Supply Wisdom

GRC/Compliance Analyst (Internal Only Posting)

TLDR

Own end-to-end GRC, SOC 2, and TPRM programs, guiding AI governance, risk management, and regulatory compliance across multiple functions.

Role Overview

We are looking for a sharp, detail-oriented GRC & Compliance Analyst. In this role you will own the end-to-end lifecycle of our compliance and vendor risk programs — from SOC 2 audit coordination and enterprise risk register management to AI governance, regulatory compliance, and third-party risk assessments (TPRM).


Key Responsibilities

SOC 2 Compliance & Audit Management

  • Own the end-to-end SOC 2 audit lifecycle using Sprinto — control mapping, evidence collection, and annual audit coordination with external auditors (CertPro).
  • Administer the Sprinto platform: maintain control ownership, track remediation items, and liaise with IT (identity and access-related controls).
  • Coordinate cross-functional evidence collection across engineering, product, and operations teams to meet audit timelines.
  • Manage the system description document review and sign-off process; respond to customer diligence and SOC 2 attestation inquiries.

Vendor & Third-Party Risk Management (TPRM)

  • Own the vendor risk assessment program — intake, risk scoring, report production, and lifecycle tracking for all third-party suppliers.
  • Manage new vendor onboarding: issue risk questionnaires and request security documentation from external vendors.
  • Produce Vendor Risk Assessment Summary Reports with clear risk ratings and actionable recommendations for stakeholders.
  • Coordinate with the internal assessment team (Sweta and the assessors) and own the full intake-to-report cycle.
  • Own continuous monitoring of the vendor risk portfolio and produce regular risk reports for management review.

AI Governance

  • Maintain and evolve the company's AI data classification framework (RED/YELLOW tier model) and Acceptable Use Policy.
  • Manage the AI Exception Register; own intake and triage of AI Tool Request & Disclosure Forms, including RED-tier escalation.
  • Conduct enterprise AI governance assessments for AI vendors as an extension of the TPRM program.
  • Oversee the tool review process and document outcomes for compliance records.

Enterprise Risk Management

  • Lead risk register reviews across all business functions; conduct structured risk interviews with functional leads.
  • Identify cross-functional risk themes and produce consolidated risk summaries for CFO reporting.
  • Own technology residual risk reviews in partnership with the IT function; maintain the enterprise risk register.

Security Incident Response

  • Monitor vendor security incidents; prepare briefings for senior leadership (CFO/CEO) when disclosures are received.
  • Own the compliance response and documentation for internal incidents, working alongside IT for technical containment and triage.

Research & Analysis

  • Collect, update, and analyze data for assigned global locations and supplier targets using both primary and secondary sources.
  • Read and interpret annual reports, financial statements, and economic indicators (GDP, inflation, trade data) to assess location and supplier risk.
  • Produce high-quality professional research reports, event alerts, and risk briefings with actionable client guidance.
  • Monitor global news and geopolitical developments; issue timely event alerts for clients as situations develop.
  • Leverage AI tools to improve research, analysis, and reporting efficiency.
  • Maintain the Legal, Statutory & Regulatory Requirements Register, covering obligations across the US, Ireland, and India.
  • Steward ISMS documentation within the SharePoint Resilience folder; expand and update documentation as the regulatory landscape evolves.


Requirements

Qualifications & Experience

  • Postgraduate degree (MBA, MA, MSc, or equivalent) from a recognized university — disciplines such as business, law, economics, international relations, or information security are preferred.
  • 2–4 years of experience in GRC, compliance, risk management, or business/market research, ideally within a B2B SaaS, BFSI, IT, or BPO environment.
  • Demonstrated experience with SOC 2 audits, TPRM programs, or regulatory compliance frameworks (ISO 27001, ISMS).

Skills & Knowledge

  • Sound understanding of compliance frameworks: SOC 2, ISO 27001/ISMS, and vendor risk methodologies.
  • Ability to read and interpret financial statements, annual reports, and macroeconomic indicators (GDP, CPI, inflation).
  • Strong secondary research skills; able to extract and synthesize information from multiple public sources efficiently.
  • Excellent written communication: capable of producing client-ready reports, risk summaries, and policy documents.
  • Proficiency in MS Word, MS Excel, and MS PowerPoint. Experience with Sprinto, Looker, or comparable GRC/BI tools is an advantage.
  • Familiarity with AI governance concepts and data classification frameworks is a plus.
  • Strong multi-tasking ability, fast learner, comfortable working with strict deadlines in a fast-paced, global environment.

Interpersonal & Behavioral

  • High attention to detail and strong analytical judgement — able to distinguish material risk from noise.
  • Excellent interpersonal skills; comfortable liaising across engineering, legal, finance, and executive stakeholders.
  • Proactive and self-directed; raises issues early and proposes solutions rather than waiting for direction.

Supply Wisdom builds real-time risk management solutions designed to help organizations optimize their supply chain operations. Targeting Fortune 100 and Global 2000 companies in sectors like financial services, healthcare, and technology, our AI-based SaaS products deliver actionable insights and comprehensive risk profiles across various domains, including financial, cyber, and operational risks.

Founded: 1999
Employees: 51-200
Industry: Professional Services