider (CTPP) designation, always with the goal of reducing the bank's internal operational and outsourcing compliance burden.

Global Privacy and Financial Crime Compliance: Comprehensive expertise in GDPR and its impact on sensitive financial data processing. Must possess deep knowledge of regulatory expectations regarding AML/KYC data handling and adherence in the EU, understanding how a bank's data classification and regulatory reporting requirements flow down directly to Quipu's systems.

Contractual Risk Leadership: Demonstrated skill in leading the negotiation of compliance addendums, SLAs, and liability clauses with banking clients, ensuring the alignment of Quipu's operational commitments with the client's direct regulatory burdens. Must structure agreements to provide the necessary contractual assurance that allows the bank to meet its regulator's scrutiny.

2. ☁️ Strategic Security Frameworks & Cloud Assurance

This section focuses on the leadership required to implement and certify the security frameworks that validate our operational integrity, with a specific emphasis on the Microsoft cloud environment, ensuring the controls are recognized and trusted by our banking clients' regulators.

ISO/SOC Program Ownership: Executive-level experience in directing the maintenance and continuous improvement of the ISO/IEC 27001 ISMS and managing annual SOC 1 and SOC 2 Type II audit cycles. The focus must be on leveraging these certifications to provide demonstrably reliable assurance that significantly reduces client due diligence burden and audit costs.

Microsoft Cloud Security Specialization: Mandatory deep familiarity with Microsoft Azure's compliance offerings, security best practices, and assurance frameworks. This includes leveraging tools and documentation such as the Microsoft Service Trust Portal and understanding how to map the security controls inherent in Azure and Microsoft 365 to financial sector requirements (EBA, DORA, etc.) to directly facilitate the bank's external cloud usage approval.

NIST/Cloud Security Alliance Governance: Expertise in applying advanced frameworks such as NIST SP 800-53 or the Cloud Security Alliance (CSA) CCM to govern the security architecture of services hosted in the cloud, ensuring controls are robust, scalable, and audit-ready to satisfy the risk appetites of the client banks.

3. Executive Risk Management & Operational Acumen

The candidate will be responsible for defining the risk methodology, ensuring operational processes meet regulatory standards, and providing executive reports to management and the Board, all while maintaining a relentless focus on our clients' operational integrity.

Risk Methodology and Control Mapping (GRC): Ability to establish and govern the methodology for mapping legal and regulatory requirements (EBA, DORA) directly to technical controls within the IT environment and the product development lifecycle (Security and Resilience by Design). This ensures that Quipu's services never become the root cause of a material regulatory breach for a client bank.

Audit and Oversight Leadership: Experience in successfully leading and defending the company during high-stakes client audits and potential regulatory oversight (e.g., CTPP oversight or equivalent national authority reviews). Must be able to synthesize complex information into an executive-level Statement of Applicability (SoA) that proactively addresses the concerns of the client bank's internal audit and supervisory bodies.

Proactive Resilience Strategy: Ownership of the Disaster Recovery (DR) and Business Continuity Management (BCM) strategy, including defining the methodologies for mandatory resilience testing (e.g., DORA's TLPT) and integrating continuous monitoring into operational processes. The strategy must be designed to maintain the client bank's mandatory Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) under all scenarios.

Additional Requirement

Language: Proficiency in English and German is mandatory to effectively manage communication with key clients and local regulatory bodies within the EU.

If you like wild growth and working with happy, enthusiastic over-achievers, you'll enjoy your career with us!