Black Hills Corporation IT Risk Manager in Rapid City, South Dakota

Description :

Job Specifications

SALARY RANGE : $87,650 - $121,820

Base salary is determined by the knowledge, skills and abilities of the applicant.

CLOSING DATE : This position will close on August 20, 2018.

LOCATION : Rapid City SD


The IT risk manager is responsible for establishing and maintaining Black Hills Corporation’s overall IT risk management program, which is designed to ensure that the company’s IT systems and information assets are adequately protected. The individual in this position is responsible for identifying, evaluating and reporting on information and IT risks in a manner that meets Black Hills Corporation’s regulatory and other compliance requirements. The IT risk manager works proactively with the various business units and other internal departments and organizations to implement practices that meet Black Hills Corporation’s defined policies and standards for information risk management.

The risk manager is the "process owner" for all of Black Hills Corporation’s IT-related risk assessment and identification activities, for the company's IT systems and information assets and for its IT-dependent strategic business objectives. A crucial element of the IT risk manager's role is working with senior executives, line-of-business managers and other key decision makers to determine acceptable levels of residual risk for the company as a whole and for various internal departments and organizations. The risk manager must possess in-depth knowledge of Black Hills Corporation’s business environment, to ensure that the company's IT systems are appropriately protected and fully functional.

The ideal candidate for this position is a proven thought leader, problem solver and integrator of people and processes, as well as an effective internal consultant. The risk manager must also possess solid domain competencies in a number of IT-risk-related disciplines, including security, business continuity management, privacy and compliance.

Black Hills Corporation’s IT risk management activities have, in the past, focused largely on technical solutions. However, effective risk management requires a more comprehensive and performance-based approach that aligns levels of protection with business needs. For this reason, the IT risk manager must be much more than simply a technology and controls expert; he or she must also possess significant management and communication skills and extensive business knowledge.

REPORTING RELATIONSHIP : Applications, Senior Manager


  • Manage all the risk-related activities of Black Hills Corporation’s IT organization, including budgeting, planning, testing, reporting and recommending appropriate remediation measures.

  • Manage oversight and monitoring of risk mitigation and coordination of policy and controls with the compliance manager and the chief information security officer (CISO), to ensure that other managers are taking effective remediation steps.

  • Benchmark the risk management practices of other companies — particularly those in related industries or with similar business models — maintain an up-to-date understanding of industry best practices, and monitor the legal and regulatory environment for developments that could require changes to Black Hills Corporation’s established IT policies and practices.

  • Create, disseminate and (as required) update documentation of Black Hills Corporation’s matrix of identified IT risks and controls.

  • Work directly with the business units and other internal departments and organizations to facilitate IT risk analysis and risk management processes, identify acceptable levels of residual risk, and establish roles and responsibilities related to information classification and protection.

  • Design and conduct IT risk assessments.

  • Manage the oversight of technical risk assessments, such as vulnerability scanning and penetration testing.

  • Manage information asset and application risk assessments.

  • Conduct risk reviews for new applications.

  • Manage third-party risk assessments.

  • Coordinate information security and risk management projects with personnel from the IT organization, lines of business, and other internal departments and organizations.

  • Facilitate business alignment and communications by forming an IT risk management steering committee or advisory board.

  • Review risk assessments, analyze the effectiveness of Black Hills Corporation’s IT control activities and report on them — with actionable recommendations — to the CIO, the chief compliance officer (CCO), the CISO and IT managers.

  • Follow up on deficiencies identified in monitoring reviews, self-assessments, automated assessments, and internal and external audits to ensure that appropriate remediation measures have been taken.


  • Tracks and reports risk management trends, opportunities and remediation quarterly.

  • Works closely with the CIO and the security, compliance, business continuity management and privacy organizations to develop and implement effective IT risk management practices.

  • Makes recommendations to the CIO, appropriate risk governance committees, line-of-business managers and the board of directors concerning IT-risk-related controls.

  • Serves as the IT organization’s representative on Black Hills Corporation’s companywide risk management committee.

  • Acts as risk management liaison with all levels of the IT organization and with the lines of business and other internal departments and organizations.

  • Supervises direct reports, as well as the IT-risk-management-related activities of indirect reports and others.


  • Maintain strong working relationships with all levels of personnel in the IT department.

  • Maintain strong working relationships with all levels of management in the organization and users within the corporate organization.

  • Maintains and extends networks within, across and external to organizational boundaries.

  • Represents the organization on strategic issues impacting multiple organizations, the community and the professional field.


  • Experience in business/industry (beyond IT), managing cross-functional teams or projects, and influencing senior-level management and key stakeholders.

  • Five to seven years of experience in IT risk management or a related discipline (for example, security, privacy, business continuity management or compliance).


  • Minimum Bachelor of Science required, with a focus on IT or IT-risk-related disciplines (for example, security, privacy, business continuity management and compliance). A business degree is beneficial.


  • Demonstrated knowledge of project management techniques, risk management, corporate financials, and negotiation/facilitation techniques.

  • Basic knowledge of a broad range of standards and frameworks — for example, International Standards Organization (ISO) 27K series, IT Infrastructure Library and ISO 20000, NIST SP 800 Series, NIST Cyber Security Framework, Capability Maturity Model Integration and Six Sigma.

  • Knowledge of common risk management methodologies — for example, Control Objectives for Information and Related Technology and Committee of Sponsoring Organizations Enterprise Risk Management.

  • Excellent oral and written communication skills, including the ability to explain technology solutions in business terms, establish rapport and persuade others.

  • Knowledge of commonly used contract types/terms preferred.

  • Knowledge of the regulated utility business is desired.

  • Familiarity with NERC CIP, WECC, HIPAA, and PCI.

  • Familiarity with Supply Chain Risk Management (SCRM).


  • In-depth understanding of strategic business risks.

  • Ability to develop a comprehensive understanding of Black Hills Corporation’s business, market and industry and relate that knowledge to identified operations- and IT-related risks.

  • Knowledge necessary to propose relevant IT responses to changing business risks and regulatory changes.

  • Proven ability to communicate with people at all levels — from developers to the board of directors.

  • Excellent written and verbal communication skills — including the ability to effectively communicate security- and risk-related concepts to technical and nontechnical audiences — and strong interpersonal and collaborative skills.

  • Strong skills as a negotiator, to facilitate commitment to, and sign-off on, appropriate levels of residual risk from line-of-business managers.

  • High level of personal integrity, with the ability to handle confidential and otherwise sensitive matters professionally and with the appropriate level of judgment and maturity.

  • High degree of initiative, dependability and ability to work with little supervision.


  • One or more of the following preferred: ITIL, CISSP, CISM, CISA

  • One or more of the following desired: CRMA, PMI-RMP, CRISC, CGEIT, GRCP


  • A willingness to travel, including overnight stays.

  • May be responsible for a matrix-oriented project team and the completion of their responsibilities on the project. Team size could be from 1 to 10 members.


  • Applicant must be able to perform the essential job functions of the position with or without accommodation.

The information contained in this position description describes the general nature and level of work being performed in this job. This description is not intended to be an all-inclusive list of responsibilities, duties, and requirements for employees in this position. The incumbent is responsible for performing all duties in a safe and efficient manner in compliance with safe work procedures and safety regulations. This job description is not intended to constitute an offer or contract of employment. Job descriptions may and do change periodically. Where positions are covered by a collective bargaining unit agreement, the terms and conditions of the collective bargaining unit agreement will apply.

We are an EEO Employer