Risk Management, Compliance and Information

Background:
The OSCE has a comprehensive approach to security that encompasses politico-military, economic and environmental, and human aspects. It therefore addresses a wide range of security-related concerns, including arms control, confidence
- and security-building measures, human rights, combating human trafficking, national minorities, democratization, policing strategies, counter-terrorism and economic and environmental activities. All 57 participating States enjoy equal status, and decisions are taken by consensus on a politically, but not legally binding basis.

The OSCE Secretariat in Vienna assists the Chairpersonship in its activities, and provides operational and administrative support to the field operations, and, as appropriate, to other institutions.

The OSCE Secretariat’s Department of Management and Finance (DMF) is responsible for managing the material and financial resources of the Organization. The objective of DMF is to provide efficient and effective management of non-staff resources in support of OSCE programmatic activities. It provides policy guidance on the management of OSCE financial and material resources and develops and maintains OSCE Financial Regulations and Rules and Financial Administrative Instructions. DMF consists of Budget and Finance Services, Mission Support Section, Information and Communication Technology Section and the Information Security and Co-ordination Unit.

The Risk Management, Compliance and Information Security (RMCIS) Unit, in the Office of the Director, performs a diverse set of OSCE-wide governance, risk and compliance-related functions related to Second Line of Defence duties. In addition to overseeing the Organization's Risk Management Framework, co-ordinating the Internal Control system, and supporting Information Security, the Unit deals with the Secretariat’s Implementing Partner portfolio, OSCE-wide Data Privacy matters, and advises senior management on a host of related activities.

Tasks and Responsibilities:
The unit plays a Second Line of Defence role under the Three Lines of Defence model. It enables risk owners across OSCE to identify emerging risks in their daily operations, so that they can provide reasonable assurance on their objectives. It does this by providing compliance and oversight in the form of advisory work, frameworks, policies, tools, and techniques to support managers in their handling of their risks and the internal controls in place to manage those risks.

As Risk Management, Compliance and Information Security Officer, you will report to the Chief, Risk Management, Compliance and Information Security.

Functions required from the incumbent of the post are best understood as having two levels of analysis. At the basic level, the unit plays three distinct 2nd-line-of-defence roles: risk management; internal control; and information security. A second, superimposed level of analysis touches upon areas of activity that require playing one or more of the three roles for a given topic, namely: project reviews, including via implementing partners; a variety of internal consultancy work; the interpretation, review and redrafting of policies regulating daily operations across OSCE; and the deployment of digital fluency skills as an enabler and effect-multiplier helping the roles of RMCIS.

More specifically, you will be responsible for the following:

- Risk Management
- OSCE bases itself on ISO31000 standard. The incumbent will have a vertically-integrated approach to risk management, on two levels: at the basic level, handling and interprets risk-related information; providing risk assessments, whether qualitative or quantitative, on a variety of activities; collaborating with risk owners in the identification and assessment of emerging or current risks; preparing and compiling reports, summaries and presentations to communicate findings and providing advice to key stakeholders; collaborating with stakeholders on reporting and evaluation techniques to support the updating of relevant information feeding OSCE’s risk exposure;
- At a higher level, is responsible for (re)designing and implementing risk methodologies that can help with better decision-making and better processes at different levels of the organization.

2. Internal Control
- Oversees the effectiveness of the internal control system and practices, particularly as regards OSCE’s Common Regulatory Management System (CRMS);
- Whereas risk management monitors and assesses current and emerging risks, internal control co-ordinates the monitoring and reporting of risks by assessing the effectiveness of internal controls put in place to bring the risk exposure to within acceptable levels. It does so by assessing, drafting and communicating policies, guidance and advice on internal controls, including the coordination and challenge of mandatory checks and verifications by risk owners;
- Plays a major role in the annual Internal Control Walkthrough exercise, an impo