Risk Manager

Risk Manager

REMOTE

Job Summary

We are seeking an experienced Risk Manager to lead the assessment and management of application security risk across the enterprise. This role is responsible for evaluating the holistic security posture of applications, synthesizing results from architecture reviews, control and risk assessments, and security testing activities, and making the final Application Risk Review (ARR) disposition. The Risk Manager serves as the authoritative decision-maker ensuring security risks are properly identified, assessed, documented, and treated in alignment with organizational risk appetite.

Key Responsibilities

• Assess the end-to-end security posture of applications, incorporating findings from:
  • Security architecture reviews
  • CRS (Control & Risk Self-Assessment or equivalent risk frameworks)
  • SRT (Security Risk Testing / Security Review Testing) outcomes
• Analyze and correlate technical, architectural, and procedural risks to determine overall application risk
• Own and deliver the final ARR (Application Risk Review) disposition, including risk acceptance, mitigation, or rejection decisions
• Evaluate risk severity, likelihood, and business impact to ensure alignment with enterprise risk tolerance
• Partner with application owners, security architects, engineering, and compliance teams to clarify findings and remediation plans
• Ensure identified risks are clearly documented, tracked, and governed through remediation or formal risk acceptance
• Provide risk-based guidance and recommendations to application and business stakeholders
• Review compensating controls and validate risk mitigation effectiveness
• Escalate high or critical risks to senior leadership and risk committees as required
• Ensure alignment with security policies, standards, and regulatory requirements
• Support internal and external audits by providing risk assessment artifacts and evidence
• Continuously improve risk assessment methodologies and ARR processes

Required Qualifications

• Bachelor's degree in Information Security, Computer Science, Risk Management, or a related field (or equivalent experience)
• 7+ years of experience in information security, application security, or technology risk management
• Proven experience performing holistic application security risk assessments
• Strong understanding of:
  • Secure application architecture and design principles
  • Control and risk assessment methodologies (CRS or equivalent)
  • Security testing practices (SAST, DAST, SCA, penetration testing)
• Experience owning or contributing to ARR or formal risk disposition processes
• Ability to assess both technical and business risk impacts