Key Responsibilities

1. Lead RMF Implementation & Governance

• Lead end-to-end implementation of NIST RMF across critical systems and applications
• Oversee development and maintenance of key artifacts (SSPs, SARs, POA&Ms)
• Define and standardize control implementation approaches across the organization
• Partner with platform teams to evaluate control design, identify security gaps, and define risk-based remediation actions

2. Enterprise Risk Assessment & Risk Register Ownership

• Lead complex risk assessments (applications, infrastructure, cloud, business processes)
• Define and refine risk assessment methodologies and scoring models
• Own and govern the enterprise risk register, ensuring accuracy and completeness
• Drive risk prioritization aligned with business impact and threat landscape
• Present risk insights and trends to senior management

3. Risk Exception Governance

• Establish and manage the risk exception framework and approval workflows
• Challenge and validate risk acceptance decisions with strong business context
• Ensure compensating controls are appropriate and documented
• Track, review, and enforce expiry and renewal of exceptions

4. Reporting, Governance & Stakeholder Management

• Develop executive-level risk dashboards, KPIs, and KRIs
• Provide actionable risk insights to leadership and business stakeholders
• Support audits, regulatory reviews, and compliance initiatives
• Influence risk-based decision-making across business and technology teams

5. Process Improvement & Maturity

• Enhance and scale cyber risk management processes and frameworks
• Introduce automation and tooling (e.g., GRC platforms like ServiceNow)
• Align practices with industry standards (e.g., NIST, ISO, FAIR where applicable)
• Mentor junior analysts and uplift team capability