DAVID W. GRAHAM, CISA, CFE, ISP, ITCP, LSSGB
E: **********@*****.*** M: 954-***-****
Enterprise Business & Technology Governance, Risk, Controls (GRC), Compliance & Audit Leader
RISK / PROGRAM MANAGEMENT ● STRATEGY ● COMPLIANCE ● CYBERSECURITY ● OPERATIONS ● BIG DATA ● IT AUDIT
SUMMARY:
Twenty plus (20+) years of international Technology and Business Operations Governance, Risk, Compliance (GRC), Information Security, Data Privacy, Third-Party Assessment, Project/Program Management, Process Engineering, Data Analytics and audit experience, primarily in the financial sector, gained through working with firms such as KPMG, Ernst & Young, the former Arthur Andersen, Experis Finance, KForce, Apex Systems, Aston Carter, Protiviti, Wells Fargo, DTCC, and my own independent practice, currently CloudAuditServices.
My previous experience includes serving as Global Head of Audit for EVERISE (formerly C3/Customer Contact Channels Inc.). EVERISE is a privately held global Business Process Outsourcing (BPO) and Contact Center organization with over 10,000 employees and operations in more than ten (10) jurisdictions around the world.
My clients also included many of the world's leading financial firms, such as FIS Global, Citi, RBS, Scotiabank, TD Bank, Deutsche Bank, ING (now Voya), CIBC, Fidelity Investments, Butterfield Bank Bermuda, First Commercial Bank Taiwan, BISCA Miami Agency, Espirito Santo Bank, BankUnited, Old Mutual, Assurant, and Wells Fargo, where I provided IT GRC, IT SOX, Security, and Strategy consulting services.
My work included providing Second- and Third-Line of Defense services relating to many international and national regulations, including FACTA, FINRA, KYC, BSA/AML, OTS/FDIC, GLBA, FDICIA, PCI/DSS, CRA, SOX 404, Regulation SCI (SEC), SOC and BASEL. I also acted as operational liaison to the external auditors PwC and RSM.
SKILLS:
Operations Risk Management Leadership, Audit, Security, Data Privacy, and Compliance experience – 20+ years
Engaging international regulators (Latin America, BERMUDA, Canada, US, Hong Kong, UK) – 20+ years
Strategy Consulting – 10 years
Third Party/Vendor/Supplier and Counterparty Risk Management – 10+ years
Operations Center/Cloud Services, BPO Risk Management – 10+ years
Audit liaison (PwC, RSM, etc.) - 10 years
Frameworks (COBIT, COSO, NIST 800-53, ISO 27001) – 10 to 15 years
Certifications: CISA, CFE, ISP, ITCP, Lean Six Sigma, Project Management – 3 to 15 years
Risk and Data Analytics Tools (ACL, Minitab, TeamMate, R) – 5 to 15 years
Regulation: FFIEC, FACTA, KYC, BSA/AML, OTS/FDIC, GLBA, FDICIA, PCI/DSS, CRA, SOX, and BASEL – 15+ years
Project Management, Business Analysis, Agile, SDLC, and Six Sigma Process Improvement – 5 to 15 years
Banking Processes (Wire Transfer, ATM, Card Services, Cash Management, Asset Management, Trust, Treasury, Credit, Supplier Vendor, Strategy, Infrastructure, and Problem Management) – 15+ years
ERP (SAP, ORACLE, PeopleSoft, BAAN) – 15+ years
Financial Application Systems (CitiRisk, Citi Risk & Controls, SHRP, BIKE, Bankmaster, Alltel, Milvus, Portia, Fiserv CBS, Fiserv Vision, Fiserv Precision, IBS, IMPACS, Kirchman, Jack Henry, ADP, WorkDay, PDMS, BRINQA) – 3 to 15 years
