Overview
This role (Analyst Level III/IV) reports into Technology GRC leadership and focuses on Policy Exception Management and Metrics & Monitoring. The GRC Analyst executes defined processes, gathers and validates evidence, and produces recurring metrics and reporting under the guidance of senior team members.
The role works alongside AI agents in a human-in-the-loop model, using AI-assisted workflows to streamline exception intake, evidence collection, and metrics production while reviewing results for accuracy.
Responsibilities
Policy Exception Management
- Operate the policy exception intake process, ensuring exceptions are logged, risk-rated, time-bound, and routed for appropriate approval.
- Track exception status and maintain alignment to approved policies and standards to support regulatory defensibility.
Metrics & Monitoring
- Collect, validate, and produce recurring GRC metrics (KRIs, KCIs, KPIs) and dashboards that provide visibility into risk posture, remediation progress, and compliance health.
- Support trend analysis and prepare inputs for governance and committee reporting.
AI-Augmented Delivery
- Use AI-assisted workflows (human-in-the-loop) to streamline exception processing, evidence collection, and metrics production, reviewing outputs for accuracy.
Evidence Collection & Compliance Support
- Collect and validate control evidence, support audit requests, and help track compliance obligations and remediation tasks across frameworks (SOC 2, PCI DSS, SOX ITGC).
- Maintain accurate documentation in the GRC platform to support audit-ready reporting.
Qualifications
- - Bachelor's degree in Information Technology, Cybersecurity, Risk Management, Business, or a related field, or equivalent experience.
- Minimum 2+ years in GRC, IT audit, compliance, or a related analytical role.
- Working knowledge of policy/exception processes and metrics or reporting production.
- Comfort using AI-assisted tools to support data gathering and documentation, with attention to validating output.
- Familiarity with NIST CSF 2.0, COBIT 2019, and COSO ERM concepts.
- Strong attention to detail, organization, and written communication.
- Progress toward relevant certifications a plus (e.g., CRISC, CISA).
- Exposure to GRC tooling (e.g., ServiceNow IRM, AuditBoard, Vanta, Drata) and evidence collection.
- Foundational knowledge of compliance frameworks (SOC 2, PCI DSS, ISO 27001) and control concepts; CompTIA Security+ or progress toward GRC certifications a plus.
- Preferred experience in the Property Management, Multifamily Housing, SaaS, FinTech, or PropTech industries.
