Job Description

Role Summary

The LOD 1 Risk Manager serves as a key pillar within the First Line of Defense (LOD 1) for AirAsia MOVE, ensuring that all business operations, processes, and products adhere to internal policies, regulatory requirements, and industry standards. This role is responsible for the day-to-minute implementation and oversight of compliance controls, the proactive management of operational risks, and the direct support of critical certification programs like PCI DSS. The manager acts as the primary governance link between business execution and enterprise control functions.

Key Responsibilities

First Line of Defense (LOD 1) Governance

• Policy Implementation: Translate enterprise-wide governance and security policies into actionable, day-to-day controls and procedures for AirAsia MOVE business units (e.g., booking, payments, mobile app functions).

• Process Assurance: Perform internal compliance checks and self-assessments to ensure controls are operating effectively before escalation to LOD 2 functions (Risk, Compliance).

• Risk Monitoring: Proactively identify, assess, and monitor operational risks, maintaining a local risk register focused on LOD 1 activities and controls.

• Control Design: Collaborate with product and engineering teams to embed security, compliance, and risk controls directly into new products and feature rollouts (Shift-Left approach).

PCI DSS Certification Support

• Program Management: Act as the internal coordinator for all activities related to maintaining and achieving PCI DSS compliance for AirAsia MOVE’s cardholder data environment (CDE).

• Evidence Collection: Manage the timely collection and review of evidence required for annual PCI DSS audits and quarterly self-assessment questionnaires (SAQs).

• Control Validation: Oversee the validation and testing of PCI DSS security controls, coordinating with IT and Security Operations teams for remediation of gaps.

Business Resilience & Impact Analysis (BIA)

• BIA Coordination: Drive and facilitate the annual Business Impact Analysis (BIA) process across all critical AirAsia MOVE business functions to determine recovery objectives (RTO/RPO).

• Disaster Recovery Support: Work with the Technology team to align disaster recovery and business continuity plans with the outcomes of the BIA.

Compliance & Stakeholder Management

• Regulatory Adherence: Ensure the business remains compliant with relevant local and international regulations pertaining to digital platforms and payments (e.g., PDPA, DGCA, specific central bank requirements).

• Advisory: Advise local leadership and business heads on the implications of new compliance requirements and manage remediation plans.

• Training: Develop and deliver targeted compliance and governance training to LOD 1 personnel.

Reporting

• Provide regular, data-driven reports on the status of LOD 1 controls, compliance posture, and key risk indicators (KRIs) to the AirAsia MOVE leadership and the Enterprise Governance, Risk, and Compliance (GRC) team.

Qualifications

• Degree in Cybersecurity, IT, Business, or a related field.

• 5+ years of experience in GRC, Internal Audit, or Compliance within the FinTech, Aviation, or e-commerce/critical infrastructure sectors.

• Demonstrable expertise and practical experience with PCI DSS standards.

• Solid understanding of Business Continuity Management principles and experience conducting Business Impact Analysis (BIA).

• Knowledge of control frameworks such as ISO 27001 and NIST.

• Relevant professional certifications (e.g., CISA, CRISC, PCI-P/ISA, COBIT) are highly desirable.