This description is a summary of our understanding of the job description. Click on 'Apply' button to find out more.

Role Description

As a Security Risk Analyst II, you will be responsible for supporting the organization’s Governance, Risk & Compliance program with a primary focus on conducting and managing risk assessments within ServiceNow Integrated Risk Management (IRM). This role plays a key part in evaluating security and compliance risks across business units, ensuring alignment with frameworks such as ISO 27001, PCI, NYDFS, and regulatory requirements. The analyst will collaborate with technical and business stakeholders to assess risks, identify control gaps, track remediation, and support continuous improvement of the risk management lifecycle.

What you’ll do

• Risk Assessment & Analysis
  • Perform comprehensive security and compliance risk assessments using ServiceNow IRM Risk, Policy & Compliance, and Vendor Risk modules.
  • Review and validate inherent and residual risk scoring, ensuring consistent application of risk methodologies.
  • Evaluate control effectiveness using evidence, documentation, interviews, and technical data.
  • Identify security risks, gaps, and vulnerabilities across processes, technologies, vendors, and applications.
  • Document detailed findings, recommendations, and remediation plans.
• ServiceNow IRM Administration & Optimization
  • Create, update, and manage risk records, assessments, workflows, indicators, and control attestations.
  • Support enhancements to IRM processes, playbooks, and automation capabilities.
  • Assist with platform data integrity, reporting, dashboards, and process optimization.
• Governance, Risk & Compliance Support
  • Support ongoing compliance efforts aligned to ISO 27001, PCI, NYDFS, and other regulatory frameworks.
  • Participate in internal and external audit readiness activities by gathering evidence, validating controls, and tracking requirements.
  • Maintain documentation including policies, standards, risk methodology, and control libraries.
• Stakeholder Collaboration
  • Work closely with business owners, security engineers, procurement, and IT teams to explain risks and required actions.
  • Track remediation plans, validate closure, and assist teams in interpreting control obligations.
  • Present risk findings and trends to GRC leadership and cross-functional teams.
• Reporting & Metrics
  • Produce dashboards and risk reports from ServiceNow IRM for leadership review.
  • Monitor KPIs and KRIs related to risk posture, control performance, and compliance obligations.

Qualifications

• 2+ years of experience in GRC, information security, risk management, or compliance roles.
• Hands-on experience using ServiceNow IRM (Risk, Policy & Compliance, Vendor Risk, or Audit modules).
• Strong understanding of information security and GRC frameworks (ISO 27001, PCI, NYDFS and other regulatory frameworks).
• Experience conducting or supporting risk assessments for applications, processes, or technology.
• Ability to analyze complex security issues and communicate findings clearly to technical and non-technical stakeholders.
• Familiarity with security controls, vulnerability management, and audit concepts.

Requirements

• Certifications such as Security+, CySA+, CCSK, CISA, CRISC, CGEIT, or ISO 27001 Lead Implementer/Auditor.
• Experience with risk quantification models (e.g., FAIR) a plus.
• Background supporting audits (ISO 27001, PCI, etc.).
• Experience contributing to GRC process improvements or workflow automation.
• Strong analytical and critical-thinking skills.
• Excellent written and verbal communication.
• Detail-oriented with strong documentation capabilities.
• Ability to manage multiple tasks and deadlines independently.

Other things to note

• This position is open to U.S. remote work. However, team members who reside within 20 miles of the Traverse City headquarters will follow a hybrid schedule, working from the office three days per week.
• May require travel for quarterly events.
• Familiarity with public company requirements, including Sarbanes Oxley and key regulations, if applicable.