Sr. Analyst (Governance, Risk, and Compliance)

Job Summary

The Sr. Analyst, Governance, Risk, and Compliance (GRC) plays an important role in the GRC delivery framework, ensuring Black & Veatch's compliance with contractual and regulatory requirements, assessing control design and operation against common standards and frameworks, and assisting with third-party/supply chain risk management. The candidate will also promote a culture of risk awareness across the enterprise among other responsibilities. With an emphasis on cyber, contract and regulatory compliance risk management, the ideal candidate should be able to contribute to measuring success and identifying improvement opportunities and capabilities development in these areas.

This role is ideal for a detail-oriented professional with a passion for cyber and compliance risk management who is comfortable operating independently and not strictly by run books and procedures. Independent and critical thinking is absolutely necessary to be successful in this role as is a desire to drive efficiencies in function delivery and day-to-day tasks.

Key Responsibilities

Contract Risk Management

• Proven experience assessing client contract provisions related to data security, breach reporting, right to audit, security practice, and certification requirements
• Understanding of cyber resilience requirements across geographies and market sectors and industries

Regulatory Compliance Risk Management

• Request and review documentation and evidence from control owners to certify and validate compliance to regulatory requirements and best practice
• Monitor regulatory and legal landscape at a global scale and maintain awareness of compliance requirements
• Support independent certification and audit by working with D&IT peer groups and lines of business to collect documentation and evidence

IT Governance

• Act as an informed voice in development of policy and ensure alignment with regulatory, legal, and contractual requirements
• Assist establishment and enforcement of standards of practice documentation to be referenced by architecture and operations teams
• Contribute process and subject matter expertise in governance forums and cross-functional committees

Supplier/Third Party Risk Management

• Contribute subject matter expertise through third party risk assessment process
• Identify and communicate risk of vendor engagements and mitigation actions to business owners and D&IT stakeholders
• Assist review of client security requirements in contracts and aggregate relevant clauses to inform contractual risk

Cyber Risk Management

• Support establishment, collection, and ongoing improvement of metrics to measure effectiveness of cyber risk management and provide data-driven insight to decision makers and control owners
• Collaborate with peer D&IT groups to collect KPI's, KRI's and drive efficiency through automation and other means

Miscellaneous:

• Assist development of user training aligned with cyber threat landscape, establish and implement metrics, and propose enhancements
• Support internal audit
• Assist with security certification/attestations/audits to demonstrate control effectiveness to independent service auditors/assessors and C3PAO's
• Assist in development of mitigation plans and monitoring progress of actions.
• Collaborate with members of the GRC team to ensure timely and quality deliverables to internal and external customers
• Contribute subject matter expertise in review and response to internal and external sourced GRC related requests

Management Responsibilities

Preferred Qualifications

• Bachelor's degree in information systems, Information Security, or a related field
• 7-10 years of experience in GRC executing or auditing against standards, frameworks, and industry regulations
• Demonstrated experience supporting GRC functions for US-based global companies
• Strong desire to create task and functional efficiencies through use of technology and tools, especially GenAI
• Proven ability to assess alignment of internal policy, process, control design and operations, and cyber risk management with regulatory standards and frameworks
• Strong collaboration with IT teams
• Familiarity with industry standards and frameworks (e.g., NIST CSF, ISO 27001, AICPA SOC)
• Solid understanding of information security principles and concepts

Preferred Qualifications

• Strong analytical, organizational, and communication skills
• Professional certifications such as CRISC, CISSP or others
• Working knowledge of cyber and privacy laws and regulations
• Experience with GRC platforms and risk management methodologies
• Ability to work independently and collaboratively as required

Minimum Qualifications

Certifications

Work Environment/Physical Demands

Competencies

Salary Plan

Job Grade