Chief Risk Officer and Head of Information Security - Crypto
Location: Luxembourg
About Our Client
Our client is a leading, regulated cryptocurrency exchange operating across Asia, Europe and the United States. The firm is licensed in multiple major jurisdictions and is a financial institution authorised by the Luxembourg Ministry of Finance and regulated by the CSSF in Luxembourg.
As a Luxembourg-based entity registered as a Virtual Asset Service Provider (VASP), the company operates at the forefront of digital asset regulation and innovation. The organisation combines strong governance standards with a dynamic, international culture and a deep commitment to blockchain and digital asset technology.
About the Role
Our client is seeking an Authorised Manager primarily responsible for Risk Management, Internal Control and Information Security. The role is based in Luxembourg and forms part of the firm's senior management.
The Authorised Manager will be accountable for the design, implementation, oversight and effectiveness of the firm's risk management framework, internal control system and ICT / information security governance, in line with MiCA/MiFID requirements and applicable EU regulations, including DORA.
This is a hands-on role with no dedicated Risk or Information Security team. In addition to functional responsibilities, the successful candidate will serve as one of the firm's Authorised Managers, sharing overall managerial responsibility for the entity alongside the other Authorised Manager. The position requires senior management oversight and coordination across all functions, including Risk and Compliance, while fully respecting the functional independence of the Compliance function.
Key Responsibilities
Authorised Manager Responsibilities
Act as Authorised Manager vis-à-vis the CSSF for Risk, Internal Control and Information Security matters
Ensure the sound, prudent and compliant operation of the firm in coordination with the other Authorised Manager(s)
Contribute to defining the firm's strategy and development plan
Represent the firm in internal and external meetings, including with regulators, auditors and other stakeholders
Liaise with regulatory authorities, external auditors, service providers and vendors as required
Coordinate with global group functions to ensure alignment and consistency of approach
Functional Oversight
As one of the Authorised Managers, hold overall senior management responsibility for the firm, with functional oversight of:
Risk Management and Internal Control
Compliance
IT and Information Security
HR and Administration
Ensure these functions operate effectively and in alignment with the firm's governance framework, strategy and regulatory obligations.
With respect to Compliance, provide senior management oversight and coordination while fully respecting its functional and operational independence, and act as a senior management escalation point for the Head of Compliance.
Risk Management & Internal Control
Develop, maintain and enhance the risk management framework, policies and procedures, including:
Risk identification and risk universe
Risk appetite framework
Risk assessment and monitoring
Risk reporting and Key Risk Indicators (KRIs)
Cover the full risk universe, including but not limited to:
Operational risk
ICT and information security risk
Credit risk
Market and FX risk
Liquidity risk
Reputational risk
Identify, assess and monitor material risks and ensure appropriate mitigating controls are in place
Review, document and evaluate the internal control framework, including automated and manual controls
Identify gaps or weaknesses in the risk and control framework and ensure remediation aligned with regulatory expectations and industry standards
Prepare and present risk and internal control reporting to senior management and the Board
Oversee outsourcing and third-party risk, including methodology and ongoing monitoring
Information Security, ICT Risk & DORA
Act as senior accountable person for ICT risk management and information security governance
Define, maintain and review:
Information security policy
ICT-related policies and procedures
Incident management and escalation frameworks
Ensure compliance with DORA and other applicable ICT / information security regulatory requirements
Perform and coordinate ICT and information security risk assessments
Oversee ICT controls across the full system lifecycle
Monitor security vulnerabilities, incidents and emerging threats, ensuring appropriate mitigation
Oversee third-party IT service providers, including SLAs and security requirements
Coordinate ICT-related regulatory reporting and audits in collaboration with Compliance
Qualifications
University degree in risk management, finance, accounting, law, IT or a related field
Professional risk or control qualification (e.g. FRM) or equivalent professional experience is an asset
Required Experience
Minimum 5 years' experience in a senior Risk, Internal Control, Compliance or related function within a regulated financial institution
Strong experience in risk management within a MiCA/MiFID-regulated firm
Solid and practical knowledge of:
Information security and ICT risk
DORA regulatory framework
Good understanding of finance and accounting, including:
Financial statements
Capital and prudential considerations
Financial and operational controls
Experience interacting with regulators, auditors and senior management
Ability to operate effectively in a hands-on role without a dedicated team
Experience in multicultural and international environments
Exposure to digital assets or blockchain is an advantage, though not essential
Key Competencies
Strong judgment and decision-making capability at senior management level
Ability to combine strategic oversight with operational execution
Clear communication and stakeholder management skills
Independence of mind and ability to challenge constructively
High level of integrity and regulatory awareness