Job Description

Working with Us
Challenging. Meaningful. Life-changing. Those aren’t words that are usually associated with a job. But working at Bristol Myers Squibb is anything but usual. Here, uniquely interesting work happens every day, in every department. From optimizing a production line to the latest breakthroughs in cell therapy, this is work that transforms the lives of patients, and the careers of those who do it. You’ll get the chance to grow and thrive through opportunities uncommon in scale and scope, alongside high-achieving teams. Take your career farther than you thought possible.

Bristol Myers Squibb recognizes the importance of balance and flexibility in our work environment. We offer a wide variety of competitive benefits, services and programs that provide our employees with the resources to pursue their goals, both at work and in their personal lives. Read more: careers.bms.com/working-with-us

Senior IT Risk Analyst / IT Risk Advisor — Risk Operations

The Senior IT Risk Analyst / IT Risk Advisor, IT Risk Operations is a senior judgment and advisory role within BMS's IT Risk function. Operating within a modern, automation-enabled risk operating model, this role moves well beyond transactional risk processing. The Senior Analyst serves as the primary human accountability layer for complex, high-tier, and exception-level risk determinations — while also providing advisory support to leadership, cross-functional partners, and senior stakeholders on risk posture, emerging risk signals, and the continuous evolution of BMS's integrated risk framework.

This role is suited for an experienced risk professional who is energized by higher-value problem solving, operates comfortably in ambiguity, and is ready to shape how IT risk is practiced at scale in a leading global pharmaceutical company.

Key Responsibilities

Senior Risk Judgment & Advisory

• Serve as the senior analytical authority for complex, high-tier risk cases — including Cyber Risk, AI risk, cross-jurisdictional privacy complexity, and novel technology types not clearly addressed by existing framework

• Provide risk advisory support to IT leadership, BISOs, Legal/Privacy, and business stakeholders — translating complex risk landscapes into clear, actionable guidance

• Own the integrity of the risk determination record for high-profile or sensitive programs; provide independent review where risk signals are ambiguous or where determinations carry material business or regulatory consequence

• Guide analysts on when to accept, challenge, escalate, or override risk outputs — serving as a calibration resource and quality anchor for the team

Framework Stewardship & Continuous Monitoring

• Monitor patterns across risk assessments — override rates, exception volumes, flag frequencies — to identify systematic accuracy issues, framework gaps, or emerging risk themes

• Support continuous monitoring initiatives and contribute to the evolution of BMS's integrated risk framework (Scope Screening → Regulatory Classification → Risk-Tiered Controls) as the operating model matures

• Identify where the risk tiering model, control library, or assessment logic may need refinement; articulate improvement recommendations with supporting evidence to Risk Leads and leadership

• Contribute to periodic reviews of auto-approved projects, leading structured assessments where findings may have broader programmatic implications

Stakeholder Leadership & Cross-Functional Engagement

• Lead engagement with senior project sponsors, IT architects, Legal/Privacy SMEs, and Compliance teams on high-risk or high-complexity assessments

• Represent the IT Risk function in cross-functional forums; provide subject matter expertise on regulatory risk implications (GDPR, EU AI Act, GxP, NIST frameworks)

• Build and maintain strong partnerships across IT, Legal, Privacy, Cybersecurity, and Business functions; act as a trusted advisor rather than a compliance gatekeeper

• Support escalation resolution between Risk Leads, BISOs, Privacy SMEs, and project teams; facilitate closure on disputes involving risk determinations and framework interpretation

Operational Excellence & Governance

• Ensure audit-ready documentation standards across the team; review and validate complex SNOW and GRC records for accuracy, completeness, and audit defensibility

• Contribute to or lead training initiatives for analysts on evolving framework components, updated risk tiering logic, and operational workflow changes

• Support governance reporting; prepare executive-quality risk summaries, trend analyses, and control attestation packages for senior leadership and compliance audiences

• Provide UAT support for framework and tooling updates — including validating that risk outputs align with expected SME-level determinations

Mentorship & Team Development

• Provide mentorship and guidance to junior analysts; support calibration, quality review, and professional development within the team

