Senior Manager, Technology Risk


Retail Credit
Toronto, Ontario
Posted On: July 14, 2026

Why DUCA? 

We’re a vibrant, exciting credit union that lives its "profits with a purpose" philosophy in every financial transaction, product, interest rate, and community initiative we offer. Founded in 1954, DUCA has grown from a single branch credit union in Toronto to 19 branches across Southern Ontario with over 85,000 Members we are proud to serve.  

We exist to help People, Businesses and Communities Do More, Be More, and Achieve More™. 

DUCA (www.duca.com) is distinguished for the following: 

  • Positive, un-big bank like service experience delivered through Member-facing staff in branch, on the phone (Member-Connect) and via our Mobile mortgage specialists, Wealth Management advisors and Commercial and Business Banking Account Managers. 
  • Competitive rates.
  • Personalized financial solutions, guidance, and service with the lowest possible fees for both Personal and Business Members.
  • Profit sharing among Members.
  • Multiple ways to bank—online, mobile app, phone/full-service Member Connect Contact Centre, and, of course, in-branch—DUCA is accessible 24/7 
  • A community philosophy of “profits with a purpose” culminating in the creation of the DUCA Impact Lab (www.ducaimpactlab.com), a charitable foundation committed to helping the credit challenged and underbanked.  This led to DUCA's designation as a B-Corp certified organization, the first ever credit union to receive this global recognition.

A career with DUCA means you’ll find endless opportunities to make a difference with your unique abilities and perspectives. Our people live their purpose while helping others Do more, Be more and Achieve more with their money and their lives.  At DUCA, you’ll be part of a vibrant and collaborative team where you’ll be supported to excel and make an impact, no matter what role you play. 


Senior Manager, Technology Risk

DUCA is looking for a Senior Manager, Technology Risk to join our growing team! 

Job Purpose & Summary

As an integral part of DUCA’s Risk Management team, the Senior Manager, Technology Risk is responsible for supporting the effective management and independent risk oversight of Information Technology (IT), Information Security, Cybersecurity, Operational Resilience, and Emerging Technology risks across the organization. The role provides second line of defense to technology risk management practices, ensuring technology risks are identified, assessed, monitored, mitigated, and reported in accordance with DUCA’s risk appetite, internal policies, and regulatory expectations.

 The Senior Manager, Technology Risk partners closely with Technology, Information Security, business stakeholders, Internal Audit, and regulators to support the management of risks related to cybersecurity, cloud services, operational resilience, AI and emerging technologies, IT operations, third-party technology providers, system availability, change management, technology currency, and data protection.

 This position supports the ongoing enhancement of DUCA’s Technology Risk Management Framework and contributes to compliance with applicable FSRA guidance, cybersecurity expectations, operational resilience requirements, and industry best practices.

Key Accountabilities & Duties

Technology Risk Governance & Oversight

  • Support the development, implementation, maintenance, and continuous enhancement of DUCA’s Technology Risk Management Framework, policies, standards, procedures, methodologies, and reporting processes. Provide independent risk oversight and effective challenge of first-line technology and cybersecurity risk management activities to ensure technology risks are identified, assessed, managed, monitored, and reported within approved risk appetite and regulatory expectations.
  • Partner with Technology, Information Security, Internal Audit, Compliance, and business stakeholders to strengthen governance processes, promote sound risk management practices, and support a strong risk culture across the organization.

 Technology Risk Assessment & Monitoring

  • Provide risk oversight, guidance, and effective challenge of technology and information security risk assessments conducted by Technology, Information Security, and business stakeholders across IT infrastructure, applications, cloud and SaaS environments, cybersecurity controls, AI and emerging technologies, third-party technology providers, operational resilience activities, disaster recovery capabilities, and technology change initiatives to ensure risks are appropriately identified, assessed, and managed.

  • Evaluate risks related to system availability, operational stability, technology currency and end-of-life platforms, cybersecurity threats, data protection, access management, privacy, operational disruptions, and technology transformation initiatives. Assess the design and operating effectiveness of controls, challenge risk mitigation strategies and risk acceptance decisions, and maintain technology risk registers, issues, and remediation plans to support ongoing risk management and reporting.

 Cybersecurity & Operational Resilience Risk Oversight

  • Provide risk oversight and effective challenge of key technology and cybersecurity risk management processes, including IT incident management, cybersecurity incident response, vulnerability management, privileged access management, patch management, IT change management, technology currency management, technical debt management, and risks associated with end-of-support and end-of-life technologies.
  • Assist in the oversight of operational resilience, business continuity, and disaster recovery programs by reviewing resilience assessments, recovery capabilities, technology dependencies, scenario testing results, and remediation activities designed to strengthen the organization’s ability to withstand and recover from disruptive events.