SPECIALTIES:
Expert IT Audit, IT Infrastructure, Applications, Process, Cloud Services, Data Privacy, CoB, Cybersecurity, Fraud Examination, Risk, and Compliance Audit Practitioner
Sarbanes-Oxley 404 (SOX), SAS 70/SSAE 16/18 (Type I & II) – (SOC) Assessment, GLBA, PCI-DSS, Basel II/III Compliance
Trained and certified software engineer
Team Leadership/Supervision, Business Analysis, Project and Program Management
Corporate and Environmental Sustainability Risk Management
Lean Six Sigma Process Improvement Engineer, Big Data Analysis practitioner (Minitab 17 & R)
Financial Institution Operations Risk Management (Risk Modeling and Design Specialist)
Enterprise Vendor/Supplier Risk Management
Financial Institutions, Asset Management, Cash Management, ATM Services, Payment Processing, AML and Fraud Analysis, ACH Operations review, BRD, FRD
Cloud Assessments: AWS
Web Development Exp.: Joomla, PHP, HTML, MySQL, XML, AJAX, Adobe Master Collection CS5
Significant experience with various risk and control methodologies and tools, including MetricStream, COSO, COBIT, ITIL, KPMG-IRM, E&Y GAM, GLBA, Protiviti's SOX Method, ACL, SAS, Visio, PDMS, Jira, Rally and BRINQA
EXPERIENCE:
Cloud Audit Services, LLC, Fort Lauderdale, FL 04/2021 – Present
Founder / Managing Director, Operational Risk Management, Tech & Cyber
Founder of Cloud Audit Services, a tech and cyber risk management, compliance, and audit practice serving national and international clients in diverse sectors.
Clients included Santander Consumer, TekSystems, Protiviti, and Shinhan Bank NY.
Citi, Fort Lauderdale, FL 07/2021 – 06/2024
Senior Vice President, Operational Risk Management, Tech & Cyber
Served as a senior officer in Citi's Institutional Clients Group (ICG, the global investment bank), providing second line of defense tech and cyber-related operational risk management services
Dedicated internal consultant providing cyber-security assessment services as well as information technology incident management services pertaining to financial services processes, infrastructure, and applications, including global payment systems
Responsible for executing Product Risk Assessments to meet regulatory requirements leveraging tools such as CitiRisk, Citi Risk & Controls, SharePoint, etc.
Responsible for leading the development of a data-analytic framework to highlight trends in lower-severity ICG technology-related incidents, so that they could be addressed before recurring at higher severity levels
DTCC - DEPOSITORY TRUST & CLEARING CORPORATION, Tampa, FL 10/2018 - 04/2021
Group Chief Risk Office (GCRO) / Technology Risk Management Consultant (TRM) Contract through US Tech Solutions
Engaged as a Technology Risk Consultant / Cybersecurity Analyst in the TRM division of DTCC, performing Second Line of Defense internal IT Process, Application, and Infrastructure risk assessments in compliance with the requirements applicable to DTC, NSCC, and FICC, which were designated by the Financial Stability Oversight Council (FSOC) as "systemically important financial market utilities" under Title VIII of Dodd-Frank in July 2012.
