Director, Risk Management (Hybrid)

CareFirst BlueCross BlueShield
Owings Mills, MD
Full-time

PURPOSE:

The Risk Management Director oversees the operations of the IRM department, including the Governance, Risk, and Compliance (GRC) Program, Third Party Oversight and Governance, Enterprise Risk Management, and Integrated Risk and Controls.

The Risk Management Director is a catalyst for change, providing strategic direction and leadership for establishing and maturing key functions critical to the success of the overall organization, and is responsible for overseeing the performance of the enterprise risk assessment; identifying and mitigating risks; managing controls and safeguards to minimize the impact of potential and existing risks affecting the organization; providing governance over operational risk assessments; ensuring compliance with laws, regulations, and organization frameworks; providing a mechanism for capturing the dynamic nature of risks; and monitoring and effectuating remediation of issues identified.

This requires strong collaboration and partnership with leadership, as well as Legal, Audit, Finance, Procurement, and other enterprise stakeholders.

ESSENTIAL FUNCTIONS:

Collaborate with Integrated Compliance teams and Subject Matter Resources to define and establish standards and frameworks (e.g., Compliance, Risk Assessment, Risk Governance) and definitions for key data elements to meet industry standards (e.g., NIST, HITRUST) and assess risks across all relevant risk domains.


Establish standards for and provide advisory support in the completion of divisional risk assessments, as well as govern, support, and mentor associates in the completion of third party risk assessments and control self-assessments to ensure the adequacy of controls in place to safeguard the organization, including tracking, monitoring, and managing issues identified.

This will include maintaining documentation for re-performance ability, including leveraging the Governance Risk and Compliance (GRC) tool and repository (e.g., Compliance 360). Identify and maintain a repository of best practices and tools / accelerators related to risk and control assessments.

Partner with business owners across the enterprise to identify issues and concerns, provide the appropriate level of support, and proactively identify risk management, control efficiency and effectiveness, and process improvement opportunities to improve the enterprise risk culture.

Utilize expertise to identify and document, in a centralized risk register, evolving risks and threats pertaining to enterprise and operational risks, as well as related processes and controls.

Lead and inform the Enterprise Risk & Compliance Committee to permeate and catalyze the organization in risk understanding, as well as providing transparency into the risk register.


Support the development and delivery of enterprise-wide training and awareness materials that educate associates and leadership on best practices, pervasive operational risk management issues, risk management tools and processes, and lessons learned, as well as establishing and governing policies and procedures which address risk management activities.

Oversee the enterprise risk assessment process, including identifying enterprise risks, evaluating frequency, severity, and mitigation strategies and direct the development of the corporate risk map and risk register.

Define, measure and monitor risks and related risk metrics impactful to the enterprise and their associated mitigation, acceptance, transference and avoidance, as well as the impact to the enterprise risk profile.

Establish risk appetite for the company and ensure risk decisions, including alignment of strategic goals and objectives, are executed in consideration of the impact on the organization’s risk profile and appetite.

Assess and facilitate integrations between other tools / point solutions in place across the enterprise and the Corporate Compliance GRC tool in an effort to leverage efficiencies and maintain a source of truth for reporting, auditing, and risk management purposes.

Manage and oversee projects across divisions to utilize the capabilities and functionalities of the Corporate Compliance GRC tool.

Establish and effectuate the Common Compliance Framework (CCF) within the Integrated Compliance teams, including providing support, oversight, and governance to ensure compliance with the established CCF.

Oversee the management of the Corporate Compliance GRC tool administration and support for all processes / workflows / information housed within the GRC tool (e.g., Regulatory Filings, Incident Reporting, Policy Management, TPRM Program).

Support maintenance of the centralized repository for third party relationships including accountable business owners, inherent risk, and tier / operational criticality for each respective third party relationship.

Provide support, oversight, and governance to Integrated Compliance teams to ensure compliance with the Third Party Risk Management (TPRM) framework and standards to ensure that controls in place surrounding data protection, privacy, and access (among other areas) are compliant with CareFirst standards and risk appetite throughout the third party lifecycle.

Facilitate due diligence on third party controls in place both at CareFirst and at the third party, in collaboration with subject matter resources across all relevant risk domains, to determine the residual risk of third party relationships, including evaluation of First Tier, Downstream and Related Entity (FDR) assessments.

Manage departmental, team and project performance by mentoring and coaching, as well as establishing and monitoring goals, timelines / milestones, outcomes and as necessary corrective action measures.

The affected categories of persons are: direct and indirect reports, third-party vendors, and contractors. Prioritize work in alignment with compliance and risk management practices, business goals, organizational strategies and objectives.

Forge relationships with business owners across the enterprise to understand issues and concerns, provide the correct level of support, and proactively identify risk management, control efficiency and effectiveness, and process improvement opportunities.

Set high expectations of significant influence on other departments / divisions for all audit activities, risk assessments and process improvements to support control objectives with cross-functional impacts.

Drive commitment and continuous personal improvement, self-confidence, insight, judgment, integrity, ethics, responsiveness, timeliness, flexibility and adaptability.

SUPERVISORY RESPONSIBILITY:

This position manages people.

QUALIFICATIONS:

Education Level: Bachelor's Degree in Risk Management, Accounting or Finance.

Experience: 10+ years of experience in risk management, audit, compliance, security, or legal.

Preferred Qualifications:

  • Advanced degree in business or risk related field (e.g., MBA, ML, LLM or JD)
  • Possess relevant risk or business certification (e.g., CPA, CIA, CISA, CISM)

Knowledge, Skills and Abilities (KSAs)

Must be able to meet established deadlines and handle multiple customer service demands from internal and external customers, within set expectations for service excellence.

Must be able to effectively communicate and provide positive customer service to every internal and external customer, including customers who may be demanding or otherwise challenging.

Department: CEO

Equal Employment Opportunity

CareFirst BlueCross BlueShield is an Equal Opportunity (EEO) employer. It is the policy of the Company to provide equal employment opportunities to all qualified applicants without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, age, protected veteran or disabled status, or genetic information.
