Senior Risk Program Manager

CircleCI

💵 $143k-$178k
📍 Remote - United States

Summary

Join CircleCI's Governance, Risk, and Compliance (GRC) team as a Senior Risk Program Manager and drive technical risk excellence. Collaborate with various teams to transform risk initiatives into sustainable programs, supporting business growth and compliance. Leverage your risk expertise and program management skills to shape GRC strategy and solve complex challenges. The GRC team acts as the second line of defense, working with Security, IT, Engineering, and Finance to manage risk and ensure compliance. This role involves designing and maintaining a risk register, developing a control portfolio, mitigating audit findings, enhancing vendor risk management, and improving GRC tooling. You will also support SOC 2 and FedRAMP accreditations and stay updated on risk management practices.

Requirements

  • A diligent, analytical program manager with 8+ years of experience in Security/GRC, managing technical risk across multiple audit areas in a cloud/SaaS environment
  • Experienced in implementing and maintaining comprehensive risk registers and control portfolios
  • Skilled at assessing and mitigating findings across diverse audits with sound judgment
  • Knowledgeable about FedRAMP, NIST 800-53, NIST 800-37, SOX, and other relevant industry standards
  • An effective communicator, able to convey messages clearly to diverse audiences including compliance professionals, engineers, and developers
  • Detail-oriented with a focus on documenting methods, workflows, and processes to drive efficiency
  • Someone who understands GRC's role within broader security and risk management contexts
  • Familiar with project management and GRC software tools

Responsibilities

  • Design and maintain a comprehensive risk register spanning company operations
  • Develop and oversee a control portfolio in partnership with Security, IT, and Finance teams to contextualize and support risk treatment
  • Identify, track, prioritize, and work with owning teams to mitigate audit findings across multiple disciplines
  • Enhance vendor risk management and prevent shadow IT
  • Collaborate across teams to address documentation gaps, report findings, and escalate issues appropriately
  • Enhance GRC tooling capabilities through improvements to existing systems and evaluation of new solutions
  • Participate in daily GRC triage and support activities
  • Provide support to maintain our SOC 2 and FedRAMP accreditations, in addition to SOX ITGC and customer-driven reviews
  • Stay current with US and international risk management practices to scale CircleCI's GRC efforts

Preferred Qualifications

Industry certifications (CRISC, CISM, PMP, CISSP, or similar) are beneficial