Functioned as senior policy management analyst overseeing and facilitating the update of all Information Security policy documentation and related control standards
Functioned as Lead Risk Analyst representing DTCC’s Solutions RDS and Solutions Institutional Trade Processing (ITP) Business Units at DTCC with responsibility for overseeing, assessing, and reporting on all technology-related risk assessments
Led the development of documentation to support the GCRO Technology Risk Management (TRM) - Third-Party Risk Assessments, and risk treatment approaches including Risk Remediation, Risk Acceptance, and Policy Deviation. This included core and procedure documentation, and job aids published on DTCC’s PDMS
Performed TRM Policy Deviation and supported Third-Party Risk Assessments services to address DTCC’s Cyber Security risks
Engaged senior TRM, TPRM, ORM leaders and LoB representatives and leveraged tools such as Brinqa, Enterprise Policy Repository, IRQ Library, MS Visio, etc. in executing Third Party Risk Assessments and Policy Deviations
Supported the TRM Third-Party Risk Assessment Leadership in designing metrics, including KPIs, to encourage enforcement of remediation practices and for reporting purposes
Supported TRM leadership in their interaction with external auditors and regulators
Engaged External Audit Consultant (EY) in their preliminary audit of TRM Risk Assessment framework and process in 4th Quarter 2018
Supported the Associate Director of Third-Party Risk Assessments in his initiatives by providing technical advice and guidance relating to Technology Risk Management, and Supplier Risk Management process design
WELLS FARGO, Sunrise, FL 01/2016 - 10/2018
Vice President, Operational Risk Consultant - Enterprise Technology Risk Management (04/2017 - 10/2018)
Led an international, multi-disciplined team composed of Managed Services, Operations, Project Management, Professional Services, Sales, Engineering, Contractors, and uniform team members, planning and implementing projects in a disciplined, strategic manner from conception through life cycle management (SDLC) using IT Governance and Lean Six Sigma Business Process Re-Engineering solutions
Executed Wells Fargo's Enterprise Information Technology (EIT) Risk Assessment program
Led and executed cross-border process risk assessments and related Second Line of Defense technology considerations, including information security and other operational risk team services, in compliance with FFIEC, BASEL, etc.
Supported, trained, and provided leadership and guidance to other risk assessment team members
Engaged senior technology risk leaders and LoB representatives and leveraged tools such as SHRP and BIKE in executing process risk assessments
Led or participated in a number of risk assessment reviews that focused on Technology Strategy Management, Supplier Vendor, Enterprise Infrastructure Management, Knowledge Management, and Problem Management which yielded positive changes across the organization
Operational Risk Consultant, Enterprise Finance & Information Technology - IT SOX Engagement 01/2016 - 12/2016
Engaged as an Operational Risk Consultant 5 at Wells Fargo & Company in Charlotte, North Carolina
Completed multiple divisional and corporate process improvement projects
Provided enterprise Second Line of Defense SOX risk management and compliance consulting services in support of Wells Fargo's Technology, Data, and Operations Risk Management (TDO RM) division. Specific responsibilities included the onboarding of in-scope application systems and their related application and IT general controls, in compliance with SOX and other regulatory requirements
Application onboarding tasks included interacting with global SMEs and other stakeholders to gain an understanding of the process environment specific to the applications, conducting control design assessments, and facilitating the testing of both design and operating effectiveness of net-new controls
Assignment facilitated through Aston Carter/Aerotek
ENERGY TECHNOLOGY RISK ADVISORS, LLC (ETRA LLC), Plantation, FL 09/2010 - 03/2017
Principal, Risk Management Consultant – IT SOX Engagement
ETRA LLC provided Big Data analytics, lean Operational Process Improvement, Business Analysis, Project and Program Management, Security Assurance, Advisory, Audit, and IT Compliance consulting services to corporations, focusing on Enterprise IT, Business Operations, and Sustainability-related projects
Responsible for gathering requirements and acting as the liaison between the IT departments and various cross-functional partners within the organizations.
Responsible for ERM including ensuring vendor management program is in place to address vendor/supplier risk
The projects also included IT Audit, SOX Advisory, PCI & SOX Compliance, SOX Application Onboarding, ACH, GLBA, and Information Security and Privacy Risk Assessments, and Operations Advisory Services leveraging cyber security frameworks such as CoBit and NIST
Clients included:
- RBS-Citizens Bank, First Commercial Bank Taiwan, FNBC Bank
- NextEra Energy - Miami, FL - December 2015 - January 2016: IT SOX Roll Forward Testing Consultant
- EVERISE (formerly C3/Customer Contact Channels) - Plantation, FL - May 2014 to December 2015: General IT Auditor – Security, Risk, and Compliance consultant (See below for details)
EVERISE (formerly C3/CUSTOMER CONTACT CHANNELS), Plantation, FL 05/2014 - 12/2015
General Auditor, Principal IT Security, Risk, Compliance & Data Analytics Consultant (Contract)
C3 is an emerging global leader in outsourced customer management solutions, and cloud service management with over 10,000 employees in more than 10 locations around the world.
