What’s in it for you as an employee of QFG?
- Health & wellbeing resources and programs
- Paid vacation, personal, and sick days for work-life balance
- Competitive compensation and benefits packages
- Work-life balance in a hybrid environment with at least 3 days in office
- Career growth and development opportunities
- Opportunities to contribute to community causes
- Work with diverse team members in an inclusive and collaborative environment
This job posting is for an existing vacancy
We’re looking for our next Senior Analyst, IT & Cyber GRC. Could It Be You?
The Senior Analyst, IT & Cyber GRC is the seasoned generalist and trusted advisor across Questrade Financial Group’s (QFG) IT & Cyber GRC function. Operating with breadth across governance, risk, control, and audit, the Senior Analyst is the day-to-day quality bar for the team — reviewing the work of Analysts, providing technical coaching, and bringing risk and control thinking into cross-functional initiatives early.
The role bridges governance, risk and control intent with operational execution by partnering with IT, Cybersecurity, and business teams to ensure that "built-in" security and compliance is practical, proportionate, and audit-defensible. Where deep specialist expertise is required (e.g., framework accountability, novel control architecture, regulatory interpretation), the Senior Analyst escalates to and partners with the Principal and Manager.
Need more details? Keep reading…
In this role, responsibilities include but are not limited to:
Governance, Policy, and Regulatory Strategy
- Governance Documentation Lead: Lead the periodic review and update cycle for Technology and Cyber Governance documents (policies, standards, procedures), ensuring they remain accurate, aligned with legislative changes, and consistent with the relevant frameworks.
- Audit & Regulatory Management: Support all audit engagements (OSFI, SOC, etc.) and perform quality-control vetting of materials to ensure a successful "audit-ready" posture.
- Compliance Initiatives: Drive initiatives including gap assessments for new and existing policies against evolving industry requirements.
Control Advisory & Risk Partnership
- Collaborative Control Design: Partner with IT & Cyber teams to advise on, review, and validate control designs that manage risk without hindering innovation and velocity; escalate complex or novel control architecture questions to the Principal.
- Horizon Scanning: Maintain a forward-looking understanding of GRC practices and emerging threats to proactively manage risk. Perform analysis and issue communications to inform of organizational impact.
- Innovative Monitoring: Identify opportunities to streamline processes through innovative solutions and automation logic.
- Tabletop Facilitation: Coordinate and facilitate the execution of cybersecurity tabletop and simulation exercises designed by partner teams, managing scheduling, participant readiness, exercise delivery, and post-exercise documentation and remediation tracking.
Risk Assessment
- Initiative Risk Assessments: Perform and support comprehensive risk assessments for existing processes and new strategic initiatives to identify systemic vulnerabilities.
- Entity-Level Risk Assessments: Perform and support entity-level risk assessments across QFG’s regulated entities, identifying systemic risk exposures specific to each entity, assessing control sufficiency against entity-specific regulatory requirements, and partnering with the Manager and entity leadership on remediation roadmaps.
- Agile Problem Solving: Take ownership of ad-hoc, high-priority activities emerging from a dynamic threat landscape.
Mentorship, Metrics & Technical Guidance
- Strategic Mentorship & Coaching: Provide technical and craft-level coaching to the Business Analyst and Risk & Control Analyst, reviewing work product, modelling professional skepticism, and raising the quality bar of the team through peer review. This is a technical mentorship relationship, not a people-leadership role; formal performance management remains with the Manager.
- Metrics Stewardship: Curate and quality-review IT & Cyber Risk metrics (KRIs/KPIs), ensuring the numbers, narratives, and visualizations that reach executive audiences are accurate, well-contextualized, and actionable.
- Automation & AI Vision: Champion and curate the team’s use of AI and automation, setting practical standards for prompt engineering, output validation, and human review, to keep tooling and AI integrations aligned with GRC objectives.
So are YOU our next Senior Analyst, IT & Cyber GRC? You are if you…
Professional Experience & Education
- Sector Expertise: Minimum of 4 years of experience in IT and Cyber Risk, Audit, and/or GRC, specifically within a regulated financial institution.
- Academic Foundation: Formally educated in Business, Computer Science, Information Systems, or Engineering, or equivalent professional experience.
Regulatory & Framework Mastery
- Framework Proficiency: Deep understanding of a broad set of risk methodologies, frameworks, and practices, including NIST CSF, COBIT, ISO standards, CIS, COSO, ITIL, and PCI DSS.
- Regulatory Knowledge: Comprehensive understanding of the Canadian regulatory environment (OSFI) and global assurance frameworks (SOC 1/2).
- Governance Development: Proven experience in developing, updating, and reviewing high-level Governance documents, including policies, standards, and procedures.
Control Design & Risk Methodology
- Lifecycle Oversight: Extensive experience performing complex risk assessments and designing robust controls.
- AI and Automation: Proficiency in advanced Prompt Engineering for Generative AI models to accelerate GRC artifacts (e.g., summarizing SOC reports).
- Technical Literacy: Strong knowledge of technology platforms, including Operating Systems and Databases.
Metrics, Dashboards & Reporting
- Executive Intelligence: Experience in developing and reporting performance and risk metrics (KPIs, KRIs, SLAs, OKRs) and building high-level dashboards for executive leadership teams.
- Data Integrity: Ability to ensure that metrics provide an accurate reflection of the organization’s risk posture.
Professional Designations & Tools
- Industry Credentials: Holds one or more senior-level industry certifications (e.g., CISA, CRISC, CISM, CGEIT, or CISSP).
- Technical Enablement: Experience using compliance automation tools to streamline GRC activities.
- Leadership: Natural ability to coach staff and provide "compliant-by-design" guidance early in the project lifecycle.
- Strategic Ownership: Takes full accountability for initiatives from inception to sustainable closure with a "big-picture" vision.
- Analytical Rigor: Identifies underlying systemic issues rather than just documenting symptoms.
- Communication: Ability to distill complex technical risks into clear, actionable business narratives for all levels of the organization.
Compensation Information:
- Base salary range: $96,000 - $120,000
- The final compensation package will be commensurate with the successful candidate's experience, skills, and geographic location (Canada). It includes a comprehensive benefits plan and a competitive incentive (bonus) program for Full-Time Permanent roles.
Sounds like you? Click below to apply!