Grc Risk Analyst Jobs in Michigan (NOW HIRING)

Job Summary

The Sr. Cybersecurity Risk Analyst is responsible for leading and maturing the organization's cybersecurity risk management program. This role is accountable for identifying, assessing, and communicating cybersecurity risks across the enterprise, while driving alignment with regulatory requirements, including CMMC. The position will play a key role in building and maintaining the enterprise risk register, developing a third-party risk management program, and partnering with IT teams to establish and maintain secure standards and practices.

The ideal candidate combines strong analytical skills with practical experience in governance, risk, and compliance, and can translate technical risk into actionable business decisions.

Location: Onsite out of our Grand Rapids, MI office.

Work Authorization: Applicants must be currently authorized to work.

Principal Duties and Responsibilities

Risk Management and Governance

• Lead the development and ongoing maintenance of the enterprise cybersecurity risk register, including risk identification, classification, ownership, and tracking.

• Conduct and lead risk assessments for systems, applications, projects, and business initiatives.

• Develop and implement risk management processes, methodologies, and reporting metrics.

• Facilitate risk review sessions with business and IT stakeholders to ensure accountability and transparency.

• Develop and track risk mitigation and remediation plans to closure.

Regulatory Compliance (CMMC and Related Frameworks)

• Support and maintain the organization's CMMC compliance program, including control mapping, evidence collection, and audit readiness.

• Partner with internal stakeholders (IT, Legal, HR, Plant Operations) to ensure alignment with CMMC and other regulatory requirements.

• Assist in preparing documentation and responses for assessments, audits, and regulatory inquiries.

• Monitor evolving compliance requirements and translate them into actionable internal controls.

Third-Party Risk Management

• Develop and mature a third-party cybersecurity risk management program.

• Conduct security risk assessments of vendors, SaaS providers, Software, and external partners.

• Evaluate vendor security posture, shared responsibility models, and contractual security requirements.

• Partner with procurement and legal teams to integrate security requirements into vendor onboarding and contracting processes.

Security Standards and IT Partnership

• Collaborate with IT and engineering teams to develop, implement, and maintain cybersecurity standards and secure configuration baselines.

• Ensure security requirements are embedded into system design, architecture, and operational processes.

• Provide risk-based guidance on system hardening, segmentation, and control implementation.

• Support the development of policies, standards, and procedures that are practical, enforceable, and auditable.

Reporting and Communication

• Communicate risk findings, trends, and recommendations to technical and non-technical stakeholders, including leadership.

• Develop reporting for executive audiences, including risk summaries, metrics, and program maturity updates.

• Support audit committee and leadership reporting as needed.

Continuous Improvement

• Stay current on cybersecurity threats, regulatory changes, and industry best practices.

• Identify opportunities to improve risk visibility, coverage, and program efficiency.

• Mentor junior analysts and contribute to the maturity of the GRC function.

Qualifications

Required

• Bachelor's degree in Information Security, Computer Science, or related field (or equivalent experience).

• 5+ years of experience in cybersecurity risk, governance, or compliance roles.

• Experience building or maintaining a cybersecurity risk register and risk management processes.

• Strong understanding of security frameworks (e.g., NIST, CMMC, ISO 27001).

• Experience conducting third-party/vendor risk assessments.

• Strong analytical, problem-solving, and risk evaluation skills.

• Ability to translate technical risks into business impact.

• Strong written and verbal communication skills.

Preferred

• Experience supporting CMMC assessments or similar regulatory compliance programs.

• Familiarity with manufacturing or operational technology (OT) environments.

• Experience developing security standards or working closely with infrastructure and engineering teams.

• Professional certifications such as CISSP, CISM, CRISC, or similar.