
Business Risk Operations Senior Analyst

Lighthouse Credit Union
paid time off, tuition assistance, 401(k), profit sharing, remote work
United States, New Hampshire, Dover
May 29, 2026

OUR LEADERSHIP PHILOSOPHY
At Lighthouse Credit Union, we believe all individuals, regardless of position level, are considered leaders. By providing a framework that balances clarity with adaptability, our Leadership Competencies aim to foster a culture of continuous growth and agile leadership. Lighthouse Credit Union is committed to embracing change, nurturing leadership talent, and ensuring our performance management practices are aligned with our vision of fostering a resilient and forward-thinking organization. As such, we all hold ourselves accountable to the following:

LEADERSHIP COMPETENCIES

Demonstrates Interpersonal Awareness & Skills
A cornerstone of our collaborative work environment, this competency emphasizes effective communication, relationship building and teamwork. It also supports creating a positive work environment that values individual contributions and fosters teamwork. As an individual leader, you will demonstrate active listening and clear communication, and contribute beneficially to team dynamics.

Embraces Change & Learning
This competency focuses on adaptability, personal development and the advocacy and embracing of progressive change. You will be challenged to explore continuous learning opportunities to achieve excellence and foster a culture of growth and innovation. As an individual leader, you will actively engage in personal development, embrace change enthusiastically and support team members in their growth. You will also demonstrate flexibility and adaptability in response to changing circumstances.

Utilizes Critical & Creative Thinking
Underlining the importance of innovative problem solving, challenging the status quo and strategic thinking, this competency is vital for driving excellence and leadership. This competency challenges team members to take initiative beyond one's immediate responsibilities. As an individual leader, you will actively look for and share opportunities for improvement, show open-mindedness to new ideas and professionally challenge inefficient processes. You will also actively contribute to defining solutions and promoting innovation.

Takes Personal Ownership
This competency focuses on taking responsibility for performance goals, proactive collaboration and accountability. It highlights the significance of each team member taking ownership of their role and contributions while demonstrating leadership qualities regardless of their position. As an individual leader, you will be actively engaged in setting and achieving performance goals, take responsibility for personal action and decisions and seek opportunities for self-improvement and skill development.

POSITION SUMMARY
The Business Risk Operations Senior Analyst is a senior individual contributor operating within a second line governance and independent validation function. This role is responsible for administering, validating, and documenting key risk and control activities that support regulatory compliance, audit readiness, and the ongoing maturity of the organization's GRC program. A primary responsibility includes the independent governance and validation of User Access Reviews (UARs), including reconciliation and review of user and privileged access to ensure adherence to least-privilege principles and overall control effectiveness. Under the direction of the VP, Business Risk & Information Security Officer, this role supports oversight activities across vendor due diligence, CUEC management, contract and NDA coordination, business continuity program administration, and documentation governance. The Business Risk Operations Senior Analyst exercises independent judgment to identify and challenge control weaknesses, incomplete evidence, documentation gaps, and missed deadlines. The role partners with stakeholders to coordinate remediation efforts and escalates risks, providing clear and actionable recommendations when appropriate.

ESSENTIAL FUNCTIONS & RESPONSIBILITIES

User Access Review (UAR) Governance
* Administers end-to-end User Access Reviews (UARs) as an independent governance control, including scheduling, evidence collection, reconciliation, validation, and documentation.
* Validates user and privileged access against approved roles, entitlements, and least-privilege standards, including review of access provisioned through Microsoft Entra security groups.
* Identifies and documents access exceptions related to provisioning, transfers, terminations, and excessive access; tracks remediation through resolution and maintains audit-ready evidence.
* Ensures UAR artifacts meet regulatory, audit, and internal retention requirements.

GRC Control Administration & Independent Validation
* Administers and validates the execution of recurring risk and control activities supporting FFIEC, NCUA, and GLBA compliance requirements.
* Maintains control documentation, evidence repositories, and GRC system records to support audits, examinations, and management oversight.
* Performs procedural control validation and limited control testing to confirm execution and evidence sufficiency; does not design controls or perform technical configurations.
* Identifies control execution gaps, documentation deficiencies, and missed timelines; challenges first-line control execution and escalates issues with clear corrective action recommendations.

Contract, NDA & Lifecycle Tracking
* Reviews vendor contracts and NDAs to ensure inclusion of required risk and security provisions (e.g., GLBA, breach notification, audit rights, data protection, and service level agreements).
* Partners with vendor owners to remediate contractual gaps and ensure compliance requirements are met.
* Routes agreements to Legal for review when required.
* Tracks contract execution, expiration, and renewal milestones; identifies and escalates issues that may impact compliance or onboarding timelines.
* Maintains contract and NDA documentation in alignment with audit and regulatory expectations.

Business Continuity Program Administration
* Coordinates business continuity plan updates with business unit owners to ensure alignment with program standards and ongoing accuracy.
* Schedules, documents, and tracks business continuity testing activities, including tabletop exercises.
* Maintains business continuity documentation, test results, issue tracking, and remediation evidence for audit and regulatory review.

