GRC Analyst – Enterprise & Third Party Risk
Caris Life Sciences · Irving, TX · 3 wk ago
Information TechnologyFull-time
Job Responsibilities
- Conduct internal risk assessments across business units, systems, applications and processes to identify potential security, operational, and compliance risks.
- Develop and maintain the internal risk register and facilitate periodic risk reviews with control owners and business stakeholders.
- Create dashboards, reports, and metrics to communicate risk status, trends, and program effectiveness to leadership.
- Evaluate risk exception requests, perform risk-based analysis, and ensure appropriate documentation, approval, and tracking.
- Lead and support third-party risk management activities including vendor due diligence, risk assessments, contract reviews, and ongoing monitoring.
- Partner with procurement, legal, and business stakeholders to embed security and risk requirements into vendor lifecycle processes.
- Afford assistance in defining and maintaining IT and organizational policies, standards, and procedures related to security, risk, and compliance.
- Support internal and external audits (e.g., HIPAA, SOX, GDPR) by collecting evidence and addressing audit findings and recommendations.
- Collaborate with IT and business teams to assess the adequacy and effectiveness of internal controls and drive remediation efforts.
- Conduct periodic gap assessments and ensure controls are maintained to support ongoing compliance.
- Stay abreast of changes in regulatory requirements and industry best practices related to risk management, third-party governance, and cybersecurity.
- Assist with the creation and delivery of security awareness training related to risk, vendor management, and compliance requirements.
- Participate in the development and maintenance of business continuity, disaster recovery, and incident response processes from a risk perspective.
Required Qualifications
- Bachelor’s degree in Information Security, Risk Management, or a related field; or equivalent work experience.
- Minimum of 4 years of experience in Information Security Risk Management, Third-Party Risk, or GRC functions.
- Strong understanding of internal control assessments, exception management, and third-party/vendor risk practices.
- Familiarity with legal and regulatory compliance standards such as HIPAA, SOX, GDPR, etc.
- Knowledge of security and risk frameworks such as NIST Cybersecurity Framework, ISO 27001, and CIS Controls.
- Excellent communication skills with the ability to collaborate effectively across technical and non-technical teams.
- Ability to translate technical risks into business impacts for non-technical audiences.
- Strong analytical and problem-solving abilities with experience interpreting risk data to drive decision-making.
- Demonstrated ability to manage multiple assessments or projects simultaneously in a fast-paced environment.
- Experience writing policies, standards, procedures, or risk documentation.
- Proficiency in Microsoft Excel, PowerPoint, and other data/reporting tools commonly used to support risk analysis and presentations.
- Ability to work independently with minimal supervision while maintaining a high attention to detail.
Preferred Qualifications
- Industry certifications such as CISA, CRISC, CISSP are highly desirable.
- Experience using GRC or IRM platforms (e.g., Compyl, AuditBoard, RSA Archer, LogicGate, or similar).
- Experience with SOC 2, PCI-DSS, HITRUST, or other security compliance frameworks.
- Experience in healthcare or life sciences industry is a plus.
- Background supporting cloud security or assessing cloud service providers (AWS, Azure, GCP).
- Experience conducting business impact analyses (BIA) or participating in business continuity/disaster recovery planning.
- Prior involvement in incident response processes or evaluating post-incident risk implications.
- Strong understanding of contract language related to security, privacy, liability, and service-level obligations.
- Familiarity with quantitative risk analysis methodologies (e.g., FAIR).
- Experience working in organizations undergoing rapid growth, security transformation, or compliance maturity improvements.