Senior Analyst, IT & Cyber Governance, Risk & Control

Questrade Financial Group | Toronto, ON
CA$96,000 - CA$120,000 | Hybrid

About The Position

The Senior Analyst, IT & Cyber GRC is the seasoned generalist and trusted advisor across Questrade Financial Group’s (QFG) IT & Cyber GRC function. Operating with breadth across governance, risk, control, and audit, the Senior Analyst is the day-to-day quality bar for the team — reviewing the work of Analysts, providing technical coaching, and bringing risk and control thinking into cross-functional initiatives early. The role bridges governance, risk and control intent with operational execution by partnering with IT, Cybersecurity, and business teams to ensure that "built-in" security and compliance is practical, proportionate, and audit-defensible. Where deep specialist expertise is required (e.g., framework accountability, novel control architecture, regulatory interpretation), the Senior Analyst escalates to and partners with the Principal and Manager.

Requirements

  • Minimum of 4+ years of experience in IT and Cyber Risk, Audit, and/or GRC specifically within a regulated financial institution.
  • Formal education in Business, Computer Science, Information Systems, or Engineering, or equivalent professional experience.
  • Deep understanding of a broad set of risk methodologies, frameworks, and practices—including NIST CSF, COBIT, ISO standards, CIS, COSO, ITIL, and PCI-DSS.
  • Comprehensive understanding of the Canadian regulatory environment (OSFI) and global assurance frameworks (SOC 1/2).
  • Proven experience in developing, updating, and reviewing high-level Governance documents, including policies, standards, and procedures.
  • Extensive experience performing complex risk assessments and designing robust controls.
  • Proficiency in advanced Prompt Engineering for Generative AI models to accelerate GRC artifacts (e.g., summarizing SOC reports).
  • Strong knowledge of technology platforms, including Operating Systems and Databases.
  • Experience in developing and reporting performance and risk metrics (KPIs, KRIs, SLAs, OKRs) and building high-level dashboards for executive leadership teams.
  • Ability to ensure that metrics provide an accurate reflection of the organization’s risk posture.
  • Holds one or more senior-level industry certifications (e.g., CISA, CRISC, CISM, CGEIT, or CISSP).
  • Experience using compliance automation tools to streamline GRC activities.
  • Natural ability to coach staff and provide "compliant-by-design" guidance early in the project lifecycle.
  • Takes full accountability for initiatives from inception to sustainable closure with a "big-picture" vision.
  • Identifies underlying systemic issues rather than just documenting symptoms.
  • Ability to distill complex technical risks into clear, actionable business narratives for all levels of the organization.

Responsibilities

  • Lead the periodic review and update cycle for Technology and Cyber Governance documents (policies, standards, procedures), ensuring they remain accurate, aligned with legislative changes, and consistent with the relevant frameworks.
  • Support all audit engagements (OSFI, SOC, etc.) and perform quality-control vetting of materials to ensure a successful "audit-ready" posture.
  • Drive initiatives including gap assessments for new and existing policies against evolving industry requirements.
  • Partner with IT & Cyber teams to advise on, review, and validate control designs that manage risk without hindering innovation and velocity; escalate complex or novel control architecture questions to the Principal.
  • Maintain a forward-looking understanding of GRC practices and emerging threats to proactively manage risk. Perform analysis and issue communications to inform of organizational impact.
  • Identify opportunities to streamline processes through innovative solutions and automation logic.
  • Coordinate and facilitate the execution of cybersecurity tabletop and simulation exercises designed by partner teams — managing scheduling, participant readiness, exercise delivery, and post-exercise documentation and remediation tracking.
  • Perform and support comprehensive risk assessments for existing processes and new strategic initiatives to identify systemic vulnerabilities.
  • Perform and support entity-level risk assessments across QFG’s regulated entities — identifying systemic risk exposures specific to each entity, assessing control sufficiency against entity-specific regulatory requirements, and partnering with the Manager and entity leadership on remediation roadmaps.
  • Take ownership of ad-hoc, high-priority activities emerging from a dynamic threat landscape.
  • Provide technical and craft-level coaching to the Business Analyst and Risk & Control Analyst — reviewing work product, modelling professional skepticism, and raising the quality bar of the team through peer review. This is a technical mentorship relationship, not a people-leadership role; formal performance management remains with the Manager.
  • Curate and quality-review IT & Cyber Risk metrics (KRIs/KPIs), ensuring the numbers, narratives, and visualizations that reach executive audiences are accurate, well-contextualized, and actionable.
  • Champion and curate the team’s use of AI and automation — setting practical standards for prompt engineering, output validation, and human review — to keep tooling and AI integrations aligned with GRC objectives.

Benefits

  • Health & wellbeing resources and programs
  • Paid vacation, personal, and sick days for work-life balance
  • Competitive compensation and benefits packages
  • Competitive incentive (bonus) program