Senior GRC Analyst
Description
Who We Are
Flagship Pioneering is a scientific innovation engine that invents and builds companies that change the world. We bring together the greatest scientific minds with entrepreneurial company builders and assemble the capital to allow them to take courageous leaps in human health, sustainability, and beyond. What sets Flagship apart is our ability to advance biotechnology by uniting life science innovation, company creation, and capital investment under one roof in a way that is largely without precedent. Our team of scientists, entrepreneurial leaders, and professional capital managers is aligned around an institutionalized process that enables us to innovate and create breakthroughs for the benefit of people and planet. Many of the companies Flagship has founded have addressed humanity’s most urgent challenges: vaccinating billions of people against COVID-19, curing intractable diseases, improving human health, preempting illness, and feeding the world by improving the resiliency and sustainability of agriculture. Flagship has been recognized twice on FORTUNE’s “Change the World” list, an annual ranking of companies that have made a positive social and environmental impact through activities that are part of their core business strategies, and has been named four times to Fast Company’s annual list of the World’s Most Innovative Companies.
About the Role
Flagship's GRC program has matured from build to operate. We have a functioning GRC system of record in Jira, active compliance tracks across HITRUST, NIST 800-171, ISO 27001, and SOC 2, and a TPRM workflow in production. What we need now is a hands-on practitioner who can execute against that infrastructure — someone who is as comfortable running a vendor risk assessment in Jira as they are prepping evidence packages for an audit. This is not a policy-writing or director-level role. It is a technical execution role for someone who gets things done.
What You'll Do
Own day-to-day execution of the GRC system of record in Jira — maintaining control records, updating compliance status, logging implementation and auditor notes, and keeping the SOR current across all active frameworks
Run TPRM assessments end-to-end: intake, questionnaire review, risk scoring, CISO decision documentation, and post-approval tracking
Coordinate audit evidence collection and control testing activities across HITRUST, ISO 27001, SOC 2, and NIST 800-171, working directly with the external audit firm
Maintain the compliance calendar and drive sprint-by-sprint execution against framework deadlines
Manage sub-processor and DPA tracking for portfolio company privacy programs, including gap identification and remediation follow-up
Support DSR and privacy program operations, including data inventory maintenance and deletion workflow tracking
Build and maintain GRC automation using AI tools (Claude, Jira automation, Zapier) to reduce manual burden on recurring compliance tasks
Produce clear, accurate reporting on compliance posture for the CISO and cross-functional stakeholders
What We're Looking For
3–6 years of hands-on GRC experience, ideally in a fast-moving tech or life sciences environment
Direct experience working in Jira as a compliance or GRC tool, not just a project management tool; you should understand issue types, custom fields, bulk operations, and reporting
Working knowledge of at least two of: HITRUST CSF, ISO 27001, NIST 800-171/CMMC, SOC 2, HIPAA
Experience running vendor risk assessments, intake to decision, not just filling out questionnaires
Comfort with AI-assisted work: you should already be using tools like Claude or ChatGPT to accelerate your GRC work, not learning to do so for the first time
Strong written communication; you'll be producing evidence narratives, audit responses, and control documentation that external auditors and regulators will read
Ability to operate with high autonomy; the CISO will provide direction but not day-to-day supervision
Nice to Have
CISA, CRISC, CISM, or equivalent certification
Experience with privacy program operations (CCPA, GDPR, DSR workflows)
Familiarity with Drata, Vanta, or similar compliance automation platforms
Experience supporting a portfolio company or multi-entity compliance program
Why This Role
You'll own a real compliance program, not support someone else's. The CISO is your direct partner, not a distant approver. You'll use modern tools (Jira, Claude, Zapier) to do GRC work that most teams still do in spreadsheets. And you'll have visibility into a genuinely diverse security environment spanning drug discovery AI, clinical platforms, and life sciences infrastructure.
We are an equal opportunity employer. All qualified applicants will be considered for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, protected veteran status, or any other characteristic protected by law. We recognize that great candidates often bring unique strengths without fulfilling every qualification. If you have some of the experience listed above but not all, please apply anyway. We are dedicated to building diverse and inclusive teams and look forward to learning more about your background and interest in Flagship.
Recruitment & Staffing Agencies: Flagship Pioneering and its affiliated Flagship Lab companies (collectively, “FSP”) do not accept unsolicited resumes from any source other than candidates. The submission of unsolicited resumes by recruitment or staffing agencies to FSP or its employees is strictly prohibited unless contacted directly by Flagship Pioneering’s internal Talent Acquisition team. Any resume submitted by an agency in the absence of a signed agreement will automatically become the property of FSP, and FSP will not owe any referral or other fees with respect thereto.
The salary range for this role is $88,000 - $121,000. Compensation for the role will depend on a number of factors, including a candidate’s qualifications, skills, competencies, and experience. Flagship Pioneering currently offers healthcare coverage, annual incentive program, retirement benefits and a broad range of other benefits. Compensation and benefits information is based on Flagship Pioneering's good faith estimate as of the date of publication and may be modified in the future.