Company Overview
Capco is an entrepreneurial consulting business with expertise in transformation, technology, and strategy. We specialize in banking and payments; capital markets; wealth & investment management; finance, risk & compliance; and technology, serving our clients from offices in leading financial centers across the US, Europe and APAC. We are expanding our business rapidly across Asia (especially Malaysia). You will work on engaging projects with some of the largest banking and insurance clients in the world, projects that will deliver significant transformation and change. We also have exciting growth plans in APAC and some very interesting new service lines opening. Because we are still building the business, now is a good time to join: you can be there at the start, have an impact and play a role in its future success, which means promotion opportunities, better bonus opportunities and faster career progression.
Through our collaborative and efficient approach, we help our clients successfully increase revenue, manage risk and regulatory change, reduce cost and enhance control. We specialize in banking; capital markets; wealth and investment management; finance, risk & compliance; and technology. We serve our clients from offices in leading financial centers across North America, Europe and APAC.
Role Overview
Capco is seeking a Technology Risk & Controls Lead (Assurance Lead) to provide independent, regulator-defensible assurance to financial institutions against Bank Negara Malaysia (BNM) Risk Management in Technology (RMiT) and related regulatory standards.
This role plays a critical assurance and judgement function, acting as an Independent External Service Provider, with end-to-end ownership of assurance conclusions, materiality decisions, and regulatory attestations. You will work closely with client executive management, boards, regulators, and internal delivery teams to ensure technology, cyber, cloud, resilience, and governance controls meet regulatory expectations and industry best practices.
Key Responsibilities
- Independent Assurance Ownership
• Own the end-to-end independent assurance lifecycle for BNM RMiT engagements, from scoping and control interpretation through testing, evaluation, and final attestation.
• Exercise professional judgement on control adequacy, effectiveness, and materiality, ensuring conclusions are evidence-based, proportionate, and regulator-defensible.
• Provide final approval of assurance conclusions, opinions, and attestations, maintaining independence from advisory and implementation activities.
- Regulatory Interpretation & Control Frameworks
• Translate the BNM RMiT Policy (all Parts) into clear, testable control expectations aligned to the bank’s technology, cyber, cloud, resilience, and governance landscape.
• Interpret and apply related regulatory and industry standards, including:
– BNM RMiT
– BNM Outsourcing Policy Document
– Business Continuity Management (BCM) Policy Document
– ISO 27001
– COBIT
– NIST Cybersecurity Framework
– ISAE 3000
• Ensure control expectations are aligned with regulatory intent, industry practice, and proportional risk management.
- Risk, Materiality & Professional Judgement
• Apply risk-based prioritisation to focus assurance efforts on areas of highest regulatory, operational, and systemic risk.
• Make defensible materiality judgements, balancing regulatory expectations, control maturity, and business context.
• Challenge management where necessary while maintaining constructive, professional relationships.
- Executive, Board & Regulator Engagement
• Engage confidently with senior management, Boards, and regulators, articulating assurance scope, findings, and conclusions clearly and credibly.
• Prepare and deliver executive-level assurance reports, summaries, and regulatory submissions.
• Act as a trusted assurance authority, capable of standing behind conclusions in regulatory discussions and reviews.
- Assurance Quality & Ethical Standards
• Uphold strict independence, ethical, and professional assurance standards, consistent with external assurance expectations.
• Ensure assurance work is compliant with ISAE 3000 and internal quality standards.
• Provide oversight and guidance to assurance teams to maintain consistency, quality, and defensibility of outcomes.
Required Experience & Capabilities
• Extensive experience in technology risk, IT audit, or independent assurance within financial services.
• Deep exposure to financial-services regulation, particularly BNM technology, cyber, and resilience requirements.
• Strong capability in regulatory interpretation, control design assessment, and operating effectiveness testing.
• Proven ability to exercise independent judgement and make materiality decisions in complex environments.
• Experience engaging Boards, senior executives, and regulators with credibility and authority.
• Strong written and verbal communication skills, particularly for assurance opinions and executive reporting.
Certifications
• CISA – required
• CRISC and/or CISM – preferred
Why join us?
You will join a company that supports and encourages an entrepreneurial outlook and independent thinking. Capco is not about organizational charts and layers; we operate with little hierarchy because we want all employees to feel that Capco is their firm. We warmly value diversity and inclusion and embrace our collective uniqueness; our culture is a strong, fresh, and invigorating difference from our competitors.