Job Overview: The GRC Analyst II is responsible for working across the organization with all levels of individuals as well as with external auditors to implement and execute on a comprehensive Security Governance and Compliance program. This role is responsible for coordinating and reporting on IT portions of internal and external audits, review findings and work with the impacted areas to develop, track, and complete remediation plans. The GRC analyst will work with the GRC leaders to execute and maintain a robust IT compliance program that proactively manages audits and assessments and risks to the enterprise. These roles will also contribute to the Identity and Access Governance program, security policy and standard development, and cyber security awareness program.

Job Responsibilities: Core Responsibilities

• Conducts regular access reviews on critical systems to ensure access is appropriate.
• Ensures overall compliance with regulatory requirements, including but not limited to PCI, SOX, HIPAA, etc.
• Conducts assessments to identify gaps and make sound recommendations for improvement. Identify acceptable levels of residual risk, and assist with action plans, policy, and procedural changes for risk mitigation.
• Conduct and monitor the enterprise security awareness program; ensure compliance across the organization.
• Determine threats, identify risks and vulnerabilities to the organization, maintains and updates control framework.
• Maintains the GRC team’s security awareness program to help create security awareness trainings, and track results through metrics.
• Assists with the build out of an enterprise GRC technology platform, development, and documentation of application functionality.
• Assist with the development of the Identity and Access Governance function and drive the execution and implementation of the program.
• Prepares documentation and reports requiring minimal revision by management.
• Meets with various management groups to facilitate efficient and effective compliance projects and services.
• With minimal supervision, holds discussions with management regarding control weaknesses and prepare reports to management communicating results including recommendations to improve technology and business practices.
• Identifies opportunities and provides solutions for improvement, such as automation, to compliance processes.
• Monitors progress and status of multiple concurrent assigned compliance projects to ensure completion within budgeted timeframes, reporting any timing issues to management in a timely manner.
• Collaborates with internal and external auditors.
• Performs other duties as assigned.

Job Requirements: Education/ Certifications:

• Bachelor’s degree in computer information systems, Information Technology, Accounting, and Finance or related field is preferred. Experience:
• 3-5 years of experience in security governance, risk, and compliance, or related field preferred.

Knowledge/Skills/ Abilities

• Must possess a strong working knowledge in the following areas: operating systems, applications, operations (batch processing, monitoring) networking and telecommunications, databases, and logical security.
• In-Depth knowledge of internal control concepts, principles, risk analysis, Sarbanes-Oxley Compliance, PCI Compliance, HIPAA, Privacy, process improvement and techniques, including COSO and COBIT frameworks
• Requires excellent analytical and communications skills to learn customer business objectives, evaluate risks and plan, supervise and control compliance and other activities.
• Proficient in MS Office tools (Excel, Word, etc.)
• Must have excellent verbal, written and presentation skills, a high degree of personal integrity and ability to work under limited supervision. Supervisory skills, ability to work well with others in a team environment and ability to produce results through others is required.
• Must be capable of working under minimum supervision, planning, and conducting compliance assignments and directing the activities of staff as required.

Work Environment: Remote Role:

• This position is classified as remote where the associate will perform remote work from their primary residence. Remote associates are welcome to work from the office but are not required to do so. While remote associates are not required to work from an office on a regular basis, they may be required to come to the office or other UNFI locations for necessary business reasons or if directed to do so by their manager.

Travel (minor):

• This position may require the associate to travel to company offices, distribution centers, or other locations for specific meetings or other business reasons.

Physical Environment/Demands: Office Roles:

• Most work is performed in a temperature-controlled office environment.
• Incumbent may sit for long periods of time at a desk or computer terminal.
• While performing the duties of this job, the employee is regularly required to sit; use hands to finger, handle, or feel; reach with hands and arms; and talk or hear.
• Incumbent may use calculators, keyboards, telephones, and other office equipment in the course of a normal workday.
• Stooping, bending, twisting, and reaching may be required in the completion of job duties.

The above statements are intended to describe the general nature of the work performed by the employees assigned to this job. All employees must comply with Company policy and applicable laws. The responsibilities, duties and skills required of personnel so classified may vary within each department and/or location.