• Model the expected analyst behavior in an automation-enabled environment: review-first, judgment-driven, override with rationale, and escalate with clarity

Qualifications & Experience

Required

• 7–10 years of progressive experience in IT risk management, cybersecurity risk, IT audit, privacy compliance, or a closely related field

• Demonstrated track record of independent, senior-level risk judgment — including experience handling complex, ambiguous, or high-stakes risk determinations

• Deep knowledge of NIST Cyber Risk Management Framework, NIST 800-53 controls library, and at least one major privacy regulatory framework (GDPR, EU AI Act, GxP, CCPA)

• Experience working with GRC platforms at an advanced level (ServiceNow GRC or equivalent); ability to review, validate, and ensure quality of records produced by others

• Strong executive communication skills; experience preparing and presenting risk findings to senior leadership or audit/compliance audiences

• Experience with AI/ML, automation, or emerging technology risk programs — including digital transformation and data privacy risk governance

Desired Candidate Characteristics

• Highly developed risk judgment — able to form defensible, well-reasoned positions on complex determinations and explain them clearly to any audience

• Advisory mindset: seen as a trusted partner by stakeholders, not just a process owner

• Comfortable with automation and system-generated risk signals as primary inputs — focused on interpreting and acting rather than manually gathering data

• Strategic thinker with an eye on where the risk function is heading, not just where it is today

• Strong influencer and collaborator; able to drive alignment across Legal, Privacy, IT, and Business without formal authority

• Passion for healthcare and the belief that excellent risk management enables better science and better patient outcomes

If you come across a role that intrigues you but doesn’t perfectly line up with your resume, we encourage you to apply anyway. You could be one step away from work that will transform your life and career.

Uniquely Interesting Work, Life-changing Careers
With a single vision as inspiring as “Transforming patients’ lives through science™ ”, every BMS employee plays an integral role in work that goes far beyond ordinary. Each of us is empowered to apply our individual talents and unique perspectives in a supportive culture, promoting global participation in clinical trials, while our shared values of passion, innovation, urgency, accountability, inclusion and integrity bring out the highest potential of each of our colleagues.

On-site Protocol

BMS has an occupancy structure that determines where an employee is required to conduct their work. This structure includes site-essential, site-by-design, field-based and remote-by-design jobs. The occupancy type that you are assigned is determined by the nature and responsibilities of your role:

Site-essential roles require 100% of shifts onsite at your assigned facility. Site-by-design roles may be eligible for a hybrid work model with at least 50% onsite at your assigned facility. For these roles, onsite presence is considered an essential job function and is critical to collaboration, innovation, productivity, and a positive Company culture. For field-based and remote-by-design roles the ability to physically travel to visit customers, patients or business partners and to attend meetings on behalf of BMS as directed is an essential job function.

Supporting People with Disabilities

BMS is dedicated to ensuring that people with disabilities can excel through a transparent recruitment process, reasonable workplace accommodations/adjustments and ongoing support in their roles. Applicants can request a reasonable workplace accommodation/adjustment prior to accepting a job offer. If you require reasonable accommodations/adjustments in completing this application, or in any part of the recruitment process, direct your inquiries to adastaffingsupport@bms.com Visit careers.bms.com/eeo-accessibility to access our complete Equal Employment Opportunity statement.

Candidate Rights

BMS will consider for employment qualified applicants with arrest and conviction records, pursuant to applicable laws in your area.

If you live in or expect to work from Los Angeles County if hired for this position, please visit this page for important additional information: https://careers.bms.com/california-residents/

Data Protection

We will never request payments, financial information, or social security numbers during our application or recruitment process. Learn more about protecting yourself at https://careers.bms.com/fraud-protection

Any data processed in connection with role applications will be treated in accordance with applicable data privacy policies and regulations.

If you believe that the job posting is missing information required by local law or incorrect in any way, please contact BMS at TAEnablement@bms.com Please provide the Job Title and Requisition number so we can review. Communications related to your application should not be sent to this email and you will not receive a response. Inquiries related to the status of your application should be directed to Chat with Ripley.

R1601016 : Senior Risk Analyst