Governance Risk and Compliance Analyst

Threat Intelligence Specialist | Security Analyst | Full Time | Remote | Team 11-50

Location

United States

Posted

11 days ago

Salary

Not specified


Job Description

Overview

The Governance Risk and Compliance Analyst oversees third-party and internal risk assessments to support enterprise information security and governance, risk, and compliance (GRC) initiatives. This position manages vendor due diligence, maintains an accurate risk register, partners with internal stakeholders on mitigation strategies, and drives continuous improvement of the risk and compliance framework.

 

Pay Range: $87,000 - $105,000

 

What We Offer:

  • Tuition Waiver: Enjoy a tuition waiver after 6 months of employment for you AND your immediate family offered at UTI and Concorde campuses
  • Paid Time Off: Competitive paid time off programs for employees (Vacation, Sick, Flexible)
  • Retirement Matching: 50% match on the first 6% of your contributions after 90 days
  • Paid Parental Leave: 4 weeks of paid leave for both birthing and non-birthing parents to bond with a new baby
  • Competitive Insurance: Health, vision, and dental coverage for you and your dependents
  • Pet Insurance: Competitive coverage for your furry family members through ASPCA
  • Health Plan Enrollment: Eligibility starts on the first of the month following completion of one full month of employment

Responsibilities

  • Execute comprehensive risk assessments aligned with the organization’s risk management framework to identify, evaluate, and prioritize potential threats
    • Support the third-party onboarding process by assessing business criticality and evaluating the security posture of prospective vendors and partners
    • Conduct periodic due diligence reviews of existing third-party relationships based on risk tiering, ensuring ongoing compliance and risk mitigation
    • Collaborate with risk owners to develop, implement, and monitor mitigation strategies, while tracking progress and ensuring timely remediation
  • Maintain and continuously update the third-party inventory, ensuring accurate records of vendors, partners, and regulatory entities
  • Contribute to the enhancement of the organization’s risk management and compliance programs by supporting the development and refinement of policies, processes, and controls
    • Stay informed on evolving risk and compliance standards, frameworks, and best practices, and recommend integration of relevant updates into internal processes
    • Manage and maintain the enterprise risk register, ensuring timely updates and tracking of risk review cycles and deadlines
    • Lead risk assessments required as part of regulatory and industry compliance efforts such as PCI DSS and GLBA
  • Assist in the development and reporting of key performance indicators (KPIs) and metrics to measure the effectiveness of GRC initiatives
  • Support risk committee operations by preparing meeting materials, capturing minutes, and coordinating stakeholder updates
  • Evaluate policy exception requests in collaboration with Information Security team members, ensuring appropriate risk considerations are addressed
  • Drive process improvement and innovation by identifying opportunities to streamline workflows and automate manual tasks
  • Provide support across a range of GRC functions including security control testing, audit readiness, documentation of procedures, and compliance assessments
  • Other duties as assigned

Qualifications

Education & Experience

  • HS Diploma or GED (required)
  • Bachelor's degree in Information Security, Computer Science, or another relevant field (preferred)
  • Minimum of four (4) years of experience in governance, risk management, compliance or another relevant field (required)
  • Experience conducting internal and external risk assessments, including those aligned with regulatory requirements such as GLBA and PCI (required)
  • Experience developing and tracking metrics and KPIs to evaluate risk and compliance performance (preferred)
  • Experience using GRC tools to streamline processes and improve efficiency; implementation experience (preferred)
  • Experience using Comply for GRC activities (preferred)

Skills

  • Strong understanding of common security controls and alignment to key regulations and standards such as NIST, FERPA, GLBA, HIPAA, PCI, and SOX (required)
  • Strong understanding of risk management principles and common frameworks
  • Knowledge of cloud-based security tools and controls (e.g. Azure, O365, AWS)
  • Skilled in writing risk statements and maintaining an enterprise risk register
  • Proficiency with NIST frameworks for risk management and controls
  • Familiarity with regulatory and industry audits or assessments, including GLBA, PCI, SOX, and HIPAA
  • Communicate clearly and effectively with peers and stakeholders
  • Demonstrate active listening and empathy in interactions
  • Participate in presentations or facilitate small group discussions
  • Manage multiple tasks in a dynamic environment
  • Make timely decisions that keep the organization moving forward
  • Apply effective and efficient processes with a focus on continuous improvement
  • Build open and comfortable relationships with diverse groups
  • Learn actively from both successes and failures while solving new problems

Abilities

  • Able and willing to:
    • Communicate, think, learn, and reason
    • Use computers and computer systems (including hardware and software) to process transactions, store documents, enter data, or perform assigned tasks
    • Safely ambulate and/or maneuver when on-site at Company locations
    • Demonstrate and utilize active listening, inductive reasoning, information ordering and category flexibility
  • Ability to use good judgment, problem-solving and decision-making skills
  • Ability to maintain confidentiality and manage sensitive information with discretion
  • Ability to work in a fast-paced environment where deadlines are essential and multiple projects are worked simultaneously
  • Ability to gain, understand and apply information and data as it relates to the essential functions of the position
  • Ability to foster long-term relationships with stakeholders

Work Environment

    • Work is performed indoors in a climate-controlled environment when on site at assigned company location. Employees must be able to safely ambulate when on company premises.
    • This position is designated as Remote. Employees must meet minimum technical standards for eligibility and participation.
    • No travel required
