What are the responsibilities and job description for the GRC Analyst position at Diamondback?
Job Title: GRC Analyst
Department: Legal
Summary: The GRC Analyst will coordinate and collaborate with cross-functional teams of corporate, operations, and technology professionals to enhance our expanding overall governance, risk and compliance program. This includes implementing tools and practices to enhance our standards, policies, procedures, and processes related to risk management, business continuity planning, controls assurance, and external auditor engagement.
The GRC Analyst will lead and maintain GRC activities, such as: identifying, investigating, and resolving risks; developing processes, procedures, and controls; designing GRC testing to ensure it adequately supports the identification and management of risks; and creating, facilitating, and managing associated documentation. The GRC Analyst will: coordinate and participate in interviewing process owners across levels and functions; map business process and system interactions and interfaces; and evaluate and document business requirements with respect to system role designs while considering identity and access risks.
The GRC Analyst will work closely with IT, Accounting, Land, and other departments to analyze and balance the needs of the business with compliance and security objectives using a risk management-based approach. This position is expected to identify and assess risks associated with access to SAP and supporting systems within the holistic business process and IT control infrastructure, and to work with the relevant business process owners to mitigate or remediate those risks in accordance with the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013 Internal Control - Integrated Framework, the COSO Enterprise Risk Management (ERM) Framework, and the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF).
Job Duties and Responsibilities:
Include but are not limited to:
- Partner with key stakeholders to develop, document, and implement standards, processes, programs, and best practices related to enterprise-wide risk management.
- Partner with stakeholders across the company to drive the definition, implementation, and enforcement of appropriate operational, technical, data privacy, and segregation of duties (SOD) controls.
- Establish and implement standard repeatable practices for a balanced security and compliance control framework which supports business requirements.
- Facilitate the development of critical processes which ensure effective business continuity to overcome physical, operational, or technology disruptions.
- Assist in the implementation, administration, and maintenance of all aspects of the Company’s ERM plan and program.
- Maintain and manage the Company’s ERM software.
- Monitor the effectiveness of risk mitigation and management activities and recommend risk management remediation responses.
- Design, develop, and analyze SAP security roles and authorizations with an emphasis on controlling risks within the holistic control environment.
- Evaluate the design and effectiveness of SAP controls throughout business processes.
- Work with business process and IT owners to identify SAP, SOD, GRC and security improvement opportunities.
- Provide technical expertise and guidance to business and IT personnel on the overall appropriateness of SAP security controls.
- Review SAP security notes to evaluate relevancy and risk to SAP GRC rule sets and access.
- Work with business and IT personnel to analyze and resolve access risks and issues.
- Work with External Audit to ensure SOX and integrated Audit requirements are met without gaps.
- Develop training materials, system configuration mapping, business process documentation, and facilitate training courses.
- Assist in educating and training personnel in Diamondback’s compliance requirements, risk management practices, and procedures.
Knowledge, Skills, and Abilities:
- Understanding of risk management, risk assessments, gap assessments, root cause analysis and control design.
- Comprehensive understanding of identity and access management and technology risk management techniques.
- Understanding of business processes and segregation of duties (SOD) frameworks.
- Comprehensive knowledge of authentication, authorization, and access control methods.
- Ability to create, read and interpret basic process, dataflow, and control diagrams and narratives.
- Understanding of the basic principles and concepts of the control and security frameworks published by NIST and COSO.
- Understanding of SOX, Internal Audit, and External Audit requirements and how they apply to SAP and integrated business processes.
- Proven analytical, problem solving, and consulting skills.
- Excellent communication skills and proven ability to work effectively with all levels of business management and IT personnel.
- Demonstrated leadership ability.
- Self-driven and proactive.
- Basic computer skills using MS Office.
- Ability to take on additional responsibility.
Required Qualifications:
- Bachelor's degree in MIS, Accounting, Business Administration, Applied Mathematics, or other related discipline.
- 3 years of experience in upstream or midstream oil and gas, electric utility, or other energy sector.
- 8 years of SAP ECC, S/4HANA, or SAP GRC (EAM & ARA) experience.
- Experience identifying, documenting, and managing SAP access risks.
- Knowledge of SAP security concepts.
- Extensive experience in job-role mapping.
- Experience in risk assessment and control identification.
- Conceptual understanding of control design and risk mitigation.
- Cross-functional project/team facilitation.
- Excellent written, interpersonal and communication skills.
- Extensive knowledge of access management tools, processes, and best practices.
- Ability to effectively work with and coordinate the activities of outside consultants and auditors.
Preferred Qualifications:
- 5 years of experience working with upstream oil and gas.
- 3 years of project management.
- Relevant security certification (CISSP, CISM, CISA, CIA, or CRMA).
- SAP certifications or training specific to SAP GRC, EAM, ARA, etc.