GRC Analyst – Enterprise & Third Party Risk

Caris Life Sciences•Royal Oak, MI

About The Position

At Caris, we understand that cancer is an ugly word—a word no one wants to hear, but one that connects us all. That’s why we’re not just transforming cancer care—we’re changing lives. We introduced precision medicine to the world and built an industry around the idea that every patient deserves answers as unique as their DNA. Backed by cutting-edge molecular science and AI, we ask ourselves every day: “What would I do if this patient were my mom?” That question drives everything we do. But our mission doesn’t stop with cancer. We're pushing the frontiers of medicine and leading a revolution in healthcare—driven by innovation, compassion, and purpose. Join us in our mission to improve the human condition across multiple diseases. If you're passionate about meaningful work and want to be part of something bigger than yourself, Caris is where your impact begins. Position Summary Working as part of the Information Security Team, the GRC Analyst – Enterprise & Third Party Risk will support and lead internal risk assessments, exception reviews, and third-party risk management activities. This role plays a critical part in identifying, assessing, and monitoring risks across internal systems and third-party vendors while ensuring that exceptions to policy are appropriately evaluated and documented. The ideal candidate will bring strong analytical capabilities and a proactive approach to governance, risk, and compliance.

Requirements

Bachelor’s degree in Information Security, Risk Management, or a related field; or equivalent work experience.
Minimum of 4 years of experience in Information Security Risk Management, Third-Party Risk, or GRC functions.
Strong understanding of internal control assessments, exception management, and third-party/vendor risk practices.
Familiarity with legal and regulatory compliance standards such as HIPAA, SOX, GDPR, etc.
Knowledge of security and risk frameworks such as NIST Cybersecurity Framework, ISO 27001, and CIS Controls.
Excellent communication skills with the ability to collaborate effectively across technical and non-technical teams.

Nice To Haves

Industry certifications such as CISA, CRISC, CISSP are highly desirable.
Experience using GRC or IRM platforms (e.g., Compyl, AuditBoard, RSA Archer, LogicGate, or similar).
Experience in healthcare or life sciences industry is a plus.

Responsibilities

Conduct internal risk assessments across business units, systems, applications and processes to identify potential security, operational, and compliance risks.
Develop and maintain the internal risk register and facilitate periodic risk reviews with control owners and business stakeholders.
Evaluate risk exception requests, perform risk-based analysis, and ensure appropriate documentation, approval, and tracking.
Lead and support third-party risk management activities including vendor due diligence, risk assessments, contract reviews, and ongoing monitoring.
Partner with procurement, legal, and business stakeholders to embed security and risk requirements into vendor lifecycle processes.
Assist in defining and maintaining IT and organizational policies, standards, and procedures related to security, risk, and compliance.
Support internal and external audits (e.g., HIPAA, SOX, GDPR) by collecting evidence and addressing audit findings and recommendations.
Collaborate with IT and business teams to assess the adequacy and effectiveness of internal controls and drive remediation efforts.
Conduct periodic gap assessments and ensure controls are maintained to support ongoing compliance.
Stay abreast of changes in regulatory requirements and industry best practices related to risk management, third-party governance, and cybersecurity.