IT Risk Analyst

New York, NY

Come work with us:

Metropolitan Commercial Bank (the “Bank”) is a full-service commercial bank based in New York City. The Bank provides a broad range of business, commercial, and personal banking products and services to individuals, small businesses, private and public middle-market and corporate enterprises and institutions, municipalities, and local government entities.

Metropolitan Commercial Bank was named one of Newsweek’s Best Regional Banks and Credit Unions 2024. The Bank was ranked by Independent Community Bankers of America among the top ten successful loan producers for 2023 by loan category and asset size for commercial banks with more than $1 billion in assets. Kroll affirmed a BBB+ (investment grade) deposit rating on January 25, 2024. For the fourth time, MCB has earned a place in the Piper Sandler Bank Sm-All Stars Class of 2024.

Metropolitan Commercial Bank operates banking centers and private client offices in Manhattan, Boro Park, Brooklyn and Great Neck on Long Island in New York State.

The Bank is a New York State chartered commercial bank, a member of the Federal Reserve System and the Federal Deposit Insurance Corporation, and an equal housing lender. The parent company of Metropolitan Commercial Bank is Metropolitan Bank Holding Corp. (NYSE: MCB).

Position Summary:

We are seeking a highly motivated and analytical Risk Analyst to join our Line 2 Information Security team. This position plays a critical role in supporting the Bank’s IT Risk & Cyber Resilience functions, including IT risk assessments, user access reviews, business continuity, and operational resilience practices. The role reports to the VP of IT Risk & Cyber Resilience, under the broader direction of the Chief Information Security Officer (CISO). This position is ideal for professionals with 1-4 years of relevant experience in cybersecurity, risk management, audit or IT governance, and who hold or are pursuing an advanced degree.  

We have a flexible work schedule where employees can work from home one day a week.

Essential duties and responsibilities:

  • IT Risk Assessments:
    • Assist in the planning, execution, and documentation of IT risk assessments against minimum security standards, for the entire IT asset inventory.
    • Review control environments, identify control gaps, and work with first-line partners to ensure risk mitigation plans are in place.
  • Internal IT Controls Testing and Validation:
    • Execute validation testing of IT internal controls to ensure design and operating effectiveness across infrastructure, applications, databases, and systems.
    • Apply risk analysis principles to determine testing scope, focus, objectives, and rationale.
    • Develop testing strategies, including the selection of samples, sample sizes, and testing methodologies.
    • Analyze testing results, identify exceptions, and recommend actionable steps to address control deficiencies and strengthen internal processes.
    • Prepare thorough working papers and document control testing findings to ensure accuracy and alignment with standards.
  • User Access Review Governance:
    • Coordinate and oversee the user access review process across business applications and infrastructure.
    • Ensure alignment with access control policies and identity governance best practices.
  • Business Continuity Planning (BCP):
    • Support the development, maintenance, and testing of business continuity and resilience plans.
    • Work with business units to ensure plan completeness and alignment with enterprise resilience strategies.
  • Operational Outage Investigations:
    • Assist in root cause analysis and risk review of IT outages and incidents and determine if BCPs need to be updated.
    • Track remediation efforts and document lessons learned for reporting to senior leadership.
  • Governance Reporting:
    • Develop and maintain risk metrics, dashboards, and material for the IT and IS Steering Committee and Operational Risk Management Committee.
    • Draft risk summaries and escalation reports for senior management, auditors, and regulators, where appropriate.
  • Policy Framework Support:
    • Support the development and refinement of policies, standards, and procedures related to IT and Cyber Risk Management, Business Continuity, and security governance.

Required knowledge, skills and experience:

  • Graduate degree in Information Technology, Information Security, Risk Management, Finance, or Accounting.
  • Candidates with IT audit or IT controls and/or audit experience preferred.
  • Experience and/or education in IT controls testing, risk management, or IT audit.
  • Strong knowledge of IT internal controls, infrastructure, and applications.
  • Familiarity with IT risk frameworks such as NIST, COBIT, or ISO 27001.
  • Ability to analyze and document control deficiencies, root causes, and remediation efforts.
  • Proficiency in Microsoft Office Suite (Excel, Word, PowerPoint).
  • Strong analytical, verbal, and written communication skills with attention to detail.
  • Ability to interact effectively with IT teams, risk management partners, and stakeholders.
  • Exposure to Third-Party Risk Management (TPRM) or vendor IT controls assessment.

Preferred knowledge, skills and experience:

  • Certifications (e.g., CISA, CRISC) are a plus.

Potential Salary: $90,000 - $100,000 annually

This salary range only reflects base wages and does not include benefits, bonus, or incentive pay. Salary bands are purposefully wide ranging to encompass the different factors considered in determining where a candidate falls in the range, including but not limited to, seniority, performance, experience, education, and any other legitimate, non-discriminatory factor permitted by law.

