GRC Analyst

Austin, TX, United States

Southwest Key Programs

Southwest Key Programs (SWK) is one of the largest, Latino-led nonprofit organizations in the United States.


Job Summary:

The GRC Analyst will manage risks related to the use of Information Technology, Information Security, Privacy, Regulatory Compliance, and Governance, and will be responsible for documenting, maintaining, and reporting on governance, risk, and compliance activities. The GRC Analyst will play a strategic role in overseeing the organization's Third-Party Risk Management (TPRM) program and risk management initiatives. This position is responsible for conducting and managing comprehensive risk assessments, establishing and maintaining risk frameworks, and ensuring that third-party vendors comply with security, legal, and regulatory requirements. The role involves leading cross-functional teams in identifying, assessing, and mitigating risks across business processes, ensuring alignment with industry standards and regulations.

Essential Functions:

  • Assist the AVP of Information Security in developing and implementing an enterprise-wide governance, risk management, and compliance program, aligning it with the agency’s goals and objectives.
  • Establish policies, procedures, and controls to ensure compliance with legal and regulatory requirements, industry standards, and best practices.
  • Conduct regular risk assessments to identify potential vulnerabilities, assess the impact of risks, and develop mitigation strategies.
  • Collaborate with key stakeholders, such as legal, finance, IT, and operations teams, to provide guidance on compliance-related matters and promote a culture of risk awareness and ethical behavior.
  • Stay updated on relevant laws, regulations, industry standards, and emerging governance, risk, and compliance trends, and communicate any changes or updates to the AVP of Information Security.
  • Conduct periodic audits and reviews of internal processes to identify control weaknesses and recommend corrective actions.
  • Coordinate external audits and examinations, ensuring all required documentation and information are readily available.
  • Provide training and education to employees on compliance-related topics, policies, and procedures.
  • Serve as the primary point of contact for external regulatory agencies and auditors, ensuring timely and accurate responses to inquiries and requests for information.
  • Track and report on compliance metrics, issues, and trends to senior management and relevant stakeholders.
  • Foster a culture of ethics, integrity, and accountability within the organization.
  • Identify new or emerging risks and develop mitigation plans.
  • Provide technical leadership and security subject matter expertise across a wide range of technologies and business initiatives.
  • Be a driven, energetic team player with superior oral and written communication skills. Superior customer service and interpersonal skills to relate effectively to employee needs; ability to build working relationships and promote information-sharing. Possess a high degree of originality, creativity, and initiative, requiring minimal supervision.
  • Gather and interpret data to solve problems, and contribute to creating a statement of work (SOW) for data analysis projects.

Qualifications and Requirements:

  • The ideal candidate will possess strong leadership skills and a deep understanding of Governance, Risk, and Compliance (GRC) principles.
  • Oversee Third Party Risk Management (TPRM): Lead the TPRM program by conducting thorough assessments of third-party vendors and service providers, ensuring they meet the organization’s security and compliance standards, and tracking their risk posture over time.
  • Risk Assessment Leadership: Lead and conduct risk assessments (IT, operational, and cybersecurity) to evaluate the effectiveness of risk mitigation strategies and identify potential gaps or vulnerabilities. Ensure risk assessments are in alignment with frameworks such as NIST 800 Series Special Publications, the NIST Cybersecurity Framework, ISO 27001, SOC 2, NIST AI RMF, or other security standards and regulations.
  • Risk Reporting and Dashboards: Develop and maintain risk dashboards and reporting tools that provide real-time insights into the organization's risk exposure, particularly in relation to third-party vendors. Communicate findings and risk metrics to senior leadership, including the AVP of Information Security and other stakeholders.
  • Vendor Risk Management: Perform in-depth reviews of third-party vendor contracts, service level agreements (SLAs), and compliance documentation to ensure risk mitigation strategies are in place, including proper data protection, disaster recovery, and security control measures.
  • Policy and Governance Development: Lead the creation and refinement of policies, procedures, and standards for TPRM and enterprise risk management to ensure they are up to date with industry best practices and regulatory requirements (e.g., SOX, HIPAA, GDPR, CCPA).
  • Regulatory Compliance: Ensure all third-party risk management and enterprise risk management activities comply with applicable regulations and standards, including but not limited to the NIST 800 Series, the NIST AI RMF, ISO 27001, SOX, GDPR, and CCPA.
  • Continuous Improvement: Regularly evaluate the effectiveness of the TPRM and overall risk management programs, identifying areas for improvement and implementing enhancements to keep pace with emerging risks and evolving regulatory landscapes.
  • Training and Awareness: Lead risk awareness and training initiatives across the organization to educate employees about third-party risks, security best practices, and risk mitigation strategies.
  • Strong understanding of third-party risk management and cybersecurity principles, particularly in relation to vendor management and supply chain security.
  • Familiarity with privacy regulations such as GDPR, and with industry-specific regulations.
  • Excellent communication and presentation skills, with the ability to translate technical risks into business terms and present findings to senior leadership.
  • Strong analytical and problem-solving skills, with the ability to assess complex risk scenarios and provide actionable recommendations.
  • Proven experience leading enterprise-wide risk management or TPRM programs.
  • Experience conducting on-site audits or assessments of third-party vendors.
  • Project management experience and strong organizational skills.
  • Bachelor’s degree in Information Security, Risk Management, Business Administration, or a related field.
  • Professional certifications such as CRISC, CISA, CISSP, CISM, or equivalent are highly desirable.

Physical Demands:

Must be able to read, write, and communicate both verbally and in written form to express and exchange ideas. While performing the responsibilities of this job, the employee must be able to access all components of the workstation and other office equipment.

 

Must be prepared for onsite emergency response situations, including on-call, 24-hour response to active shooter situations, protesters, and natural or unforeseen disasters.

 

Frequent typing, writing, bending and twisting. Must be able to lift up to 10 pounds.

Work Environment:

General office environment with moderate noise. This position involves extensive travel. A busy environment with many unscheduled interruptions. Frequent computer use at a workstation for extended periods of time. Public contact position requiring appropriate business apparel.


Region: North America
Country: United States
