
GRC Analyst – Enterprise & Third Party Risk

Caris Life Sciences
Full-time
Remote friendly (Irving, TX)
United States
IT

Role Summary

Working as part of the Information Security Team, the GRC Analyst – Enterprise & Third Party Risk will support and lead internal risk assessments, exception reviews, and third-party risk management activities. This role plays a critical part in identifying, assessing, and monitoring risks across internal systems and third-party vendors while ensuring that exceptions to policy are appropriately evaluated and documented. The ideal candidate will bring strong analytical capabilities and a proactive approach to governance, risk, and compliance.

Responsibilities

  • Conduct internal risk assessments across business units, systems, applications and processes to identify potential security, operational, and compliance risks.
  • Develop and maintain the internal risk register and facilitate periodic risk reviews with control owners and business stakeholders.
  • Evaluate risk exception requests, perform risk-based analysis, and ensure appropriate documentation, approval, and tracking.
  • Lead and support third-party risk management activities including vendor due diligence, risk assessments, contract reviews, and ongoing monitoring.
  • Partner with procurement, legal, and business stakeholders to embed security and risk requirements into vendor lifecycle processes.
  • Assist in defining and maintaining IT and organizational policies, standards, and procedures related to security, risk, and compliance.
  • Support internal and external audits against regulatory and compliance requirements (e.g., HIPAA, SOX, GDPR) by collecting evidence and addressing audit findings and recommendations.
  • Collaborate with IT and business teams to assess the adequacy and effectiveness of internal controls and drive remediation efforts.
  • Conduct periodic gap assessments and ensure controls are maintained to support ongoing compliance.
  • Stay abreast of changes in regulatory requirements and industry best practices related to risk management, third-party governance, and cybersecurity.

Qualifications

  • Required: Bachelor's degree in Information Security, Risk Management, or a related field; or equivalent work experience.
  • Required: Minimum of 4 years of experience in Information Security Risk Management, Third-Party Risk, or GRC functions.
  • Required: Strong understanding of internal control assessments, exception management, and third-party/vendor risk practices.
  • Required: Familiarity with legal and regulatory compliance requirements such as HIPAA, SOX, and GDPR.
  • Required: Knowledge of security and risk frameworks such as NIST Cybersecurity Framework, ISO 27001, and CIS Controls.
  • Required: Excellent communication skills with the ability to collaborate effectively across technical and non-technical teams.
  • Preferred: Industry certifications such as CISA, CRISC, CISSP are highly desirable.
  • Preferred: Experience using GRC or IRM platforms (e.g., Compyl, AuditBoard, RSA Archer, LogicGate, or similar).
  • Preferred: Experience in healthcare or life sciences industry is a plus.

Education

  • Bachelor's degree in Information Security, Risk Management, or a related field; or equivalent work experience.

Additional Requirements

  • Must possess the ability to sit and/or stand for long periods of time.
  • May be required to lift routine office supplies and use standard office equipment.
  • This position may require periodic travel and availability during evenings, weekends, or holidays depending on business needs.