Metropolitan Commercial Bank provides equal employment opportunities to all employees and applicants for employment and prohibits discrimination and harassment of any type without regard to race, color, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by federal, state, or local laws.

This applies to all terms and conditions of employment, including recruiting, hiring, placement, promotion, termination, layoff, recall, transfer, leaves of absence, compensation, and training.

Voluntary Self-Identification

For government reporting purposes, we ask candidates to respond to the below self-identification survey. Completion of the form is entirely voluntary. Whatever your decision, it will not be considered in the hiring process or thereafter. Any information that you do provide will be recorded and maintained in a confidential file.

As set forth in Metropolitan Commercial Bank’s Equal Employment Opportunity policy, we do not discriminate on the basis of any protected group status under any applicable law.

If you believe you belong to any of the categories of protected veterans listed below, please indicate by making the appropriate selection. As a government contractor subject to the Vietnam Era Veterans Readjustment Assistance Act (VEVRAA), we request this information in order to measure the effectiveness of the outreach and positive recruitment efforts we undertake pursuant to VEVRAA. Classification of protected categories is as follows:

A "disabled veteran" is one of the following: a veteran of the U.S. military, ground, naval or air service who is entitled to compensation (or who but for the receipt of military retired pay would be entitled to compensation) under laws administered by the Secretary of Veterans Affairs; or a person who was discharged or released from active duty because of a service-connected disability.

A "recently separated veteran" means any veteran during the three-year period beginning on the date of such veteran's discharge or release from active duty in the U.S. military, ground, naval, or air service.

An "active duty wartime or campaign badge veteran" means a veteran who served on active duty in the U.S. military, ground, naval or air service during a war, or in a campaign or expedition for which a campaign badge has been authorized under the laws administered by the Department of Defense.

An "Armed forces service medal veteran" means a veteran who, while serving on active duty in the U.S. military, ground, naval or air service, participated in a United States military operation for which an Armed Forces service medal was awarded pursuant to Executive Order 12985.

Voluntary Self-Identification of Disability

Form CC-305
OMB Control Number 1250-0005
Expires 04/30/2026

Why are you being asked to complete this form?

We are a federal contractor or subcontractor. The law requires us to provide equal employment opportunity to qualified people with disabilities. We have a goal of having at least 7% of our workers as people with disabilities. The law says we must measure our progress towards this goal. To do this, we must ask applicants and employees if they have a disability or have ever had one. People can become disabled, so we need to ask this question at least every five years.

Completing this form is voluntary, and we hope that you will choose to do so. Your answer is confidential. No one who makes hiring decisions will see it. Your decision to complete the form and your answer will not harm you in any way. If you want to learn more about the law or this form, visit the U.S. Department of Labor’s Office of Federal Contract Compliance Programs (OFCCP) website at www.dol.gov/ofccp.

How do you know if you have a disability?

A disability is a condition that substantially limits one or more of your “major life activities.” If you have or have ever had such a condition, you are a person with a disability. Disabilities include, but are not limited to:

  • Alcohol or other substance use disorder (not currently using drugs illegally)
  • Autoimmune disorder, for example, lupus, fibromyalgia, rheumatoid arthritis, HIV/AIDS
  • Blind or low vision
  • Cancer (past or present)
  • Cardiovascular or heart disease
  • Celiac disease
  • Cerebral palsy
  • Deaf or serious difficulty hearing
  • Diabetes
  • Disfigurement, for example, disfigurement caused by burns, wounds, accidents, or congenital disorders
  • Epilepsy or other seizure disorder
  • Gastrointestinal disorders, for example, Crohn's Disease, irritable bowel syndrome
  • Intellectual or developmental disability
  • Mental health conditions, for example, depression, bipolar disorder, anxiety disorder, schizophrenia, PTSD
  • Missing limbs or partially missing limbs
  • Mobility impairment, benefiting from the use of a wheelchair, scooter, walker, leg brace(s) and/or other supports
  • Nervous system condition, for example, migraine headaches, Parkinson’s disease, multiple sclerosis (MS)
  • Neurodivergence, for example, attention-deficit/hyperactivity disorder (ADHD), autism spectrum disorder, dyslexia, dyspraxia, other learning disabilities
  • Partial or complete paralysis (any cause)
  • Pulmonary or respiratory conditions, for example, tuberculosis, asthma, emphysema
  • Short stature (dwarfism)
  • Traumatic brain injury

PUBLIC BURDEN STATEMENT: According to the Paperwork Reduction Act of 1995 no persons are required to respond to a collection of information unless such collection displays a valid OMB control number. This survey should take about 5 minutes to complete.