The Enterprise Technology & Security (ETS) Risk Senior Analyst leads the identification, assessment, and mitigation of technology-related risks, ensuring the organization's risk management practices are robust and effective. Serving as a key contributor within a first-line risk team, this role works directly with Risk Managers to execute control monitoring and testing that aligns with the bank's risk appetite framework, regulatory expectations, and industry standards. You will oversee end-to-end testing execution, apply advanced risk judgment, and mentor analysts to strengthen testing consistency and documentation quality. This role requires the ability to influence stakeholders through data-driven insights, proactively identify emerging risks, and drive continuous improvements in monitoring, analytics, and automation. This role requires strong professional judgment, high quality documentation, and timely communication to support a resilient control environment and informed risk decisions. The Senior Analyst applies deep knowledge of frameworks such as Cybersecurity Risk Institute (CRI) Profile, NIST 800-53, and NIST Cybersecurity Framework to assess risk and drive meaningful improvements in the bank's security and technology risk posture.
Responsibilities
Lead planning and execution of control monitoring and testing across multiple complex technology and cybersecurity processes, ensuring adherence to methodology, timelines, and quality standards.
Independently perform and/or oversee control design and operating effectiveness testing; review workpapers and evidence for completeness, accuracy, and audit readiness.
Assess material controls and evaluate whether enhanced controls and remediation actions are effective to support issue validation and closure.
Ensure testing results are documented clearly and accurately in the system of record and supporting tools, producing audit-ready documentation suitable for QA, Internal Audit, and Regulatory review.
Proactively escalate significant control deficiencies, emerging risks, and delivery risks; drive follow-up with stakeholders to achieve timely resolution.
Lead issue validation testing to confirm remediation effectiveness and provide evidence-based recommendations to support issue closure.
Support and/or lead Risk and Control Self-Assessments (RCSAs), including creation and validation of process maps that reflect key processes, risks, and controls.
Lead identification and prioritization of opportunities to enhance testing through automation, data analytics, and improved key control metrics (KRIs/KCMs); partner with stakeholders to support implementation.
Strengthen continuous monitoring by refining metrics, improving coverage, and leveraging trend and anomaly analysis to increase risk signal and reduce noise.
Build and expand trusted relationships across business and technology stakeholders; influence outcomes through compelling, fact-based analysis and clear recommendations.
Mentor junior analysts on risk methodology, documentation standards, and analytical techniques.
Stay current on regulatory changes, emerging technology risks, and evolving industry frameworks.
Proactively pursue ongoing professional development, including relevant certifications, industry training, etc. to maintain current knowledge in a rapidly evolving field.
Experience & Skills
Required:
5–7 years of progressive experience in IT risk management, information security, or internal audit.
Working knowledge of control frameworks including CRI Profile, NIST 800-53, NIST CSF, COBIT, and/or ITIL.
Experience conducting or supporting RCSAs, control testing, and risk assessments in a regulated environment.
Strong analytical and problem-solving skills with the ability to interpret complex data and translate findings into actionable recommendations.
Demonstrated ability to manage multiple concurrent priorities with minimal oversight.
Strong interpersonal and written communication skills; able to convey technical risk concepts to non-technical stakeholders.
Proficiency with GRC platforms (e.g., Archer), ITSM tools (e.g., ServiceNow, Jira), and security tools (e.g., Splunk, Qualys, DataDog, Wiz, and/or CyberArk).
Experience with cloud platforms such as AWS and Azure.
Familiarity with reporting tools (Tableau, Power BI).
Preferred:
Experience in a regulated financial institution or banking environment.
Familiarity with cloud infrastructure risk, cyber recovery, or third-party risk management.
Prior experience responding to regulatory exams or supporting audit remediation.
Education
Bachelor's degree in Information Technology, Cybersecurity, Business, or a related field required; Master's degree preferred.
One or more of the following certifications are preferred:
- CISA (Certified Information Systems Auditor)
- CRISC (Certified in Risk and Information Systems Control)
- CISM (Certified Information Security Manager)
- AWS Cloud Practitioner or Microsoft Azure Fundamentals
Hours & Work Schedule
- Hours per Week: 40
- Work Schedule: Monday-Friday
- Hybrid: 4 days per week onsite, 1 day remote
About Us
Equal Employment Opportunity
Citizens, its parent, subsidiaries, and related companies (Citizens) provide equal employment and advancement opportunities to all colleagues and applicants for employment without regard to age, ancestry, color, citizenship, physical or mental disability, perceived disability or history or record of a disability, ethnicity, gender, gender identity or expression, genetic information, genetic characteristic, marital or domestic partner status, victim of domestic violence, family status/parenthood, medical condition, military or veteran status, national origin, pregnancy/childbirth/lactation, colleague’s or a dependent’s reproductive health decision making, race, religion, sex, sexual orientation, or any other category protected by federal, state and/or local laws. At Citizens, we are committed to fostering an inclusive culture that enables all colleagues to bring their best selves to work every day and everyone is expected to be treated with respect and professionalism. Employment decisions are based solely on merit, qualifications, performance and capability.
Background Check
Any offer of employment is conditioned upon the candidate successfully passing a background check, which may include initial credit, motor vehicle record, public record, prior employment verification, and criminal background checks. Results of the background check are individually reviewed based upon legal requirements imposed by our regulators and with consideration of the nature and gravity of the background history and the job offered. Any offer of employment will include further information.


