Open to senior leadership opportunities
Toronto · Open to global relocation

Asif Noor.

Toronto · MMXXVI

Cyber & Technology Risk leadership for globally regulated financial institutions.

Senior Manager at Scotiabank's Global Operational Risk function. Eighteen years building enterprise-wide cyber and IT risk programs across Canada's largest financial institutions.

Trusted advisor to senior technology leadership on second-line operating model design, regulatory strategy, and executive risk reporting — translating technical exposure into decisions the boardroom can act on.

A second-line voice for first-line realities.

Cyber and IT risk leaders rarely fail because of what they don't know. They fail because the second line either over-reaches into operational territory or retreats into compliance theatre — and the boardroom is left to interpret risk through reports it cannot use.

My work sits in that gap. I design 2LoD operating models with a credible mandate, build governance frameworks that engage rather than antagonise the first line, and produce executive risk reporting that moves from technical detail to strategic decision in a single page.

Across Scotiabank, RBC, and CIBC I've led independent challenge on cloud migrations, post-incident reviews, third-party concentration, and global subsidiary oversight — under OSFI, NIST, ISO 27001, and COBIT. The brief is always the same: protect the institution without slowing it down.

Numbers that moved the needle.

100+
Critical vendors analyzed; concentration-risk diversification strategy delivered
200+
EUC spreadsheets migrated to controlled platform under enterprise governance program
70%
Reduction in risk-report distribution time through process automation
50+
High-risk contracts negotiated with embedded security & data-privacy clauses

Eighteen years, three top-tier institutions.

Sep 2021 — Present
Scotiabank

Senior Manager, Cyber & IT Risk
Global Operational Risk

Trusted advisor to senior technology leadership; drives the strategic direction of the enterprise Cyber & IT Risk program across a globally regulated footprint.

  • Strategic Risk Leadership. Drove the strategic overhaul of the Cyber & IT Risk 2LoD Target Operating Model, defining the second-line mandate and engagement model with the first line.
  • Framework Standardization. Developed and standardized the Cyber & IT Risk Framework aligned to NIST, providing credible independent challenge across a diverse global enterprise.
  • Executive Reporting. Designed and implemented the risk-resiliency metrics dashboard for the Risk Committee, providing a consolidated view of enterprise cyber threats and control effectiveness.
  • Adjudicated Exceptions. Challenged high-risk exception requests on cloud migration and infrastructure initiatives, ensuring alignment with enterprise risk appetite.
  • Incident Governance. Led post-incident reviews for major IT and cyber events, quantifying financial impact and advising the remediation steering committee — addressing systemic root causes to reduce recurrence.
  • Global Governance. Unified cybersecurity oversight across international subsidiaries through enhanced engagement models, ensuring a consistent and mature risk posture globally.

Nov 2018 — Aug 2021
RBC

Senior Manager, IT & Operational Risk
ORM, Canadian Banking

Led independent risk oversight for Canadian Banking — a high-revenue business unit — through credible challenge and the design of proactive monitoring frameworks.

  • Third-Party Concentration Risk. Identified and mitigated vendor concentration risk by analysing dependencies across 100+ critical vendors; delivered a diversification strategy that reduced exposure.
  • Risk Advisory. Trusted 1A risk advisor to business units during vendor negotiations, embedding non-negotiable security clauses into 50+ high-risk contracts.
  • Proactive Monitoring. Spearheaded design and implementation of a suite of KRIs and KCIs for core technology platforms — enabling real-time risk visibility and preventing incidents.
  • Operational Excellence. Championed the Enterprise EUC Governance Program, migrating 200+ critical spreadsheets to ClusterSeven, strengthening control visibility and audit readiness.
  • Strategic Advisory. Trusted 2LoD advisor to first-line technology teams; provided independent challenge on RCSAs, scenario analyses, and project execution risks.

Jul 2016 — Oct 2018
RBC

Manager, Business Information
Operational Risk Management

Transformed the operational risk reporting function through automation and enterprise standardization.

  • Process Automation. Automated key risk-assessment processes — achieving a 70% reduction in report-distribution time and freeing team capacity for strategic analysis.
  • Enterprise Standardization. Designed and implemented a standardized Enterprise Risk Assessment template adopted across all business units, enhancing proactive identification of risks in new products and strategic initiatives.

Nov 2010 — Jun 2016
RBC

Business Analyst, Risk Infrastructure & Support
Canadian Banking

Implemented a new enterprise risk management system, improving data accuracy and reporting capabilities — and lifting risk monitoring efficiency by 20%.

May 2008 — May 2009
CIBC

Test Analyst / Business Analyst
Finance & Equities Technology

Documented current- and future-state processes and validated financial calculation models with cross-functional teams.

What I'm known for.

i.

Second-Line Operating Models

Designing the 2LoD mandate, engagement model with the first line, and the governance scaffolding that makes independent challenge credible rather than ceremonial.

2LoD Design · Three Lines · Mandate

ii.

Regulatory Strategy

Translating supervisory expectations — OSFI in Canada, equivalent regimes globally — into operating frameworks, reporting structures, and policy positions that satisfy both regulator and business.

OSFI · NIST CSF · ISO 27001 · COBIT

iii.

Executive Risk Reporting

Building dashboards and Risk Committee materials that consolidate enterprise cyber and technology exposure into views a CRO or Board can decide on — without losing the underlying signal.

Risk Dashboards · Board Reporting · KRIs / KCIs

iv.

Operational Resilience

Embedding resilience thinking into technology programs — from incident governance and post-event reviews through to scenario analysis and recovery planning under heightened regulatory focus.

Resilience · Incident Mgmt · Scenario Analysis

v.

Cloud & Technology Risk

Adjudicating high-risk exceptions on cloud migrations and infrastructure initiatives; advising on cloud-security architecture and data-privacy controls in regulated environments.

Cloud Security · Data Privacy · Architecture Risk

vi.

Global Subsidiary Oversight

Building engagement models that unify cybersecurity oversight across international subsidiaries — a consistent risk posture without flattening local context.

Multi-Jurisdiction · Group Oversight · Governance

Earned, not claimed.

Certifications

  • CISM: Certified Information Security Manager (ISACA)
  • CRISC: Certified in Risk & Information Systems Control (ISACA)
  • CISA: Certified Information Systems Auditor (ISACA)
  • CC: Certified in Cyber Security (ISC²)
  • GCP: Google Cloud Architect (Google)

Education

  • Master of Arts, Linguistics
  • Bachelor of Commerce, Business & Finance

Technical & Tools

  • Analytics: Tableau, Power BI, Power Query
  • Databases: SQL Server, Oracle, Access
  • GRC Platforms: OpenPages, Archer, ServiceNow
  • Workflow: Jira, ClusterSeven, SharePoint 365

Let's talk about the second line you actually need.

I'm currently exploring senior leadership roles — Director and VP-level mandates in Cyber & IT Risk, Operational Risk, and Operational Resilience — across North America, the UK, MENA, and Asia. If your institution is rebuilding its second line, redesigning executive risk reporting, or strengthening multi-jurisdictional oversight, I'd be glad to talk.