GRC Analyst

Job Description:

Job Title: GRC Analyst

Function: Governance, Risk and Compliance (GRC)

Education:

Bachelors degree in Information Technology, Information Security, Risk Management, Business Administration, Finance, or a related discipline

Professional certifications are a plus.

Role Overview:

The GRC Analyst is responsible for identifying, assessing, monitoring, and reporting risks associated with thirdparty vendors, service providers, and outsourced relationships. The role ensures thirdparty engagements align with the organizations risk tolerance, regulatory requirements, and internal control standards.

This position plays a critical role in operational resilience, cybersecurity risk management, regulatory compliance, and governance.

Key Responsibilities:

Risk Identification:

• Conduct comprehensive assessments of potential technical risks associated with the organization's systems, infrastructure, and technology projects.
• Have good understanding and working of IT infrastructure systems and devices from a security perspective like server, virtualization, cloud, applications, databases, network switches, router, firewalls, load balancers, etc.
• Stay abreast of industry trends, emerging technologies, and potential vulnerabilities that may impact the organization's technical landscape.

Risk Assessment:

• Evaluate the potential impact and likelihood of identified risks, considering both internal and external factors.
• Work closely with technical teams to assess the security posture of systems and applications through vulnerability assessments and penetration testing.
• Have good understanding of systems and solutions like active directory (AD), email, DNS, DLP, antivirus, EDR, SIEM, etc.
• The ability to articulate the business risks associated with technical vulnerabilities and risks.

ThirdParty Risk Assessment & Monitoring

• Perform endtoend thirdparty risk assessments during onboarding, periodic reviews, and eventdriven triggers
• Assess vendor risks across multiple domains, including:
• Information Security
• Data Privacy
• Business Continuity & Disaster Recovery
• Operational Risk
• Regulatory and Compliance Risk
• Evaluate vendor responses, supporting evidence, and attestations for adequacy and accuracy

Issue Management & Remediation

• Identify control gaps, weaknesses, and risk issues arising from thirdparty assessments
• Work with vendors and internal stakeholders to define remediation plans
• Track remediation actions and validate closure evidence

Risk Reporting & Metrics

• Maintain thirdparty risk registers, risk ratings, and issue logs
• Prepare risk reports, dashboards, and key risk indicators (KRIs) for management
• Support risk committees, governance forums, and senior leadership reporting

Stakeholder & Vendor Engagement

• Partner with procurement, legal, compliance, information security, privacy, and business teams
• Act as a point of contact for thirdparty riskrelated queries
• Support contract reviews by providing risk inputs related to vendor engagements

Regulatory, Audit & Governance Support

• Support internal audits, regulatory examinations, and client due diligence requests related to thirdparty risk
• Ensure alignment with applicable regulations and frameworks (e.g., FedRAMP, RBI, GDPR, ISO, SOC)
• Assist in maintaining thirdparty risk policies, standards, and procedures

Process Improvement & Tooling

• Contribute to improvements in TPRM processes, assessment methodologies, and workflows
• Assist in enhancements or implementations of GRC platforms (e.g., Archer, ServiceNow, MetricStream)
• Support automation and data quality initiatives within the TPRM program.

Required Skills & Competencies:

Risk & Compliance Knowledge

• Strong understanding of thirdparty risk management lifecycle
• Working knowledge of technology, cyber, and operational risk concepts
• Familiarity with regulatory expectations and risk management frameworks

Tools & Technology

• Experience using GRC platforms or vendor risk tools
• Strong proficiency in Excel and reporting tools
• Ability to analyze data and produce clear, actionable insights

Communication & Collaboration

• Strong written and verbal communication skills
• Ability to engage with both technical and nontechnical stakeholders
• Effective time management and prioritization skills.

Preferred Qualifications (Nice to Have)

• Total work experience of 2-5 years in relevant field of work.
• Bachelor's or Master's degree in Computer Science, Information Security, Risk Management, System Resiliency & Availability & Software development practices and frameworks, Products and operations, Access and identity management, application security, assurance programs, or a related field.
• Professional certifications such as (one or more of these):
• CISA, CISM, CISSP, ISO 27001 Lead Implementer/Auditor
• Vendor Risk or Operational Risk certifications
• Experience in Product management, IT service/ software, BFSI, fintech, cloud service environments, or regulated industries
• Exposure to global regulatory environments (FedRamp, GDPR, FFIEC, EBA, OCC, etc.)