Principal GRC Analyst

ParetoHealth, Philadelphia, United States (full time)

We're in this for the greater good at ParetoHealth. Our mission is collective greatness, nothing less will do. Our team is a single force united in the drive to transform employee health benefits.

The company was founded in 2011 to help small and medium-sized businesses fight the rising cost of employee health benefits. We blazed the trail with financing innovations that reduce the risks in self-insurance and deliver significant savings, and we continue to lead with a growing ecosystem of partners and world-class cost control solutions.

But success is measured by more than dollars alone and we measure ours by the good that comes from knowing that every client and all their employees can count on effective, affordable healthcare for years to come.

Position Summary

The Principal GRC Analyst will work with process owners, external auditors and other stakeholders to assess the risk environment and to design and implement a compliance framework that ensures risk is managed successfully throughout the organization. In addition to supporting the team in managing Pareto's HIPAA, HITRUST and SOC 2 compliance programs, the Principal GRC Analyst will help drive the transformation of the company's overall compliance program by owning the complete lifecycle of compliance audits against industry standards including SOC 2, HIPAA, PCI and SOX, and by applying other GRC best practices.

Key Responsibilities

  • Conduct internal risk assessments and maintain a tracked register of risks and vulnerabilities.
  • Develop and implement comprehensive internal audit programs for security and business process controls, ensuring compliance with relevant standards and frameworks such as SOC 2, HIPAA, PCI, NIST, and COBIT.
  • Evaluate the effectiveness of internal controls and risk management processes, recommending improvements where necessary.
  • Serve as the primary contact for external auditors, coordinating all aspects of the audit process, including preparation, execution, and follow-up.
  • Maintain and monitor a centralized audit evidence repository.
  • Stay current with changes to compliance standards and regulatory requirements, advising on necessary adjustments to internal policies and procedures.
  • Prepare and present reports on audit findings and compliance status to senior management and relevant stakeholders.
  • Coordinate with stakeholders in our privacy, procurement, and corporate IT departments to ensure alignment with GRC initiatives.
  • Drive the annual review of security policies, standards, and procedures to ensure they align with organizational needs.
  • Support the department in responding to business units' day-to-day operational compliance questions.
  • Proactively look for areas of improvement and provide value-added advice and insight on process and control improvements.
  • Communicate with leadership to avoid surprises, highlight issues and ensure timely delivery.

Skills and Experience
  • Bachelor's degree, or an equivalent mix of education and experience, in information/cyber security, risk management, or governance, risk, and compliance (GRC).
  • 5-7+ years of direct information security experience, with a primary focus on risk and compliance.
  • Strong knowledge of industry frameworks and related regulatory compliance requirements (HIPAA, SOC 2, NIST, HITRUST, PCI, GDPR, etc.).
  • Strong technical understanding of cloud security controls, storage, disaster recovery and identity management standards.
  • Minimum 3-6 years of experience conducting and/or responding to HIPAA and SOC 2 audits.
  • Strong eye for detail and the ability to manage third-party audits, gather evidence and coordinate the audit response.
  • CISA, CRISC, CISM or CISSP certification, or active progress toward one, strongly preferred.
  • Familiarity with GRC tools (MetricStream, OneTrust, HyperProof, etc.), methodologies and best practices.
  • Experience planning and executing multiple risk and compliance projects.
  • Strong verbal and written communication skills, with the ability to collaborate with cross-functional teams.
  • Strong analytical and problem-solving skills, capable of managing projects that drive business objectives.
  • A team player with strong collaboration skills and the ability to work with minimal supervision.


Disclosures

ParetoHealth is an Equal Opportunity Employer and does not discriminate on the basis of race, color, religion (creed), gender, gender expression, age, national origin (ancestry), disability, marital status, sexual orientation, or military status in any of its activities or operations. These activities include, but are not limited to, hiring and firing of staff, selection of volunteers and vendors, and provision of services. We are committed to providing an inclusive and welcoming environment for all members of our staff, clients, volunteers, subcontractors, and vendors.

California Applicants: See Pareto's CCPA Notice of Collection for California Employees and Applicants for information about how Pareto Captive Services, LLC, Pareto Health, LLC, and Pareto Underwriting Partners, LLC, together with their respective subsidiaries (collectively, "Pareto") collects and uses personal information submitted by employment applicants.