Business Risk Operations Senior Analyst
Dover
Saturday, 30 May 2026
The Business Risk Operations Senior Analyst is a senior individual contributor operating within a second-line governance and independent validation function. This role is responsible for administering, validating, and documenting key risk and control activities that support regulatory compliance, audit readiness, and the ongoing maturity of the organization's GRC program. A primary responsibility includes the independent governance and validation of User Access Reviews (UARs), including reconciliation and review of user and privileged access to ensure adherence to least-privilege principles and overall control effectiveness. Under the direction of the VP, Business Risk & Information Security Officer, this role supports oversight activities across vendor due diligence, CUEC management, contract and NDA coordination, business continuity program administration, and documentation governance. The Business Risk Operations Senior Analyst exercises independent judgment to identify and challenge control weaknesses, incomplete evidence, documentation gaps, and missed deadlines. The role partners with stakeholders to coordinate remediation efforts and escalates risks, providing clear and actionable recommendations when appropriate.

ESSENTIAL FUNCTIONS & RESPONSIBILITIES

User Access Review (UAR) Governance
Administers end-to-end User Access Reviews (UARs) as an independent governance control, including scheduling, evidence collection, reconciliation, validation, and documentation.
Validates user and privileged access against approved roles, entitlements, and least-privilege standards, including review of access provisioned through Microsoft Entra security groups.
Identifies and documents access exceptions related to provisioning, transfers, terminations, and excessive access; tracks remediation through resolution and maintains audit-ready evidence.
Ensures UAR artifacts meet regulatory, audit, and internal retention requirements.

GRC Control Administration & Independent Validation
Administers and validates the execution of recurring risk and control activities supporting FFIEC, NCUA, and GLBA compliance requirements.
Maintains control documentation, evidence repositories, and GRC system records to support audits, examinations, and management oversight.
Performs procedural control validation and limited control testing to confirm execution and evidence sufficiency; does not design controls or perform technical configurations.
Identifies control execution gaps, documentation deficiencies, and missed timelines; challenges first-line control execution and escalates issues with clear corrective action recommendations.

Contract, NDA & Lifecycle Tracking
Reviews vendor contracts and NDAs to ensure inclusion of required risk and security provisions (e.g., GLBA, breach notification, audit rights, data protection, and service level agreements).
Partners with vendor owners to remediate contractual gaps and ensure compliance requirements are met. Routes agreements to Legal for review when required.
Tracks contract execution, expiration, and renewal milestones; identifies and escalates issues that may impact compliance or onboarding timelines.
Maintains contract and NDA documentation in alignment with audit and regulatory expectations.

Business Continuity Program Administration
Coordinates business continuity plan updates with business unit owners to ensure alignment with program standards and ongoing accuracy.
Schedules, documents, and tracks business continuity testing activities, including tabletop exercises.
Maintains business continuity documentation, test results, issue tracking, and remediation evidence for audit and regulatory review.

Vendor Due Diligence & Third-Party Risk Management
Supports vendor due diligence and Third-Party Risk Management (TPRM) activities, partnering with internal stakeholders to ensure adherence to program requirements and timelines.
Coordinates vendor onboarding and ongoing due diligence in accordance with internal policy and established standards.
Performs risk-focused reviews of third-party relationships to support risk tiering and oversight, including the collection and validation of required documentation.
Reviews due diligence artifacts (e.g., SOC reports, certifications, regulatory attestations) for completeness and follow-up requirements; tracks remediation items through resolution.
Partners with vendor owners to obtain updated information and address documentation gaps impacting onboarding, renewals, or compliance deadlines.
Identifies, documents, and tracks Complementary User Entity Controls (CUECs); monitors implementation status, evidence retention, and remediation progress.

JOB SPECIFICATIONS
Demonstrated working knowledge of User Access Review (UAR) governance, including least-privilege principles, role-based access controls, and independent validation of user and privileged access.
Experience reviewing and validating access-related evidence, including user listings and security group assignments from identity platforms (e.g., Microsoft Entra), to identify exceptions and required follow-up actions.
Proven ability to administer, validate, and document the execution of GRC control activities with limited supervision, applying sound judgment to identify gaps, inconsistencies, and control execution issues.
Experience working within GRC and vendor management systems to track activities, maintain evidence, and support audit, compliance, and management oversight processes.
Strong experience conducting risk-focused contract and NDA reviews, ensuring inclusion of required security, regulatory, and risk provisions prior to execution.
Working knowledge of business continuity program support, including documentation maintenance, testing coordination, and remediation tracking.
Experience supporting vendor due diligence and third-party risk management (TPRM) processes, including review of SOC reports, certifications, and attestations for completeness and follow-up actions.
Strong organizational, analytical, and time management skills, with the ability to prioritize and manage multiple concurrent deliverables and deadlines.
Ability to identify and challenge incomplete documentation, missed timelines, and control execution issues; escalates concerns with clear, actionable recommendations.
Strong written and verbal communication skills, with a high level of attention to detail.
Self-motivated, detail-oriented, and accountable, with the ability to operate effectively in a fast-paced, control-driven environment.

EDUCATION, TRAINING & EXPERIENCE
Bachelor's degree in Risk Management, Information Systems, or a related field, or equivalent relevant work experience.
4-6 years of experience supporting risk management, GRC, internal controls, information security governance, or compliance programs within a regulated environment.
Demonstrated experience performing or supporting User Access Reviews (UARs), including reconciliation of user and privileged access, review of role-based access, and validation of least-privilege principles.
Experience working with identity or access management data sources (e.g., Microsoft Entra or similar platforms) to support access validation and evidence collection.
Experience administering and maintaining GRC platforms or similar systems used to track controls, evidence, remediation activities, and compliance workflows.
Experience reviewing vendor contracts and NDAs for required risk, security, and compliance provisions and supporting remediation of contractual gaps.
Working knowledge of business continuity program support, including plan maintenance, testing coordination, and documentation tracking.
Experience supporting vendor due diligence and Third-Party Risk Management (TPRM) activities, including review of SOC reports, certifications, and attestations.
General familiarity with financial institution regulatory expectations and frameworks (e.g., GLBA, FFIEC, NCUA guidance).
Experience supporting internal audits, regulatory examinations, or control reviews preferred.