
IT Risk & Compliance Analyst

Hays
Full Time | mid | Hybrid
CA | Posted April 16, 2026

Job Description

Type of position: Permanent role

Location: Toronto GTA, ON

Working Organization: 3 DAYS ONSITE, 2 DAYS REMOTE

---

Your new role

As an IT Risk and Compliance Analyst 3, you will play a senior role in executing and enhancing the organization’s IT Risk and Compliance program. Working closely with the Director, you will help design, implement, and monitor risk and control initiatives aligned with regulatory requirements, internal policies, and client expectations.

You will act as a key subject‑matter expert, collaborating with cross‑functional partners to assess technology risk, support audits, and ensure consistent, high‑quality compliance practices across infrastructure, applications, cloud platforms, and related processes.

Key responsibilities include:

  • Leading the execution and ongoing effectiveness of the IT Risk and Compliance program, ensuring technology risks are identified, assessed, monitored, and reported.
  • Maintaining the IT risk register, capturing assessment results, emerging risks, and control trends.
  • Preparing IT risk reporting, including KRIs, KPIs, dashboards, and analysis to support management oversight, audits, and client discussions.
  • Performing control testing, identifying gaps and deficiencies, validating remediation actions, and tracking issues to closure.
  • Acting as the primary point of contact for IT risk and compliance matters during internal audits, external audits, client assessments, and third‑party reviews (e.g., PCI DSS, CSA CCM, ISO 27001).
  • Reviewing, validating, and maintaining audit and assessment evidence to ensure accuracy, completeness, and traceability.
  • Executing ongoing IT risk and compliance activities such as access and privilege reviews, firewall rule reviews, SOC report reviews, social engineering simulations, and exception tracking.
  • Reviewing penetration testing and vulnerability assessment results, validating remediation actions, and monitoring findings through resolution.
  • Supporting the issue management lifecycle, including documentation of findings, corrective action validation, and risk acceptance where applicable.
  • Collaborating with Legal, Privacy, Vendor Management, Enterprise Risk, Corporate Security, and Sales to support contract reviews, vendor assessments, and client due‑diligence activities.
  • Reviewing IT policies, architecture artefacts, and solution designs to assess alignment with security and control requirements.
  • Providing technical guidance to support consistent assessment practices, strong professional judgment, and high‑quality deliverables across the team.

What you'll need to succeed

  • Post‑secondary diploma or university degree in a related discipline, or an equivalent combination of education, training, and experience.
  • Relevant professional certifications such as CISA, CISSP, CISM, CRISC, CGEIT, CCSK, CCSP, or equivalent are preferred.

Experience

  • Minimum five (5) years of hands‑on experience executing IT risk assessments, technical control testing, or audit support activities within IT Risk Management, Information Security, IT Audit, or IT Risk and Compliance functions.
  • Experience working in banking, financial services, or other highly regulated enterprise environments.
  • Demonstrated experience assessing technical evidence, evaluating control effectiveness, and supporting internal and external audits.

Skills & Knowledge

  • Strong understanding of the technology threat landscape and applicable regulatory and security expectations.
  • Solid working knowledge of industry‑recognized frameworks and standards, including:
      • PCI DSS
      • NIST SP 800‑53
      • ISO/IEC 27002
      • COBIT
      • AICPA Trust Services Criteria (SOC 2)
      • CSA Cloud Controls Matrix (CCM)
      • Government of Canada Protected B requirements
  • Experience using GRC tools to support IT risk assessments, control testing, issue management, and reporting.
  • Awareness of emerging trends in IT risk management, cloud security, compliance, and third‑party risk.
  • Strong analytical, documentation, and stakeholder engagement skills.
