Senior Risk Analyst - IT & Cyber Risk Assurance

General Description

The Senior Risk Analyst will play a key role in advancing the second-line IT and Cyber Risk Monitoring and Assurance Program. This position provides independent oversight and effective challenge across technology and cybersecurity risk domains, partnering with first line and control functions to strengthen risk governance, and supports senior management and committees through actionable risk insights, reporting, and regulatory readiness.  

Essential Duties and Responsibilities

IT & Cyber Risk Framework & Governance: 

• Lead the ongoing enhancement and governance of the IT & Cyber Risk and Control Matrix, ensuring alignment with regulatory requirements and industry frameworks such as NIST, COBIT, FFIEC, CCM, PCI, and others.  
• Serve as a trusted second-line advisor to IT and Cybersecurity leadership to ensure risk management practices are implemented consistently across the organization.  
• Prepare, generate, and provide materials (e.g., risk scorecards, dashboards, and metrics) required for various Risk Committees, Senior Management Team and Executives by the required due dates.  
• Independently monitor remediation commitments and provide credible challenge on timeliness, sustainability of remediation, and residual risk calculation and escalate concerns when risks remain outside of the organization’s risk appetite.  

Risk Oversight & Advisory: 

• Perform second-line review and challenge of policies, standards, risk acceptances, risk escalations, and control implementations to ensure alignment with control expectations and the IT & Cyber Risk and Control Matrix.  
• Lead the execution of the IT and Cyber Risk and Control Self-Assessments (RCSAs), including scoping, control evaluation, issue identification, action-plan development, and residual risk assessments.  
• Translate control weaknesses into clear risk statements, validate root cause, and recommend solutions aligned with the organization’s risk appetite.  
• Support regulatory exams and audits by coordinating activities, reviewing evidence packages, ensuring consistent narratives, and tracking commitments and responses through closure.  
• Develop and deliver targeted training for business and technology stakeholders (e.g., RCSA processes, risk acceptance standards, key controls, evidence expectations, etc.).  

Key Risk Indicators (KRIs): 

• Design, enhance, and govern KRIs, including metric definitions, thresholds, data lineage, data quality controls, and exception handling. 
• Perform trends analysis to identify potential issues and perform root cause analysis to provide recommendations to Management on how to better manage their IT & Cyber risk posture.  

Education

Bachelor’s degree in Business Administration, Information Technology, Computer Engineering, Computer Science, Cybersecurity or related field.  
 

Experience

• At least 5 years of working experience in IT controls testing, IT Risk, IT Audit and/or Cybersecurity positions; or in a consulting IT/Cyber role with a broad view of Information Technology or Information Security controls.  
• Demonstrated experience applying IT and cybersecurity frameworks and regulatory expectations (e.g., NIST, COBIT, FFIEC, CRI, CCM, etc.) including Policy and Standards review and control design assessments.  
• Experience with risk governance processes such as RCSAs, Issue Management, Risk Acceptances, and committee/board level reporting.  
• IT or Cyber certifications preferred (e.g. CISA, CISM, CISSP, CGEIT, CRISC) 

Other Qualifications

Values