Director-Tech Risk & Control (Software Development & Enterprise Architecture)

Location: New York, NY 10285, USA
Published: 6/23/2026
Leadership / Executive Board
Full Time
$144,250 - $256,250 per year

Job Description

At American Express, our culture is built on a 175-year history of innovation, shared values and Leadership Behaviors, and an unwavering commitment to back our customers, communities, and colleagues. From delivering differentiated products to providing world-class customer service, we operate with a strong risk mindset, ensuring we continue to uphold our brand promise of trust, security, and service.

As part of Team Amex, you'll experience this powerful backing with comprehensive support for your holistic well-being and many opportunities to learn new skills, develop as a leader, and grow your career. Here, your voice and ideas matter, your work makes an impact, and together, you will help us define the future of American Express.

Joining ETS Governance & Control means helping protect American Express customers and company through integrated, intelligence-driven technology risk and control management. Operating at the intersection of technology, governance, and risk, the team partners across the enterprise to modernize the foundation, advance risk intelligence, demonstrate trust at scale, and reduce material risk—enabling innovation with the right controls in place.

By building simplified, consistent frameworks and embedding continuous assurance, ETS Governance & Control enhances transparency, accountability, and sustainable risk reduction. The work is about empowering confident decisions, accelerating responsible delivery, and ensuring controls evolve with the business to strengthen trust and reduce enterprise risk at scale.

Role Overview

The Director, Technology Risk and Control (Software Development & Enterprise Architecture) is a senior leader within the Technology Governance & Control organization, accountable for risk advisory, governance, and control oversight across secure software development, engineering practices, enterprise architecture, and emerging technology domains.

This role partners with leaders across Technology, Engineering, Enterprise Architecture, Cybersecurity, Product, and Operational Risk to ensure technology risks are identified, assessed, governed, and mitigated through a robust Risk and Control Self-Assessment (RCSA) framework.

The successful candidate will bring deep expertise in technology risk management, software engineering and enterprise architecture practices, and governance of AI/ML and other emerging technology solutions within large, complex, and highly regulated environments.

Responsibilities

Risk Advisory Leadership

  • Serve as the accountable risk and control lead for software development and enterprise architecture domains.
  • Provide strategic risk advisory and credible challenge to senior technology leaders on risk identification, mitigation, and acceptance decisions.
  • Lead RCSA execution across the domain, including risk identification, control assessment, and residual risk evaluation.
  • Maintain risk profiles, taxonomies, and control inventories that support consistent oversight across engineering and architecture functions.
  • Drive quality and consistency in assessments, issue management, remediation, and reporting across the domain.

Technology Risk Assessment

  • Oversee risk assessments related to software delivery, engineering practices, application architecture, third-party integrations, and platform dependencies.
  • Support assessment of control design and operating effectiveness, and recommend enhancements where needed.
  • Advise leadership on the risk implications of technology strategy, architectural decisions, and transformation programs.

AI and Emerging Technology Risk Advisory

  • Provide risk advisory for AI/ML and emerging technology solutions, including AI use in software development such as code generation, test automation, documentation, and engineering workflow support.
  • Assess risks related to AI-assisted software development, including code quality, insecure code generation, data leakage, prompt and input handling, model provenance, third-party tools, lifecycle governance, explainability, privacy, regulatory compliance, and AI security.
  • Partner with engineering and enterprise architecture teams to embed risk-by-design principles, human review, approval controls, and secure development practices into AI-enabled software delivery processes.
  • Advise on governance frameworks, control standards, and auditability requirements that support the responsible use of AI in software development and broader enterprise adoption at scale.

Governance, Reporting, and Regulatory Engagement

  • Lead the preparation and presentation of risk insights, emerging themes, and recommendations for senior leadership and governance forums.
  • Develop meaningful risk metrics, key risk indicators, and management reporting to support informed decision-making.
  • Support internal audits, regulatory examinations, and external assessments with clear, well-structured risk and control narratives.
  • Ensure alignment with enterprise risk frameworks, policies, standards, and regulatory expectations.

Stakeholder Management

  • Build strong partnerships across Engineering, Architecture, Cybersecurity, Data, Product, Compliance, and Operational Risk.
  • Influence senior leaders and promote risk-informed decision-making across strategic initiatives.
  • Act as a trusted advisor on technology risk, governance, and transformation priorities.

Team Leadership

  • Lead and develop risk professionals supporting technology risk and control activities.
  • Foster a culture of accountability, continuous improvement, and strong risk awareness.
  • Build team capability through coaching, development planning, and succession management.

Qualifications

  • Bachelor’s degree in information technology, information security, risk management, business, or a related discipline, and/or equivalent experience, required.
  • 10+ years of experience in technology risk management, operational risk, IT audit, software engineering, enterprise architecture, cybersecurity, or closely related fields.
  • 5+ years of leadership experience in risk, controls, governance, and technology functions.
  • Demonstrated experience leading RCSA programs and technology risk assessments in large, complex organizations.
  • Strong understanding of software development methodologies, cloud environments, and enterprise architecture practices.
  • Proven ability to influence senior executives and provide effective challenge on strategic technology decisions.
  • Strong analytical and problem-solving skills, with the ability to translate complex technical and regulatory concepts into clear risk insights.
  • Exceptional executive communication, stakeholder management, and presentation skills.

Preferred Qualifications

  • Experience leading technology risk governance across software development, SDLC, engineering, architecture, and emerging technology domains.
  • Experience supporting regulatory examinations and internal or external audits.
  • Professional certifications such as CISA, CISSP, CRISC, CISM, CGEIT, or equivalent.
  • Advanced degree in information security, risk management, business, or a related discipline.
  • IT/IS background – SDLC or Architecture is a plus
