Business Risk Operations Senior Analyst
Lighthouse Credit Union · Dover, NH · 1 mo ago
FinanceFull-time
User Access Review (UAR) Governance
- Administers end-to-end User Access Reviews (UARs) as independent governance control, including scheduling, evidence collection, reconciliation, validation, and documentation.
- Validates user and privileged access against approved roles, entitlements, and least-privilege standards, including review of access provisioned through Microsoft Entra security groups.
- Identifies and documents access exceptions related to provisioning, transfers, terminations, and excessive access; tracks remediation through resolution and maintains audit-ready evidence.
- Ensures UAR artifacts meet regulatory, audit, and internal retention requirements.
GRC Control Administration & Independent Validation
- Maintains control documentation, evidence repositories, and GRC system records to support audits, examinations, and management oversight.
- Performs procedural control validation and limited control testing to confirm execution and evidence sufficiency; does not design controls or perform technical configurations.
- Identifies control execution gaps, documentation deficiencies, and missed timelines; challenges first-line control execution and escalates issues with clear corrective action recommendations.
Vendor Due Diligence & Third-Party Risk Management
- Supports vendor due diligence and Third-Party Risk Management (TPRM) activities, partnering with internal stakeholders to ensure adherence to program requirements and timelines.
- Coordinates vendor onboarding and ongoing due diligence in accordance with internal policy and established standards.
- Performs risk-focused reviews of third-party relationships to support risk tiering and oversight, including the collection and validation of required documentation.
- Reviews due diligence artifacts (e.g., SOC reports, certifications, regulatory attestations) for completeness and follow-up requirements; tracks remediation items through resolution.
- Pairs with vendor owners to obtain updated information and address documentation gaps impacting onboarding, renewals, or compliance deadlines.
- Identifies, documents, and tracks Complementary User Entity Controls (CUECs); monitors implementation status, evidence retention, and remediation progress.
Job Specifications
- Demonstrated working knowledge of User Access Review (UAR) governance, including least privilege principles, role-based access controls, and independent validation of user and privileged access.
- Experience reviewing and validating access-related evidence, including user listings and security group assignments from identity platforms (e.g., Microsoft Entra), to identify exceptions and required follow-up actions.
- Proven ability to administer, validate, and document the execution of GRC control activities with limited supervision, applying sound judgment to identify gaps, inconsistencies, and control execution issues.
- Experience working within GRC and vendor management systems to track activities, maintain evidence, and support audit, compliance, and management oversight processes.
- Strong experience conducting risk-focused contract and NDA reviews, ensuring inclusion of required security, regulatory, and risk provisions prior to execution.
- Working knowledge of business continuity program support, including documentation maintenance, testing coordination, and remediation tracking.
- Experience supporting vendor due diligence and third-party risk management (TPRM) processes, including review of SOC reports, certifications, and attestations for completeness and follow-up actions.
- General familiarity with financial institution regulatory expectations and frameworks (e.g., GLBA, FFIEC, NCUA guidance).
- Experience supporting internal audits, regulatory examinations, or control reviews preferred.