Served as Principal IT Security, Risk, Compliance, Audit & Analytics consultant at C3/CustomerContactChannels.
Managed and delivered a broad range of end-to-end process improvement and implementation initiatives using Six Sigma, Lean Sigma and DMAIC methodologies
Working with the CIO and Manager of Compliance, managed technology risks (e.g., SSAE16, PCI-DSS, etc.), strengthening global internal controls, providing data analytics and Six Sigma process improvement services, and functioning as key liaison to external auditor and regulators
Designed a Risk Management Framework for the firm working with clients and other stakeholders, including external auditors to ensure operational and technology risks were addressed
EXPERIS (formerly JEFFERSON WELLS), Ft. Lauderdale, FL 07/2013 - 04/2014
IT Security & Technology Risk and Audit Consultant & Project Manager – IT SOX Engagement (Contract)
Engaged as a consultant with Experis (a Manpower Group company) performing IT and Security Infrastructure risk management, compliance, and audit services
Work included executing IT and Information Security risk assessments, performing general controls reviews and compliance services, developing policy training presentations, and engaging clients in international jurisdictions.
Clients: Fidelity Information Services (FIS) and American Institute of Certified Professional Accountants (AICPA)
Work also included performing reviews of the Profile, Systematics, MISER, IBS, and IMPACS operating environments, and conducting an RSA enVision Security Logging and Monitoring audit at FIS
CITIGROUP, Tampa, FL 01/2012 - 07/2013
Global Project Manager & Lead Business Analyst - OTRM/ESRM (Contract)
Supported Citi's Global Operations & Technology Risk Management (OTRM) organization and the Enterprise Supplier Risk Management group as a Project Manager and Lead Business Analyst. Activities included working with program leaders, stakeholders, Business Supplier Relationship Managers (BSRMs), and internal and external subject matter experts, and coordinating a team of analysts across multiple businesses, functions, and geographies to achieve prescribed objectives on the MetricStream platform. This was a Citi Strategic Enhancement Program (StEP) initiative.
Successfully developed a Risk Management Framework & Pilot Approach to test the framework which focused on Supplier Concentration and Levels of Dependence
Successfully conducted a current state assessment, and pilot execution managing global data
Successfully performed Big Data analysis and developed templates used by team to complete tasks
Successfully presented project deliverables to the program’s Advisory & Design oversight Committee
Successfully participated in StEP Project Coordinator and Project Owner meetings, and prepared and delivered project status updates to senior Citi executives and program leaders
Successfully organized & chaired all core/extended, stakeholder, and project leader team meetings
OCEAN BANK, Miami, FL 04/2008 - 10/2009
AVP, Information Technology Audit Supervisor
Led a team of IT Risk Management professionals in providing Third Line of Defense assurance services over the Bank's IT infrastructure and business systems, including vendor & supplier risk and operational & technology risk
Successfully conducted a post-implementation review of the Bank's conversion from the Fiserv to the Jack Henry banking system and reported to the Bank's management where improvements were necessary
Participated in security investigations involving ATM, BSA, AML/KYC and related matters
ACCUME PARTNERS, Fort Lauderdale, FL 07/2005 - 03/2008
Senior Manager, IT Consulting Services – IT SOX Engagement
Accume Partners is a trusted advisor that serves clients by delivering integrated Risk & Regulatory, Internal Audit, and Cybersecurity & Privacy solutions to help manage uncertainty and drive business value.
Had responsibility for client development, and providing IT Audit, Business Systems and Banking Operations Analysis consulting services to more than one dozen financial services clients in the Southern Florida area.