Vendor Due Diligence & Third-Party Risk Management
* Supports vendor due diligence and Third-Party Risk Management (TPRM) activities, partnering with internal stakeholders to ensure adherence to program requirements and timelines.
* Coordinates vendor onboarding and ongoing due diligence in accordance with internal policy and established standards.
* Performs risk-focused reviews of third-party relationships to support risk tiering and oversight, including the collection and validation of required documentation.
* Reviews due diligence artifacts (e.g., SOC reports, certifications, regulatory attestations) for completeness and follow-up requirements; tracks remediation items through resolution.
* Partners with vendor owners to obtain updated information and address documentation gaps impacting onboarding, renewals, or compliance deadlines.
* Identifies, documents, and tracks Complementary User Entity Controls (CUECs); monitors implementation status, evidence retention, and remediation progress.

JOB SPECIFICATIONS
* Demonstrated working knowledge of User Access Review (UAR) governance, including least privilege principles, role-based access controls, and independent validation of user and privileged access.
* Experience reviewing and validating access-related evidence, including user listings and security group assignments from identity platforms (e.g., Microsoft Entra), to identify exceptions and required follow-up actions.
* Proven ability to administer, validate, and document the execution of GRC control activities with limited supervision, applying sound judgment to identify gaps, inconsistencies, and control execution issues.
* Experience working within GRC and vendor management systems to track activities, maintain evidence, and support audit, compliance, and management oversight processes.
* Strong experience conducting risk-focused contract and NDA reviews, ensuring inclusion of required security, regulatory, and risk provisions prior to execution.
* Working knowledge of business continuity program support, including documentation maintenance, testing coordination, and remediation tracking.
* Experience supporting vendor due diligence and third-party risk management (TPRM) processes, including review of SOC reports, certifications, and attestations for completeness and follow-up actions.
* Strong organizational, analytical, and time management skills, with the ability to prioritize and manage multiple concurrent deliverables and deadlines.
* Ability to identify and challenge incomplete documentation, missed timelines, and control execution issues; escalates concerns with clear, actionable recommendations.
* Strong written and verbal communication skills, with a high level of attention to detail.
* Self-motivated, detail-oriented, and accountable, with the ability to operate effectively in a fast-paced, control-driven environment.

EDUCATION, TRAINING & EXPERIENCE
* Bachelor's degree in Risk Management, Information Systems, or a related field, or equivalent relevant work experience.
* 4-6 years of experience supporting risk management, GRC, internal controls, information security governance, or compliance programs within a regulated environment.
* Demonstrated experience performing or supporting User Access Reviews (UARs), including reconciliation of user and privileged access, review of role-based access, and validation of least-privilege principles.
* Experience working with identity or access management data sources (e.g., Microsoft Entra or similar platforms) to support access validation and evidence collection.
* Experience administering and maintaining GRC platforms or similar systems used to track controls, evidence, remediation activities, and compliance workflows.
* Experience reviewing vendor contracts and NDAs for required risk, security, and compliance provisions and supporting remediation of contractual gaps.
* Working knowledge of business continuity program support, including plan maintenance, testing coordination, and documentation tracking.
* Experience supporting vendor due diligence and Third-Party Risk Management (TPRM) activities, including review of SOC reports, certifications, and attestations.
* General familiarity with financial institution regulatory expectations and frameworks (e.g., GLBA, FFIEC, NCUA guidance).
* Experience supporting internal audits, regulatory examinations, or control reviews preferred.

WORK ARRANGEMENT:
The working arrangement for this position is hybrid. Hybrid work is an opportunity to find the right balance between working in the office and remotely, especially if it supports individual success and the needs of our organization. Hybrid schedules are determined by the hiring manager based on business unit needs and may vary by department. Although a remote work arrangement may be authorized, those working in a remote position should expect occasional travel to headquarters or other business locations as necessary for work purposes.



Back Office Benefits That Work for You

We know life doesn't pause when you're at work - and your benefits shouldn't either. At Lighthouse Credit Union, we offer real support for real life, with perks that help you stay healthy, grow your future, and take care of what matters most.


Financial Relief & Support

* Student Loan & Tuition Assistance - Whether you're paying off debt or going back to school, we help lighten the load.

* Employee Loan Discounts - Get access to lower rates on personal loans, just for being part of the team.

* Weekly Paychecks - Because waiting two weeks shouldn't be the norm.

* 401(k) with Employer Match & Profit Sharing - We invest in your future with generous contributions and immediate vesting.


Time Off That Respects Your Life

* Lighthouse Leave Program - Paid time off for major life moments, from welcoming a child to caring for a loved one.

* Volunteer Time Off (VTO) - Give back to your community with paid time to serve.

* PTO + Paid Federal Holidays - Rest, recharge, and celebrate without worry.

* Balanced Schedule - All branches close by 5pm and on Sundays - no late nights or unpredictable shifts.


Health & Wellness

* Comprehensive Medical, Dental & Vision Plans - Coverage that starts quickly and fits your needs.

* HSA/FSA Options - Save pre-tax dollars for everyday health expenses.

* Discounted Pet Insurance - Because furry family members deserve care too.

* Employee Assistance Program (EAP) - Free, confidential support for life's challenges - available 24/7.


Culture & Connection

* Annual Bonus Program - Celebrate your wins, your teammates' successes, and the Credit Union's growth - together.

* Engagement Groups - Join communities like Pride at Work, Women in Leadership, Book Club, and more.

* Ongoing Training & Career Growth - We invest in your development from day one.

* Annual Summit & Team Outings - Celebrate wins and connect with coworkers across the organization.

LIGHTHOUSE CREDIT UNION IS AN EQUAL OPPORTUNITY EMPLOYER
