Senior Risk and Compliance Analyst

Job Title

This job works collaboratively to support of all risk and compliance assessment activities of Highmark Health across a broad range of frameworks including NIST, HITRUST, PCI, HIPAA, SOC, MAR, CMS, JCAHO, etc. The incumbent will partner with the organizational risk and business partners, the technology organization, and global delivery teams to meet Highmark Health's mission requirements in a manner consistent with the enterprise risk appetite. This individual must have a proactive mindset and approach, and feel comfortable working in a highly matrixed environment.

Essential Responsibilities

• Plan and conduct risk assessment activities according to the appropriate framework, including but not limited to NIST, HITRUST, PCI, HIPAA, SOC, MAR, CMS, JCAHO, in order to identify, assess, prioritize, evaluate and address financial, information security, privacy, and other areas of risk.
• Prepare draft reports and other management reporting deliverables.
• Review all work prepared by less experienced team members to ensure audit quality standards are consistently met in all forms of documentation.
• Review and interpret inherent risk assessment results, engagement risks, and develop assurance plans (e.g., on-site audit, contract review, financials assessment, purchasing data analysis) to address relevant risk areas and to ensure proper controls are implemented.
• Lead development of project plans to support risk assessment and decisioning in coordination with business owners and other stakeholders within task-based budgets.
• Collaborate and communicate with Information Security, Privacy, Procurement, Audit, Compliance, and other teams across the Enterprise to align risk management objectives, practices and procedures.
• Interface with business areas, technical staff, project teams, and third parties to execute cross-functional risk assurance projects. Lead the communication of assessment results and findings with multiple stakeholder groups and provides consultation and direction throughout.
• Interpret complex data flow/ information sharing activities, customer integrations, and information safeguards into simplified and high-level terminology and/or process/data flows.
• Maintains risk management reporting dashboards in RSA Archer applications in order to keep information complete, accurate, and current. Prepare and assist with the delivery of risk assurance reports to management.
• Ensure risk questionnaires and other risk assessments are distributed and completed on-time and prepares initial impact assessments.
• Ensure compliance requirements are met across the Enterprise. Assist in training and mentoring team members on multi-faceted engagements, platform customer dependencies, and interpretation of complex contract agreements.
• Collaborate with lead in providing input and consultation on risk and assurance reporting. Collaborate and consult with other areas (e.g., Procurement, Privacy, Information Security, Legal) throughout the engagement lifecycle. Assist in providing timely feedback on interpretations regarding authoritative guidance.
• Proactively reviews updates made to departmental desk-level procedures, risk assessment methodology, assessment procedures, questionnaires, training, etc. and is responsible for monitoring compliance with departmental metrics, internal control activities, contractual obligations, regulatory requirements, and responding to customer inquiries / audits.
• Other duties as assigned or requested

Education

Required

• Bachelor's Degree in Accounting, Finance, Business Administration/Management, Information Technology, Pre-Law, or related field

Substitutions

• 6 years of related and progressive experience in lieu of Bachelor's degree

Preferred

• Master's Degree in Accounting, Finance, Business Administration/Management, Information Technology, Pre-Law, or related field

Experience

Required

• 5 years in Audit and Compliance
• To Include:
• 3 years of Business Process Design
• 3 years of Project Management

Preferred

• None

Licenses or Certifications

Required

• None

Preferred (any of the following)

• Certified Public Accountant (CPA)
• Certified Information Systems Analyst (CISA)
• Certified Information Privacy Professional (CIPP)
• Certified Information Systems Security Professional (CISSP)

Skills

• Demonstrate expert knowledge of business and technology processes, risk and control frameworks, and assessment methodologies, particularly as applied to healthcare (payer and provider) business processes.
• Knowledge of relevant regulatory guidelines, vendor management, sourcing and procurement, and completing assessments of vendors
• Excellent resource and project planning capabilities, decision making skills, history of results-oriented delivery, and effective team building across a cross-campus and diverse team of management and staff.
• Strong written and verbal communication skills for diverse audiences (senior management, board, peer, and team).
• Strong relationship building skills and ability to influence with and without authority in a matrixed organization.
• Leadership qualities with an ability to motivate and inspire a group of individuals to achieve superior results.
• High capacity to think analytically, interpret information / observations, apply judgment and make effective, strategic decisions.

Language (Other than English):

None

Travel Requirement:

0% - 25%

Physical, Mental Demands and Working Conditions

Position Type

Office-based

Teaches / trains others regularly

Occasionally

Travel regularly from the office to various work sites or from site-to-site

Rarely

Works primarily out-of-the office selling products/services (sales employees)

Never

Physical work site required

Yes

Lifting: up to 10 pounds

Constantly

Lifting: 10 to 25 pounds

Occasionally

Lifting: 25 to 50 pounds

Rarely