Lead GRC Analyst

AEG Worldwide, Los Angeles, CA

About The Position

The GRC Lead drives the execution and continuous improvement of AEG's Governance, Risk, and Compliance program, with broad ownership across enterprise risk management, third-party risk management, compliance, and information security governance. They will partner with IT, Legal, Privacy, Finance, and business leaders to translate risk into actionable insights, strengthen risk visibility, and improve program effectiveness. The role operates with a high degree of autonomy, leads complex cross-functional initiatives, and is accountable for advancing GRC program maturity and driving timely, measurable outcomes.

Requirements

  • BA/BS Degree (4-year) in Information Security, Computer Science, Business, Risk Management, or related field; or equivalent related work experience
  • 6-8 years of experience in GRC, ERM, or risk/compliance roles
  • Demonstrated ownership of risk programs or major program components (ERM, TPRM, or compliance)
  • Experience working in enterprise environments with cross-functional stakeholders
  • Deep understanding of ERM concepts (risk appetite, inherent/residual risk, KRIs, scenario analysis)
  • Strong experience with regulatory and security frameworks (NIST, ISO 27001, PCI-DSS, SOC, GDPR/CPRA)
  • Ability to operate effectively in ambiguous environments and drive initiatives from concept through execution
  • Ability to translate technical and risk concepts into business decisions
  • Experience building executive-level reporting and dashboards
  • Proficiency with GRC platforms (e.g., Archer, ServiceNow GRC, OneTrust, LogicGate)
  • Strong facilitation, stakeholder management, and influencing skills

Nice To Haves

  • CISSP, CISM, CRISC, or CISA highly preferred
  • ISO 27001 Lead Auditor or equivalent preferred but not required

Responsibilities

  • Own and continuously enhance the enterprise risk management framework, including risk taxonomy, scoring methodology, and governance processes
  • Lead enterprise-wide risk identification and assessment workshops with senior stakeholders across business and technology functions
  • Drive risk quantification and scenario analysis to support risk-informed business decisions
  • Own the enterprise risk register, ensuring accuracy, completeness, and executive-level relevance
  • Identify gaps in current risk processes and implement scalable improvements to advance program maturity
  • Design and deliver executive-level risk reporting, dashboards, and Key Risk Indicators (KRIs) that drive decision-making
  • Lead preparation of materials for Risk Committees and senior leadership forums
  • Establish and enforce governance processes for risk acceptance, escalation, and tracking
  • Ensure audit-ready documentation of risk decisions, control effectiveness, and program outputs
  • Continuously improve reporting quality, automation, and visibility of enterprise risk
  • Lead compliance assessments across frameworks (e.g., NIST CSF, ISO 27001, PCI-DSS, SOC), ensuring alignment with business and regulatory requirements
  • Own coordination of internal and external audits, including stakeholder alignment and evidence management
  • Drive remediation efforts to closure, ensuring accountability and measurable reduction of control gaps
  • Own and continuously improve policy, standards, and procedure frameworks
  • Evaluate control effectiveness and recommend enhancements to strengthen the control environment
  • Own and mature the third-party risk lifecycle, including intake, risk tiering, due diligence, and ongoing monitoring
  • Partner with Legal, Procurement, and business stakeholders to assess vendor risk and define appropriate controls
  • Establish and enforce risk-based due diligence standards and assessment methodologies
  • Track and report on third-party risk posture, including remediation and risk acceptance decisions
  • Identify opportunities to streamline and scale the TPRM process
  • Provide risk advisory for new systems, technologies, and business initiatives, ensuring alignment with security and compliance requirements
  • Drive control design and documentation in partnership with security and engineering teams
  • Ensure governance processes evolve in line with regulatory requirements and business changes
  • Influence stakeholders to adopt risk-informed practices and control improvements
  • Lead cross-functional initiatives to improve risk awareness, engagement, and adoption across the organization
  • Develop and deliver playbooks, training, and guidance to enhance risk literacy
  • Mentor and guide junior team members, fostering capability development and consistency
  • Identify and implement process improvements across the GRC program to increase efficiency and effectiveness
  • Serve as a trusted advisor to stakeholders on risk prioritization and trade-off decisions

Benefits

  • medical, dental and vision insurance
  • paid holidays
  • vacation and sick time
  • company paid basic life insurance
  • voluntary life insurance
  • parental leave
  • 401k Plan (with a current employer match of 3%)
  • flexible spending and health savings account options
  • wellness offerings