Magnet.me  -  The smart network where students and professionals find their internship or job.


Risk and Compliance Officer

Posted 21 Oct 2025
Work experience: 5 to 7 years
Full-time / part-time: Full-time
Function
Education level
Language requirement: English (Fluent)
Deadline: 20 October 2026


Join Booking.com as a Risk and Compliance Officer

Role Overview

The Risk and Compliance Officer role at Booking.com is focused on leading the identification and reporting of first-line technical risks, including but not limited to IT, cybersecurity, fraud, trust & safety, and any regulatory compliance risks impacting our technology. You will engage with various first-line stakeholders to track and monitor appropriate risk responses and report on our IT controls framework. The IT Risk & Compliance Officer partners with risk owners throughout the Tech business function and other business units to design and maintain governance processes, operating models, and set up GRC tooling that reflects our risk appetite and maintains the quality of our processes.

This role requires working closely with stakeholders from multiple departments, maintaining a strong big-picture focus while being able to zoom in and out of the details to ensure full process understanding. As an individual contributor, you will develop into a subject matter expert, leveraging an understanding of the enterprise risk discipline and combining knowledge of theory and organizational practice or expertise across one or more different disciplines within the security function (e.g., cybersecurity, privacy, fraud, trust & safety, corporate security, business continuity, IT disaster recovery) and industry frameworks such as NIST, PCI-DSS, SOX, and SWIFT CSF. Practical knowledge of IT and cybersecurity controls is required to agree on mitigation plans for technology-related risks across the organization.

Responsibilities and skills required for the IT Risk Officer role in Risk Governance focus on the upkeep of internal controls spanning the technology landscape, aligning with the organization's risk appetite, and ensuring process quality within the Booking.com GRC tool, which is the backbone of our risk management processes and reporting. The IT Risk & Compliance Officer must have solid stakeholder management skills and be comfortable challenging risk owners to develop robust, scalable solutions that mitigate key risks while enabling successful business operations.

Key Job Responsibilities and Duties

  • Assist in developing and leading regular security training/awareness programs to train and educate risk owners and the broader organization on internal controls and security topics.
  • Co-lead/support the processes of maturity assessments (cyber, fraud, trust & safety) and recommendations follow-up.
  • Coordinate the follow-up of audit and internal assessment security issues; monitor and report the status of remediation plans; assess remediation progress and challenge management on the selected approach and prioritization.
  • Co-lead/support the process of updating the SS&F risk register, including the maintenance of the SS&F risk definition.
  • Support the IT policy lifecycle management, including the design, implementation, and adoption of policies, standards, and guidelines in the areas of SS&F.
  • Manage security exceptions to IT policies and standards.
  • Stay flexible to meet dynamic business needs while maintaining robust solutions that strengthen the control environment.

Role Qualifications and Requirements

  • Bachelor’s degree in technology, computer science, or a related field is required.
  • CISA, CISSP, CISM, CEH, CIPP/E, or a related certification.
  • 5-7 years of work experience in business analysis, information security processes, auditing, corporate governance, risk management, internal controls, or security awareness programs.
  • Ability to develop solid relationships with business partners to drive the adoption of a risk management culture.
  • Strong program management and stakeholder engagement skills.
  • Thorough technical understanding of SS&F internal control requirements and design, with experience applying them in various businesses.
  • Able to split large tasks into logical, manageable, and decoupled actions that are managed effectively and delivered on time.
  • Flexible and agile in response to changes in business, stakeholder expectations, and/or the regulatory/operating environment of Booking.com.
  • Good understanding of IT control and cybersecurity frameworks, such as COBIT, ISO 27001, and NIST CSF / SP 800-53.
  • Strong independent contributor, while still being a strong team player.

Total Reward Philosophy:

The benefits and perks offered by the company can be found on the Booking.com careers site.

Pre-Employment Screening

If your application is successful, your personal data may be used for a pre-employment screening check by a third party as permitted by applicable law. Depending on the vacancy and applicable law, a pre-employment screening may include employment history, education, and other information (such as media information) that may be necessary for determining your qualifications and suitability for the position.

Welcome to the world of Booking.com Compass. This is the space and community we have created at Booking.com for all of you who have just started navigating your first career journey.
If you join our unique 15-month Graduate Software Engineering Program or Data Science & Analytics Graduate Program in our Amsterdam office, you’ll be offered a permanent role with a clear pathway to step into the next career level.

ICT
Amsterdam
Active in 70 countries
12,000 employees
60% men - 40% women
Average age 32