Information Risk Management Analyst III

The Information Risk Management Analyst III will play a critical role within the second line of defense by leveraging Generative AI (Gen AI) to optimize contract review processes and validate first-line defense activities in vendor risk assessments. This role ensures strong oversight and governance by challenging controls where gaps or deficiencies exist and confirming policy compliance across the Global Wealth and Asset Management (GWAM) segment.

The successful candidate will also support the Control Self-Assessment (CSA) process by validating business-critical operational evidence and contributing to ongoing control evaluations.

Key Responsibilities

- Execute and refine Gen AI prompt-based assessments of vendor contracts, aligning outputs with management evaluations.

- Review and validate controls, identifying gaps in first-line evidence and ensuring compliance with third-party risk policies.

- Verify the consistency and accuracy of Gen AI results against critical policies and standards.

- Develop comprehensive user guides for Gen AI deployment, documenting best practices and usage protocols.

- Support Control Self-Assessment (CSA) processes by reviewing and validating evidence related to critical operations.

- Assist in second-line reviews of third-party onboarding, exit strategies, offboarding transition plans, and long-term vendor relationship monitoring as capacity allows.

- Provide expert oversight and challenge of technology risk controls, ensuring adherence to global and local standards and managing exceptions appropriately.

- Monitor technology risk assessment results, identify risk gaps, track corrective actions, and recommend mitigation strategies.

- Collaborate closely with Business, Central Functions, and global IRM teams to align risk management efforts with organizational goals.

Story Behind the Need

GWAM’s Information Risk Office seeks a Cybersecurity Generalist skilled in multiple facets of Information Risk Management (IRM). This role offers an excellent opportunity to develop deep expertise in Independent Oversight by partnering with diverse business areas to enhance Client cybersecurity posture. The candidate will serve as a domain expert across cybersecurity, technology risk, privacy, third-party risk, and business continuity, applying global risk standards and frameworks to protect organizational assets and operations.

Candidate Requirements / Must-Have Skills

- 5+ years of advanced experience in Information Security, Business Resiliency, Technology Risk, and third‑party/vendor risk management.

- 2+ years of hands‑on experience with Generative AI technologies and their integration into cybersecurity and risk frameworks.

- Deep understanding of IRM best practices across multiple domains, including cybersecurity and technology risk.

- Exceptional communication skills to convey complex technical concepts clearly to non‑technical and executive audiences.

- Strategic thinker with demonstrated ability to navigate complex risk environments and recommend informed risk treatment decisions.

- Significant experience providing Independent Oversight and advisory consulting in risk management for Business and Central Functions.

- Strong knowledge of IT and cybersecurity frameworks such as ISO 27001, NIST CSF, NIST 800 series, COBIT, and ITIL.

Nice‑to‑Have Skills

- Familiarity with cloud platforms, particularly Microsoft Azure.

- Professional certifications such as CISSP, CISA, CISM, or business continuity certifications.

- Experience with security software, IT audit tools, and compliance platforms.

- Knowledge of regulatory environments in U.S., Canada, and Asia.

Education

- Bachelor’s degree in Computer Science, Information Technology, Cybersecurity, Business, or related field required.

#J-18808-Ljbffr