Risk Manager

5-7 Years
  • Posted 15 hours ago

Job Description




Role Summary

The LOD 1 Risk Manager serves as a key pillar within the First Line of Defense (LOD 1) for AirAsia MOVE, ensuring that all business operations, processes, and products adhere to internal policies, regulatory requirements, and industry standards. This role is responsible for the day-to-minute implementation and oversight of compliance controls, the proactive management of operational risks, and the direct support of critical certification programs like PCI DSS. The manager acts as the primary governance link between business execution and enterprise control functions.

Location: Manila, Philippines

Key Responsibilities

First Line of Defense (LOD 1) Governance

  • Policy Implementation: Translate enterprise-wide governance and security policies into actionable, day-to-day controls and procedures for AirAsia MOVE business units (e.g., booking, payments, mobile app functions).

  • Process Assurance: Perform internal compliance checks and self-assessments to ensure controls are operating effectively before escalation to LOD 2 functions (Risk, Compliance).

  • Risk Monitoring: Proactively identify, assess, and monitor operational risks, maintaining a local risk register focused on LOD 1 activities and controls.

  • Control Design: Collaborate with product and engineering teams to embed security, compliance, and risk controls directly into new products and feature rollouts (Shift-Left approach).

PCI DSS Certification Support

  • Program Management: Act as the internal coordinator for all activities related to maintaining and achieving PCI DSS compliance for AirAsia MOVE's cardholder data environment (CDE).

  • Evidence Collection: Manage the timely collection and review of evidence required for annual PCI DSS audits and quarterly self-assessment questionnaires (SAQs).

  • Control Validation: Oversee the validation and testing of PCI DSS security controls, coordinating with IT and Security Operations teams for remediation of gaps.

Business Resilience & Impact Analysis (BIA)

  • BIA Coordination: Drive and facilitate the annual Business Impact Analysis (BIA) process across all critical AirAsia MOVE business functions to determine recovery objectives (RTO/RPO).

  • Disaster Recovery Support: Work with the Technology team to align disaster recovery and business continuity plans with the outcomes of the BIA.

Compliance & Stakeholder Management

  • Regulatory Adherence: Ensure the business remains compliant with relevant local and international regulations pertaining to digital platforms and payments (e.g., PDPA, DGCA, specific central bank requirements).

  • Advisory: Advise local leadership and business heads on the implications of new compliance requirements and manage remediation plans.

  • Training: Develop and deliver targeted compliance and governance training to LOD 1 personnel.

Reporting

  • Provide regular, data-driven reports on the status of LOD 1 controls, compliance posture, and key risk indicators (KRIs) to the AirAsia MOVE leadership and the Enterprise Governance, Risk, and Compliance (GRC) team.

Qualifications

  • Degree in Cybersecurity, IT, Business, or a related field.

  • 5+ years of experience in GRC, Internal Audit, or Compliance within the FinTech, Aviation, or e-commerce/critical infrastructure sectors.

  • Demonstrable expertise and practical experience with PCI DSS standards.

  • Solid understanding of Business Continuity Management principles and experience conducting Business Impact Analysis (BIA).

  • Knowledge of control frameworks such as ISO 27001 and NIST.

  • Relevant professional certifications (e.g., CISA, CRISC, PCI-P/ISA, COBIT) are highly desirable.


We are all different - one talent to another - that is how we rely on our differences. At AirAsia, you will be treated fairly and given all chances to be your best. We are committed to creating a diverse work environment and are proud to be an equal opportunity employer.

Search Firm Representatives - AirAsia does not accept unsolicited assistance from search firms for employment opportunities. All CVs / resumes submitted by search firms to any employee at our company without a valid written search agreement in place will be deemed the sole property of our company. No fee will be paid in the event a candidate is hired by our company as a result of an agency referral where no pre-existing agreement is in place.

About Company

Capital A Berhad, operating as AirAsia, is a Malaysian multinational low-cost airline headquartered near Kuala Lumpur, Malaysia. It is the largest airline in Malaysia by fleet size and destinations. AirAsia operates scheduled domestic and international flights to more than 165 destinations spanning 25 countries.

Job ID: 147337967
