Senior GRC Analyst

Who We Are Flagship Pioneering is a scientific innovation engine that invents and builds companies that change the world. We bring together the greatest scientific minds with entrepreneurial company builders and assemble the capital to allow them to take courageous leaps in human health, sustainability, and beyond. What sets Flagship apart is our ability to advance biotechnology by uniting life science innovation, company creation, and capital investment under one roof in a way that is largely without precedent. Our team of scientists, entrepreneurial leaders, and professional capital managers are each aligned around an institutionalized process that enables us to innovate and create breakthroughs for the benefit of people and planet. Many of the companies Flagship has founded have addressed humanity’s most urgent challenges: vaccinating billions of people against COVID-19, curing intractable diseases, improving human health, preempting illness, and feeding the world by improving the resiliency and sustainability of agriculture. Flagship has been recognized twice on FORTUNE’s “Change the World” list, an annual ranking of companies that have made a positive social and environmental impact through activities that are part of their core business strategies, and has been named four times to Fast Company’s annual list of the World’s Most Innovative Companies. About the Role Flagship's GRC program has matured from build to operate. We have a functioning GRC system of record in Jira, active compliance tracks across HITRUST, NIST 800-171, ISO 27001, and SOC 2, and a TPRM workflow in production. What we need now is a hands-on practitioner who can execute against that infrastructure — someone who is as comfortable running a vendor risk assessment in Jira as they are prepping evidence packages for an audit. This is not a policy-writing or director-level role. It is a technical execution role for someone who gets things done. What You'll Do Own day-to-day execution of the GRC system of record in Jira — maintaining control records, updating compliance status, logging implementation and auditor notes, and keeping the SOR current across all active frameworks Run TPRM assessments end-to-end: intake, questionnaire review, risk scoring, CISO decision documentation, and post-approval tracking Coordinate audit evidence collection and control testing activities across HITRUST, ISO 27001, SOC 2, and NIST 800-171 frameworks, working directly with the external audit firm Maintain the compliance calendar and drive sprint-by-sprint execution against framework deadlines Manage sub-processor and DPA tracking for portfolio company privacy programs, including gap identification and remediation follow-up Support DSR and privacy program operations, including data inventory maintenance and deletion workflow tracking Build and maintain GRC automation using AI tools (Claude, Jira automation, Zapier) to reduce manual burden on recurring compliance tasks Produce clear, accurate reporting on compliance posture for the CISO and cross-functional stakeholders What We're Looking For 3–6 years of hands-on GRC experience, ideally in a fast-moving tech or life sciences environment Direct experience working in Jira as a compliance or GRC tool — not just a project management tool; you should understand issue types, custom fields, bulk operations, and reporting Working knowledge of at least two of: HITRUST CSF, ISO 27001, NIST 800-171/CMMC, SOC 2, HIPAA Experience running vendor risk assessments — intake to decision — not just filling out questionnaires Comfort with AI-assisted work: you should already be using tools like Claude or ChatGPT to accelerate your GRC work, not learning to do so for the first time Strong written communication — you'll be producing evidence narratives, audit responses, and control documentation that external auditors and regulators will read Ability to operate with high autonomy; the CISO will provide direction but not ... (truncated, view full listing at source)