CRO - Business Continuity & Resilience Risk Lead
Bloomberg is seeking a seasoned professional to join its second line of defense (2LoD) Risk function, providing independent oversight, challenge, and governance of the firm's Resilience program — encompassing Business Continuity(BC), Disaster Recovery (DR), and Operational Resilience.
The ideal candidate is a technically grounded practitioner who can credibly engage with engineers, infrastructure teams, and product teams — not just assess documentation — and translate technical recovery capabilities into meaningful risk judgments. They bring the seniority to influence senior stakeholders and the hands-on depth to ask the right questions when it matters most. This leader will be expected to work closely with key executives, including the Company’s central Business Continuity Management (BCM) lead, ENG leaders overseeing the Company’s DR program, and the Company’s Operational Resilience leadership team, among others, as a key risk adviser.
Critically, this is someone who operates with a genuine risk-based mindset — prioritizing effort, scrutiny, and escalation in proportion to actual risk exposure rather than applying uniform oversight for its own sake. They are thoughtful and deliberate in how they form views, practical in how they communicate and embed findings, and pragmatic enough to distinguish between issues that matter and noise that doesn't.
Key Responsibilities
Provide robust independent oversight and challenge of Bloomberg's BC, /DR and broader resilience programs and practices operated by the first line of defense. This will include, for example, assessment, oversight, and challenge of the adopted frameworks and strategies for BC, DR, and OpRes.
Assess the technical adequacy of the firm's recovery posture — including disaster recovery architecture, failover mechanisms, data replication strategies, backup integrity, and system recovery tiering — not just the documentation surrounding them.
Evaluate alignment between business continuity plans, disaster recovery capabilities, and impact tolerance thresholds to ensure end-to-end recoverability of critical services under realistic failure scenarios.
Identify gaps, weaknesses, and emerging risks across the resilience framework and escalate findings with clear, evidence-based remediation recommendations.
Own and maintain the 2LoD resilience policy and standards suite, ensuring they reflect both industry best practice and Bloomberg's complex, technology-intensive operating environment.
Drive periodic reviews and updates to frameworks in response to technology change, infrastructure evolution, and lessons learned from incidents and exercises.
Oversee the 2LoD review of resilience testing programs, including business continuity exercises, disaster recovery failover tests, tabletop simulations, and scenario-based resilience stress tests.
Ensure testing scenarios are technically realistic, covering cyber incidents (including ransomware and destructive attacks), infrastructure failures, data corruption events, third-party outages, and geographic disruptions.
Verify that lessons learned from tests and live incidents result in tangible improvements to resilience capabilities.
Evaluate third-party and vendor disaster recovery capabilities where they underpin critical Bloomberg services, with particular attention to concentration risk and recovery interdependencies.
Report on the firm's recovery posture against defined impact tolerances, flagging where resilience capability gaps could prevent the firm from remaining within tolerance during a severe but plausible disruption.
Contribute to operational risk appetite frameworks as they relate to resilience and recoverability risks.
Build trusted relationships with the 1LoD resilience teams, Technology Infrastructure, Site Reliability Engineering, Cyber/Information Security, Third Party Risk, and business leadership.
Serve as a technically credible challenge partner to Engineering and Product teams on resilience architecture decisions — able to engage substantively on design trade-offs, not just governance process.
Promote a culture where resilience is understood as an interconnected, technically grounded discipline rather than a siloed compliance activity.
Required Qualifications
10+ years of experience spanning BC/DR and enterprise resilience, with deep hands-on technical grounding in at least one associated disciplines.
Strong command of disaster recovery concepts including RTO/RPO design and validation, recovery tiering, active/passive and active/active failover architectures, data replication technologies, backup and restoration methodologies, and dependency mapping.
Experience assessing or governing disaster recovery capabilities in complex, technology-intensive environments — including on-premise data centers, hybrid infrastructure, and cloud-native or multi-cloud architectures.
Proven 2LoD experience with demonstrated ability to provide credible independent oversight and challenge, including the technical depth to go beyond policy review and assess actual capability.
Experience engaging constructively with engineering, SRE, and infrastructure teams
Strong analytical and communication skills; able to translate highly technical findings into risk-based narratives for senior and Board-level audiences.
Preferred Qualifications
Professional certifications such as CBCP, MBCI, CRISC, AWS/Azure/GCP certifications, or equivalent technical credentials in infrastructure, cloud, or IT risk.
Experience assessing cyber-informed disaster recovery strategies, including ransomware recovery planning, immutable backup architectures, and clean-room recovery environments.
Exposure to financial market infrastructure, data platforms, or real-time systems where recovery time requirements are exceptionally tight and data integrity is paramount.
Experience evaluating third-party and vendor disaster recovery capabilities, including due diligence on critical technology suppliers.