ETS Risk Analyst II

ETS Risk Analyst II – Monitoring and Testing

The Enterprise Technology & Security (ETS) Risk Analyst II plays a critical role in the identification, assessment, and mitigation of technology and security related risks across the organization. Working within a first-line risk team, this role partners directly with Risk Managers to execute control monitoring and testing that aligns with the bank's risk appetite framework, regulatory expectations, and industry standards including Cybersecurity Risk Institute (CRI) Profile, NIST 800-53, and NIST Cybersecurity Framework. You will independently assess control effectiveness, monitor key risk indicators, and analyze results to identify trends, control gaps, and areas for improvement. This role requires strong professional judgment, high quality documentation, and timely communication to support a resilient control environment and informed risk decisions. This is an excellent opportunity for an early-career risk professional looking to build foundational expertise in technology and security risk within a growing regulated financial institution.

• Partner with Risk Managers to execute the control monitoring and testing program across multiple complex technology and cybersecurity processes.

• Independently perform control design and operating effectiveness testing in accordance with established methodologies and timelines.

• Assess material controls and determine whether enhanced controls are effective to support issue validation and closure.

• Document testing results clearly and accurately in the system of record and supporting tools, producing audit ready documentation suitable for QA, Internal Audit, and Regulatory review.

• Support the analysis of monitoring and testing results to identify themes, trends, root causes, and emerging issues.

• Escalate control deficiencies, emerging risks, and potential delays in a timely and professional manner.

• Support issue management activities, including testing to validate remediation and support issue closure 

• Participate in Risk and Control Self Assessments (RCSAs), including creation and validation of process maps that reflect key processes, risks, and controls 

• Maintain awareness of emerging risks and evolving technologies (e.g., artificial intelligence, automation, and data driven processes) and assess their impact on control design, effectiveness, and monitoring approaches.

• Contribute to the continuous monitoring program by leveraging automated testing, key control metrics, and trend analysis to improve risk insight and control coverage.

• Identify, evaluate, and prioritize opportunities to enhance control testing through automation, data analytics, and improved key control metrics, partnering with stakeholders to support implementation.

• Build effective working relationships with business and technology stakeholders to stay informed of process changes and emerging risks.

• Develop understanding of internal policies, infrastructure processes, and evolving industry risk trends.

• Proactively pursue ongoing professional development, including relevant certifications, industry training, etc. to maintain current knowledge in a rapidly evolving field.

Required:

• 3–5 years of experience in IT, information security, risk management, or internal audit.

• Foundational understanding of technology risk concepts, control frameworks (NIST 800-53, NIST CSF, CRI Profile, COBIT, or ITIL), and risk management lifecycle.

• Familiarity with GRC platforms (e.g., Archer) and IT service management tools (e.g., ServiceNow, Jira).

• Ability to analyze and interpret data from security and operational monitoring tools.

• Strong written and verbal communication skills, with the ability to translate technical risk findings into clear documentation.

• Demonstrated ability to manage multiple priorities in a fast-paced environment with attention to detail.

• Proficiency in Microsoft Office Suite (Excel, Word, PowerPoint).

Preferred:

• Experience in a regulated financial services or banking environment.

• Familiarity with cloud environments (AWS, Azure) or infrastructure risk concepts.

• Exposure to audit response, regulatory exam support, or corrective action tracking.

• Bachelor's degree in Information Technology, Cybersecurity, Business, or a related field required.

• One or more of the following certifications are preferred:
• CompTIA Security+

• AWS Cloud Practitioner or Microsoft Azure Fundamentals

• CISA (Certified Information Systems Auditor)

• CRISC (Certified in Risk and Information Systems Control)

Hours & Work Schedule

• Hours per Week: 40
• Work Schedule: Monday - Friday
• Hybrid: 4 days per week onsite

Equal Employment Opportunity

Citizens, its parent, subsidiaries, and related companies (Citizens) provide equal employment and advancement opportunities to all colleagues and applicants for employment without regard to age, ancestry, color, citizenship, physical or mental disability, perceived disability or history or record of a disability, ethnicity, gender, gender identity or expression, genetic information, genetic characteristic, marital or domestic partner status, victim of domestic violence, family status/parenthood, medical condition, military or veteran status, national origin, pregnancy/childbirth/lactation, colleague’s or a dependent’s reproductive health decision making, race, religion, sex, sexual orientation, or any other category protected by federal, state and/or local laws. At Citizens, we are committed to fostering an inclusive culture that enables all colleagues to bring their best selves to work every day and everyone is expected to be treated with respect and professionalism. Employment decisions are based solely on merit, qualifications, performance and capability.

Equal Employment and Opportunity Employer

Job Applicant Data Privacy Policy

Background Check

Any offer of employment is conditioned upon the candidate successfully passing a background check, which may include initial credit, motor vehicle record, public record, prior employment verification, and criminal background checks. Results of the background check are individually reviewed based upon legal requirements imposed by our regulators and with consideration of the nature and gravity of the background history and the job offered. Any offer of employment will include further information.