GRC ENGINEER

• Posted 5 hours ago • Updated 5 hours ago
Full Time

Job Details

Skills

  • Security Engineering
  • IT Audit
  • FOCUS
  • Data Modeling
  • Facilitation
  • Risk Management
  • KPI
  • SLA
  • Taxonomy
  • Meta-data Management
  • Business Process
  • Due Diligence
  • UPS
  • Reporting
  • Data Quality
  • API
  • FFIEC
  • Gramm-Leach-Bliley Act
  • Sarbanes-Oxley
  • RACI
  • Test Scripts
  • User Guides
  • Testing
  • Configuration Management Database
  • Management
  • Mapping
  • ROOT
  • Training
  • Standard Operating Procedure
  • EMC RSA Archer
  • ServiceNow
  • SAP GRC
  • NIST 800-53
  • Workflow
  • Dashboard
  • Data Skills
  • Microsoft Power BI
  • SQL
  • Python
  • Analytics

Summary

ROLE: GRC ENGINEER & RISK ANALYTICS PROFESSIONAL
LOCATION: Hybrid, Plano, Texas, United States
DURATION: Long term contract.

Description:
We are seeking a hands-on GRC Engineer & Risk Analytics professional who will implement and scale a NIST-aligned control and risk framework in OneTrust while also conducting targeted risk and control assessments to validate design and operating effectiveness. Reporting to the TFSB CISO, you will connect process, data, and automation so department leaders can see, and reduce, risk in near-real time through role-based dashboards and scorecards. You'll partner with Security Engineering, IT, Audit, and business control owners to streamline assessments, evidence collection, POA&M tracking, and reporting.
Focus split: approximately 70% OneTrust configuration, integrations, data modeling, and dashboards; approximately 30% targeted assessments and facilitation.
Module ownership on Day 1: OneTrust Integrated Risk Management (IRM) and Third-Party Risk Management (TPRM).

What you'll be doing:
  • Model the control framework in OneTrust: map NIST CSF and NIST 800-53 control families, control objectives, test procedures, evidence types, and ownership.
  • Configure assessment templates (application/infrastructure, inherent/residual risk, third-party due diligence, control attestations) with automated workflows, notifications, and approvals.
  • Stand up a POA&M lifecycle (defect creation, risk acceptance, due dates, escalations, verifications) and connect it to tickets for remediation traceability.
  • Build role-based dashboards and departmental scorecards that surface KRIs/KPIs (e.g., control coverage, overdue actions, risk heatmaps, SLA adherence).
  • Establish data taxonomy and metadata (assets, business processes, data classifications) aligned to controls and obligations to support consistent analytics.
  • Own the end-to-end third-party risk workflow in OneTrust: inherent risk profiling, tiering, questionnaire selection, and residual risk calculation.
  • Design and maintain due-diligence questionnaires and control attestations; streamline evidence collection and follow-ups via automated reminders and SLAs.
  • Track remediation and POA&Ms for vendors; manage risk acceptances, exceptions, and expirations with clear ownership and timelines.
  • Publish vendor scorecards and portfolio-level insights for department leaders; highlight concentration risk, critical suppliers, and overdue actions.
  • Integrate TPRM data with IRM objects (assets, processes, controls) to show end-to-end exposure and dependencies.
  • Integrate OneTrust with the CMDB and risk reporting platforms to auto-enrich risks, controls, and assets.
  • Define data quality rules and reconciliation checks; implement connectors or API jobs to keep dashboards near-real-time and reduce manual evidence collection.
  • Partner with Analytics to publish curated Power BI datasets for executives and technical teams.
  • Conduct spot assessments and control testing to validate design and operating effectiveness and calibrate automation.
  • Translate FFIEC/GLBA/SOX and policy requirements into measurable controls and department-owned obligations; document rationales and residual risk.
  • Facilitate remediation planning with control owners; track POA&Ms and risk acceptances to closure with clear RACI and deadlines.
  • Create playbooks, test scripts, and user guides; run enablement sessions for control owners and assessors to drive adoption.

What you'll deliver in the first 6-12 months:
  • A fully modeled NIST-aligned control catalog in OneTrust IRM and TPRM, complete with owners, testing procedures, evidence, and mapped obligations.
  • 3-5 data integrations operational (for instance, CMDB, Archer, Posture Management) enabling automated evidence and asset-to-control mapping.
  • Departmental scorecards along with an executive dashboard (showing trendlines, heatmaps, top risks, overdue actions, and risk reduction by department).
  • Enhanced assessment throughput with a reduced cycle time (targeting a 30-40% improvement from baseline).
  • Improved on-time completion of POA&Ms (targeting an increase of 20-30%) with a decrease in repeat findings through structured root-cause identification.
  • Published and operational governance framework artifacts (including a governance calendar, defined roles, training materials, and standard operating procedures).

Requirements:
  • 5+ years hands-on experience implementing/administering GRC platforms (OneTrust preferred; Archer/ServiceNow GRC acceptable with commitment to OneTrust ramp-up).
  • Working knowledge of NIST CSF and NIST 800-53 and how to translate obligations into measurable controls and tests.
  • Experience configuring questionnaires, workflows, object models, and APIs, and building role-based dashboards.
  • Data skills in Power BI, SQL, or Python for data prep/transformations that feed analytics.
  • Ability to tell the risk story: translate technical signal into business-relevant insights for department leaders.
  • Bachelor's degree or equivalent practical experience.
--
Thanks & Regards,
Pallavi Reddy | Technical Recruiter
Thoughtwave Software and Solutions
Desk: , EXTN: 167
Email:
Employers have access to artificial intelligence language tools (“AI”) that help generate and enhance job descriptions and AI may have been used to create this description. The position description has been reviewed for accuracy and Dice believes it to correctly reflect the job opportunity.
  • Dice Id: 10334366
  • Position Id: twss20260303R12