Senior GRC Analyst

Clayco

$90K — $120K *
Information Technology
5 - 7 years of experience
Job Overview by Ladders

Qualifications

  • 5-8 years of experience in Risk & Compliance Assessment or similar roles, particularly in Information Security
  • 3-4 years in Risk Analysis and Human Risk Management within Information Security
  • Bachelor's degree in IT or related field, or equivalent experience
  • Certifications required: CRISC, SSAP, CTPRP (current, or obtained within 9 months of assuming the role)
  • Strong knowledge of risk frameworks such as NIST, ISO27001, and others
  • Technical understanding of modern systems and cloud applications for risk assessment
  • Proficiency in analytics and reporting tools, especially Microsoft Excel.

Responsibilities

  • Own the Third-Party Vendor Risk Management program to assess and mitigate external risks
  • Conduct due diligence on vendors, reviewing security certifications and reports
  • Document and communicate risk findings and treatment recommendations to stakeholders
  • Track execution of remediation plans and escalate inadequate progress
  • Lead the Security Awareness program, creating engaging content for employee education
  • Implement simulated social engineering exercises to enhance security awareness
  • Collaborate with teams to integrate security messaging into corporate culture.

Benefits

  • Discretionary Annual Bonus based on company and individual performance
  • Comprehensive benefits package: medical, dental, vision, 401k, and generous PTO
  • Employee Assistance Program and flexible spending accounts
  • Learning and development programs to enhance career growth
  • Life insurance and disability coverage included
Full Job Description
Under the direction of and in collaboration with the GRC Manager, the Sr. GRC Analyst, Third-Party & Human Risk Management (TPHRM) is a risk-focused, highly analytical role that ensures all human and third-party risk to Clayco is identified, quantified, documented, and treated to an acceptable level across the Clayco organization. This role will assume ownership of the Third-Party Risk Management (TPRM) process: gathering details on the security practices and compliance levels of each third party being considered or contracted for a solution or service, and assessing the potential for compromise due to a control gap or exploitable misconfiguration as well as non-compliance with legal and regulatory requirements. Additional contribution will be expected for internal assessments and third-party audits to gather and submit discovery and transactional responses and artifacts.

The Sr. GRC Analyst will also assume ownership of Human Risk Management (HRM), including the delivery of comprehensive security awareness education, the end-to-end execution of phishing simulation programs, and the technical maintenance and life-cycle management of security awareness platforms. Beyond simple training, the position focuses on using data-driven insights to identify high-risk user groups and implementing targeted interventions to proactively mitigate human-centric threats, cultivating a security-first culture internally through education and behavioral change. Additional responsibilities will be assigned as deemed necessary. Any travel is usually planned in advance, but issues may arise which warrant immediate travel to one or more satellite locations.
The Specifics of the Role

  • Assumes operational ownership of the 3rd Party Vendor Risk Management program, identifying, assessing, and mitigating risks associated with external vendors, suppliers, and service providers
  • Conducts due diligence on new and existing vendors by reviewing security questionnaires, SOC reports, compliance certifications, and other supporting attestations
  • Captures, analyzes, and recommends treatment, assignment, and tracking of identified issues
  • Collaborates with legal and stakeholder teams to ensure contracts include specific clauses for data protection, service-level agreements (SLAs), and AI governance
  • Documents and communicates all relevant findings and recommendations to stakeholders
  • Tracks, monitors, and reports on execution of remediation action plans and escalates inadequate responses or progress
  • Assumes ownership of the Security Awareness program, determining appropriate topics, themes, scopes, and timing of cyber awareness communications, events, and content delivery
  • Conducts regular, simulated social engineering exercises to assess and improve employee recognition of real-world attacks
  • Develops engaging, simple materials, such as infographics, newsletters, and videos, that translate complex technical risks into layman's terms
  • Maintains Security Awareness training and simulation platforms to support content delivery and end-user interaction, including support for any client-side functionality (e.g., a Report Phish button)
  • Plans, coordinates, and executes activities for Cybersecurity month
  • Partners with Employee Relations, Legal, and Marketing to ensure security messaging is integrated into the broader corporate culture
  • Tracks Key Risk Indicators (KRIs) such as actual phishing click-through rates, failed simulations, and missed training, as well as Key Performance Indicators (KPIs) like suspicious email reporting, passed simulations, and successful training completion status, to measure program effectiveness for leadership

Requirements

  • 6-8+ years of experience in Risk & Compliance Assessment, Audit & Reporting, or similar functions, preferably within the Information Security or Technology fields
  • 3-4+ years working specifically in Information Security roles involving Risk Analysis, Information System Security Assessment, and/or Security Awareness and Human Risk Management
  • Bachelor's degree in Information Technology or related field, or equivalent experience
  • Required certifications: Certified in Risk and Information Systems Control (CRISC), SANS Security Awareness Professional (SSAP), and Certified Third-Party Risk Professional (CTPRP) (current, or obtained within 9 months of assuming the role)
  • Strong experience leveraging auditing principles and methods to evaluate policies, processes, systems, and vendors to identify business risks and control gaps
  • Strong knowledge of regulations, frameworks, and standards such as NIST 800-171/CSF/RMF, ISO 27001, CIS Critical Security Controls, etc.
  • Strong technical knowledge of modern systems, services, cloud applications/platforms, identity services, and data storage/handling, and their areas of risk and threat exposure
  • Experience administering, maintaining, and leveraging a risk register to track and communicate identified risk and its required remediation
  • Knowledge of statistics, reporting, and analytical tools to analyze and solve complex problems
  • Proficiency in necessary productivity tools (e.g., Microsoft Excel, PowerPoint, Word) for analytics and presentations
  • Operates with strong integrity, with the ability to manage projects of a confidential nature
  • Ability to translate technical or abstract concepts into a narrative that is easily understood
  • Ability to thrive in a fast-paced environment

Some Things You Should Know

  • No other builder can offer the collaborative design-build approach that Clayco does.
  • We work on creative, complex, award-winning, high-profile jobs.
  • The pace is fast!
  • This position is classified as a safety-sensitive role in accordance with applicable state and federal laws. Candidates selected for this position will be subject to a comprehensive background check, which includes mandatory drug testing.

Benefits

  • Discretionary Annual Bonus: subject to company and individual performance.
  • Comprehensive benefits package including: medical, dental and vision plans, 401k, generous PTO and paid company holidays, employee assistance program, flexible spending accounts, life insurance, disability coverage, learning & development programs, and more!

Compensation

  • The salary range for this position considers a wide range of factors in making compensation decisions, including but not limited to: education, qualifications, skills, training, experience, certifications, internal equity, and location. Compensation decisions are dependent on the facts and circumstances of each case.