 Third-Party Technology & Cloud Risk Management

  • Review and challenge technology vendor, cloud service provider, and outsourced technology risk assessments, including security reviews, SOC reports, operational resilience capabilities, disaster recovery arrangements, data protection controls, and contractual risk provisions to ensure risks are appropriately identified, assessed, and managed throughout the vendor lifecycle.
  • Partner with vendor relationship managers, Technology teams, and Information Security stakeholders to support the effective management of technology vendor risks and ensure compliance with DUCA’s Vendor Management Framework, Technology Risk Framework, and regulatory expectations

 Regulatory Compliance, Reporting & Stakeholder Management

  • Monitor and report on Key Risk Indicators (KRIs), Key Control Indicators (KCIs), technology incidents, vulnerabilities, outages, emerging risks, and remediation activities.
  • Develop and maintain technology and cybersecurity risk reporting for Senior Management, Executive Leadership, Risk Committees, and the Board highlighting key risk indicators, trends, and their business impact and implications.
  • Support compliance with applicable FSRA guidance, cybersecurity and operational resilience expectations, privacy requirements, internal policies and standards, and recognized industry frameworks such as NIST, ISO 27001, COBIT, CIS Controls, and ITIL.
  • Track and monitor remediation activities related to audit findings, regulatory observations, risk assessments, control deficiencies, cybersecurity reviews, and technology risk issues while maintaining effective working relationships with regulators, auditors, external stakeholders, and business partners.

Occupational Experience & Education Requirements

  • Undergrade degree in Information Technology, Computer Science, Cybersecurity, Business, Finance, Risk Management, or a related discipline.
  • Minimum 5 to 8 years of progressive experience in Technology Risk Management, Information Security, Cybersecurity Risk, Operational Risk, IT Governance, or related disciplines within a financial institution, credit union, banking, insurance, or other regulated environment.
  • Demonstrated experience conducting risk assessments, evaluating control effectiveness, facilitating issue remediation, and preparing risk reporting for senior management and governance committees.
  • Experience working within a Three Lines of Defense governance model and supporting interactions with regulators, auditors, and external assessors.
  • Experience applying regulatory expectations and industry frameworks, including FSRA guidance and regulatory expectations, NIST Cybersecurity Framework, ISO 27001, COBIT, ITIL, CIS Critical Security Controls, Privacy and data protection requirements.

 Knowledge, Skills & Attributes

  • Strong understanding of IT infrastructure, cloud computing, SaaS solutions, cybersecurity controls, IT service management, operational resilience, business continuity, disaster recovery, and technology lifecycle management.
  • Strong analytical, critical thinking, and problem-solving skills with the ability to assess complex technology and cybersecurity risks and translate technical concepts into business impacts.
  • Ability to provide independent challenge and influence stakeholders across Technology, Information Security, and business functions while maintaining collaborative working relationships.
  • Strong understanding of technology risk management, cybersecurity, operational resilience, cloud risk, third-party risk, and governance frameworks.
  • Excellent organizational skills with the ability to manage multiple priorities, projects, deadlines, and competing stakeholder demands within a fast-paced environment.
  • Strong written and verbal communication skills, including experience preparing executive-level reports, committee materials, and presentations.
  • Demonstrated ability to build effective relationships across all levels of the organization and interact professionally with regulators, auditors, vendors, and external stakeholders.
  • Strong attention to detail, professional judgement, governance discipline, and risk awareness.
  • Experience with governance, risk and compliance (GRC) platforms, reporting tools, data analytics, process mapping, and dashboard development considered an asset.

Working Conditions

Normal office environment with the potential for extended hours during significant technology incidents, cybersecurity events, regulatory reviews, audits, project implementations, business continuity exercises, and reporting deadlines.


Department: Retail Credit 

Primary Location: Corporate Office 

Employment Status: Full-Time 

Hours per Week: 38

Salary: The annual salary range for this position is $92,798 to $115,998.  Actual annual base salaries will vary depending on relevant job-related factors such as experience, knowledge, skills, qualifications, and education/training. This position may be eligible for discretionary bonuses.

Number of Existing Vacancies: 1


DUCA is committed to employment equity and encourages applications from all qualified candidates. Recruitment related accommodations will be provided upon request.

Our hiring process includes AI screening for keywords and minimum qualifications. Talent Acquisition Partners review all results.

Qualified applicants are encouraged to submit their application. Applications must include a resume.

We thank all applicants but only those considered for an interview will be contacted.

Skip to the main content