Senior Enterprise Risk Manager

True Anomaly
Long Beach, US
On-site

Job Description

Your Mission

We are seeking a Senior Enterprise Risk Manager to build, lead, and mature two distinct but interconnected lines of effort: Enterprise Risk Management (ERM) and Third-Party Vendor Risk Management (TPVRM). This is a foundational leadership role for a seasoned risk professional who thrives in fast-moving, mission-critical environments and understands the unique demands of operating at the intersection of defense, aerospace, and commercial SaaS.

The ideal candidate brings deep experience navigating regulated government environments (including NIST RMF, DoD IL5/IL6, and CMMC) and is fluent in industry-standard risk quantification and assessment methodologies such as FAIR (Factor Analysis of Information Risk) and OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation). They pair that expertise with a startup mindset that enables them to build programs from the ground up, not just maintain inherited ones. You will work cross-functionally with engineering, security, legal, compliance, product, and executive leadership to identify, assess, communicate, and mitigate risk across the enterprise and its extended supply chain.

Responsibilities:

Enterprise Risk Management

  • Design, implement, and continuously mature a scalable enterprise risk management program aligned to NIST RMF, ISO 31000, and applicable DoD frameworks.
  • Apply FAIR methodology to quantify cyber and operational risk in financial terms, enabling data-driven prioritization and executive-level risk decision-making.
  • Leverage OCTAVE or similar threat-centric methodologies to lead structured risk assessments that identify critical assets, threat profiles, and organizational vulnerabilities.
  • Establish and maintain an enterprise risk register, risk appetite statements, and risk tolerance thresholds in collaboration with executive leadership and the Board (as applicable).
  • Lead recurring risk identification, assessment, and prioritization processes across business units, ensuring alignment between operational risk posture and strategic objectives.
  • Develop and maintain executive-ready risk dashboards, KPI/KRI reporting, and program metrics using tools such as Jira, Confluence, GRC platforms, and MS Project.
  • Conduct and coordinate internal audits and risk assessments to ensure adherence to DoD compliance standards, including NIST SP 800-53 Rev. 5, NIST SP 800-171, RMF authorizations at DoD Cloud Computing SRG Impact Levels 5 and 6 (IL5 and IL6), and CMMC Level 3.
  • Support audit readiness activities including pre-assessment preparation, evidence collection, POA&M management, and post-audit remediation planning.
  • Develop, implement, and mature information security and enterprise risk policies, standards, and guidelines based on industry best practices.
  • Serve as a primary point of contact for internal stakeholders, executive leadership, and external assessors, certification bodies, and government partners.

Third-Party Vendor Risk Management

  • Build and lead a formalized Third-Party Vendor Risk Management program, establishing vendor classification tiers, risk assessment methodologies, and ongoing monitoring cadences.
  • Define and operationalize vendor onboarding risk assessments, including security questionnaires, compliance validations, and contractual risk controls (e.g., SLAs, right-to-audit clauses, data handling requirements).
  • Maintain a vendor risk inventory and lifecycle management process covering initial due diligence through offboarding, ensuring continuous visibility into third-party risk exposure.
  • Collaborate with legal, procurement, and supply chain teams to embed risk criteria into vendor selection, contract negotiation, and renewal processes.
  • Monitor third-party vendors for changes in risk posture, including cybersecurity incidents, financial instability, regulatory actions, and ITAR/export control concerns.
  • Develop vendor risk reporting and executive-level dashboards to provide ongoing transparency into third-party exposure across critical suppliers and technology partners.
  • Ensure TPVRM program alignment with applicable regulatory requirements including CMMC supply chain requirements, DFARS clauses, and DoD IL environment authorization boundaries.

Cross-Functional Leadership

  • Build, mentor, and provide technical guidance to junior risk team members and project contributors across both lines of effort.
  • Drive alignment across engineering, security operations, product compliance, IT operations, legal, and business operations teams on risk priorities and remediation timelines.
  • Track program milestones, identify dependencies and blockers, and drive timely course corrections with a bias toward action.
  • Continuously improve program workflows, reporting processes, and team coordination for scalable, repeatable, and consistent risk program execution.
  • Proactively track emerging regulatory, threat, and supply chain risk requirements and update program posture accordingly.

Qualifications

  • 10+ years of experience in enterprise risk management, GRC, cybersecurit

Skills & Requirements

Technical Skills

Enterprise risk management, Third-party vendor risk management, FAIR methodology, OCTAVE, NIST RMF, ISO 31000, Risk quantification, Risk assessment, Risk communication, Risk mitigation, Risk dashboards, KPI/KRI reporting, Internal audits, Risk policies, Vendor risk management, Vendor onboarding, Vendor lifecycle management, Program management, Regulatory compliance, Threat assessment, Supply chain risk management, Communication, Leadership, Teamwork, Strategic thinking, Problem-solving, Defense, Aerospace, Commercial SaaS

Employment Type

FULL TIME

Level

senior

Posted

4/26/2026
