Job Abstract

JOB SUMMARY

This job prepares and performs governance, risk, and compliance (GRC) risk monitoring and executes risk treatment processes and activities.  This includes monitoring, tracking, and reporting on risk across second line of defense functions (i.e., privacy, compliance, information security, quality, legal) and supporting a broad range of frameworks including NIST, HITRUST, PCI, HIPAA, SOC, MAR, CMS, JCAHO, NCQA, the BCBSA, etc.  The incumbent is responsible for preparing information and execution of continuous monitoring of enterprise policies, standards, procedures/controls, business continuity/disaster recovery plans, etc. aimed to detect, prevent, and respond to risks across the enterprise risk taxonomy.  Prepares and maintains suite of multi-disciplinary risk monitoring reports. Applies risk decisioning criteria and exception handling criteria, and ensures risk treatment solutions are delivered according to contractual and other service-level obligations.  Consults, prepares and executes monitoring activities related to corrective action measures based on internal or external audits/examinations.  Proactively seeks input on quality and effectiveness of own work.  Adheres to standard practices and procedures, and to assists with determining the realization of measurable risk treatment outcomes. May take on special assignments.  Demonstrates a proactive mindset and approach and feels comfortable working in a highly matrixed environment.

ESSENTIAL RESPONSIBILITIES

• Prepares information and reports which support the execution of a monitoring function intended to prevent, detect, and respond to risks, in partnership with business units and Senior Risk Partners (SRPs).  Works with business units and other ERG constituents to prioritize monitoring activities and reporting needs. 
• Prepares and executes reporting and monitoring activities pertaining to known issues as well as threat and vulnerability scan reporting on applications, networks, operating systems, etc. to identify risk. 
• Monitors current compliance environment including corporate policies and procedures and other rules and regulations through trend and other data analysis.  Prepares ad-hoc and other reports pulling data from various sources and/or run system reports.  Conducts simple and assists with complex analysis on reports and data sets to ensure systems and/or results meet expected thresholds/tolerances.
• Monitors Corrective Action / Remediation Plans, as necessary;  reviews and analyzes results against expectations/benchmarks; prepares and assists with communications of outcomes to management including Senior Risk Partners (SRPs). Applies relevant reporting and data analysis techniques to all work products.  
• Executes against and assists with providing ongoing feedback on risk treatment methodology in partnership with Risk Strategy (avoid, accept, transfer, mitigate).  Collaborates with other areas of Risk Operations to prioritize, to escalate, and to improve risk intelligence and risk assessment activities. 
• Prepares and reviews research; implements novel approaches to training and education on GRC process automation, reporting, and monitoring.  Contributes to knowledge management repositories and other communities of practice.
• Other duties as assigned or requested.

EDUCATION

Required

• Bachelor's Degree in Accounting, Business, Computer Science, Data Science, Finance, HIM, IT or related field

Substitutions

• 6 years of related and progressive experience in lieu of Bachelor's degree

Preferred

• None

EXPERIENCE

Required

• 3 years with governance, risk, and compliance technology or related reporting and monitoring experience, preferably with the Archer GRC suite and/or in a healthcare or healthcare related industry, with increasing responsibility
• 1 year of interacting with regulators, auditors, and oversight bodies

Preferred

• 1 year of report design, multi-disciplined data aggregation and analysis
• 1 year of continuous controls and process monitoring

LICENSES or CERTIFICATIONS

Required

• None

Preferred (any of the following)

• Certified Public Accountant (CPA)
• Certified Information Systems Auditor (CISA)
• Juris Doctorate (JD)
• Certified Information Privacy Professional (CIPP)

SKILLS

• Strong knowledge of business and technology processes, risk and control frameworks, and assessment methodologies, particularly as applied to healthcare (payer and provider) business processes
• Strong knowledge of how to leverage reporting and monitoring tools, technologies, and techniques to drive efficient and effective GRC processes across payor/provider industries
• Demonstrated resource and project planning capabilities, decision making skills, history of results-oriented delivery, and effective team work across a global and diverse team of staff
• Strong written and verbal communication skills for diverse audiences (senior management, board, peer, and team)
• Demonstrated relationship building skills and ability to influence with and without authority in a matrixed organization

Language (Other than English):

None

Travel Requirement:

0% - 25%

PHYSICAL, MENTAL DEMANDS and WORKING CONDITIONS

Position Type

Office-based

Teaches / trains others regularly

Occasionally

Travel regularly from the office to various work sites or from site-to-site

Rarely

Works primarily out-of-the office selling products/services (sales employees)

Never

Physical work site required

Yes

Lifting: up to 10 pounds

Constantly

Lifting: 10 to 25 pounds

Occasionally

Lifting: 25 to 50 pounds

Rarely

Disclaimer: The job description has been designed to indicate the general nature and essential duties and responsibilities of work performed by employees within this job title. It may not contain a comprehensive inventory of all duties, responsibilities, and qualifications required of employees to do this job.

Compliance Requirement: This job adheres to the ethical and legal standards and behavioral expectations as set forth in the code of business conduct and company policies.

As a component of job responsibilities, employees may have access to covered information, cardholder data, or other confidential customer information that must be protected at all times.  In connection with this, all employees must comply with both the Health Insurance Portability Accountability Act of 1996 (HIPAA) as described in the Notice of Privacy Practices and Privacy Policies and Procedures as well as all data security guidelines established within the Company’s Handbook of Privacy Policies and Practices and Information Security Policy. 

Furthermore, it is every employee’s responsibility to comply with the company’s Code of Business Conduct. This includes but is not limited to adherence to applicable federal and state laws, rules, and regulations as well as company policies and training requirements.

Highmark Health and its affiliates prohibit discrimination against qualified individuals based on their status as protected veterans or individuals with disabilities, and prohibit discrimination against all individuals based on their race, color, age, religion, sex, national origin, sexual orientation/gender identity or any other category protected by applicable federal, state or local law. Highmark Health and its affiliates take affirmative action to employ and advance in employment individuals without regard to race, color, age, religion, sex, national origin, sexual orientation/gender identity, protected veteran status or disability. 

EEO is The Law

Equal Opportunity Employer Minorities/Women/Protected Veterans/Disabled/Sexual Orientation/Gender Identity (https://www.eeoc.gov/sites/default/files/migrated_files/employers/poster_screen_reader_optimized.pdf)

We endeavor to make this site accessible to any and all users. If you would like to contact us regarding the accessibility of our website or need assistance completing the application process, please contact number below.

For accommodation requests, please contact HR Services Online at HRServices@highmarkhealth.org

California Consumer Privacy Act Employees, Contractors, and Applicants Notice