Collected requirements, documented and analyzed risk management processes for supplier/vendor risk, CoB, operations risk, and IT risks
Led multiple consulting teams of up to six professionals. Specific activities included designing fraud detection systems at a regional banking client in South Florida using SAS and ACL
Work focused on AML/KYC analysis. This also included reviewing and configuring the Bank’s environment to address suspicious activity monitoring and reporting, and customer due diligence/KYC risk-scoring
HEICO AEROSPACE, Fort Lauderdale, FL 05/2005 - 07/2005
Technology Risk/SOX Consultant – IT SOX Engagement (Short term contract with Protiviti)
Worked on a short-term contract basis, assisting RHI / Protiviti’s client (HEICO Aerospace) with their SOX 404 project implementation initiatives
ERNST & YOUNG LLP, Fort Lauderdale, FL 05/2004 - 05/2005
Manager, Technology and Security Risk Service (TSRS) – IT SOX Engagement
Member of the executive team of Ernst & Young, Technology and Security Risk Services group in South Florida
Responsible for leading project teams and performing SOX 404 Advisory and IT Audit Services as well as supporting Business Analysis and Financial Audit engagements by reviewing IT Controls.
Clients were based in multiple states in the continental USA
Clients' IT environments included various applications such as Fiserv, Jack Henry, Digital Insight, Kirchman, Alltel, BankServ, and the ERP systems ORACLE, PeopleSoft, SAP, and BAAN, leveraging ACL and SQL for data analysis
MCARTHUR GRAHAM & ASSOCIATES, Toronto, Canada 08/2002 - 05/2004
President & IT Risk Management Consultant
KPMG LLP, Toronto, Canada 01/2001 - 07/2002
Manager, Information Risk Management
BOARD MEMBERSHIPS AND PROFESSIONAL ACTIVITIES:
Founding Member and Vice President, Bermuda Chapter of ISACA
Professional Certification (CISA) Coordinator, Bermuda Chapter of ISACA
EDUCATION:
STANFORD, Graduate School of Business, Stanford, California, 2008
- Graduate Certificate, Business Strategies for Environmental Sustainability (BSES)
ATHABASCA UNIVERSITY, Center for Innovative Management, Alberta, Canada, 1999
- Advanced Graduate Diploma in Management / Executive MBA program
University of Northampton, Faculty of Business and Law, Northampton, UK 2023/2024
- Executive MBA (Top-up) program
ALGONQUIN COLLEGE, School of Advanced Technology, Ottawa, Canada, 1990
- Business, Software Engineering / Computer Programmer Undergraduate program
MIT - MASSACHUSETTS INSTITUTE OF TECHNOLOGY
- Big Data/AI professional education certificate, MIT & MIT Computer Science & Artificial Intelligence Laboratory (CSAIL), Cambridge, MA, USA, 2015
FLORIDA ATLANTIC UNIVERSITY, Center for Professional Development (PMI), Boca Raton, FL. 2014
- Executive Certificate in Project Management (ECPM)
King’s College London, London, UK
- International Affairs — Cybersecurity and Strategic Studies, Continuing Education Graduate Studies
PROFESSIONAL CERTIFICATIONS, AND MEMBERSHIPS:
Certified Information Systems Auditor – CISA, ISACA
Executive Certificate, Lean Six Sigma Green Belt (CLSSGB), 2014 – Florida Atlantic University
Certified Fraud Examiner (CFE) 1999 – Member, The Association of Certified Fraud Examiners
Certified Information Systems Professional of CANADA (I.S.P.) 1996
Information Technology Certified Professional (ITCP) 2008 – Member, Canadian Info Processing Society, CIPS
PUBLICATIONS - TECHNOLOGY RISK MANAGEMENT RELATED EXTERNAL PUBLICATIONS:
Don't bet the house! My views on Cryptocurrencies and the Blockchain
Intellectual Risk – The new Frontier in Cyber Security Risk Assessment
The "Risk" versus "Audit" perspective concerning Security
How Big Data Analytics will save Consumers