IT Risk Analyst

Come work with us:

Metropolitan Commercial Bank (the “Bank”) is a full-service commercial bank based in New York City. The Bank provides a broad range of business, commercial, and personal banking products and services to individuals, small businesses, private and public middle-market and corporate enterprises and institutions, municipalities, and local government entities.

Metropolitan Commercial Bank was named one of Newsweek’s Best Regional Banks and Credit Unions 2024. The Bank was ranked by Independent Community Bankers of America among the top ten successful loan producers for 2023 by loan category and asset size for commercial banks with more than $1 billion in assets. Kroll affirmed a BBB+ (investment grade) deposit rating on January 25, 2024. For the fourth time, MCB has earned a place in the Piper Sandler Bank Sm-All Stars Class of 2024.

Metropolitan Commercial Bank operates banking centers and private client offices in Manhattan, Boro Park, Brooklyn and Great Neck on Long Island in New York State.

The Bank is a New York State chartered commercial bank, a member of the Federal Reserve System and the Federal Deposit Insurance Corporation, and an equal housing lender. The parent company of Metropolitan Commercial Bank is Metropolitan Bank Holding Corp. (NYSE: MCB).

Position Summary:

We are seeking a highly motivated and analytical Risk Analyst to join our Line 2 Information Security team. This position plays a critical role in supporting the Bank’s IT Risk & Cyber Resilience functions, including IT risk assessments, user access reviews, business continuity, and operational resilience practices. The role reports to the VP of IT Risk & Cyber Resilience, under the broader direction of the Chief Information Security Officer (CISO). This position is ideal for professionals with 1-4 years of relevant experience in cybersecurity, risk management, audit or IT governance, and who hold or are pursuing an advanced degree.  

We have a flexible work schedule where employees can work from home one day a week.

Essential duties and responsibilities:

• IT Risk Assessments:
  • Assists in the planning, execution, and documentation of IT risk assessments against minimum security standards, for the entire IT asset inventory.
  • Review control environments, identify control gaps, and work with first-line partners to ensure risk mitigation plans are in place

• Internal IT Controls Testing and Validation
  • Execute validation testing of IT internal controls to ensure design and operating effectiveness across infrastructure, applications, databases, and systems.
  • Apply risk analysis principles to determine testing scope, focus, objectives, and rationale.
  • Develop testing strategies, including the selection of samples, sample sizes, and testing methodologies.
  • Analyze testing results, identify exceptions, and recommend actionable steps to address control deficiencies and strengthen internal processes.
  • Prepare thorough working papers and document control testing findings to ensure accuracy and alignment with standards.

• User Access review Governance:
  • Coordinate and oversee the user access review process across business applications and infrastructure.
  • Ensure alignment with access control policies and identity governance best practices.

• Business Continuity Planning (BCP):
  • Support the development, maintenance, and testing of business continuity and resilience plans.
  • Work with business units to ensure plan completeness and alignment with enterprise resilience strategies.

• Operational Outage Investigations:
  • Assist in root cause analysis and risk review of IT outages and incidents and determine if BCPs need to be updated.
  • Track remediation efforts and document lessons learning for reporting to senior leadership.

• Governance Reporting:
  • Develop and maintain risk metrics, dashboards, and material for the IT and IS Steering Committee and Operational Risk Management Committee.
  • Draft risk summaries and escalation reports for senior management, auditors, and regulators, where appropriate.

• Policy Framework Support:
  • Support the development and refinement of policies, standards, and procedures related to IT and Cyber Risk Management, Business Continuity, and security governance.

Required knowledge, skills and experience:

• Graduate degree in Information Technology, Information Security, Risk Management, Finance, or Accounting.
• Candidates with IT audit or IT controls and/or audit experience preferred.
• Experience and or education in IT controls testing, risk management, or IT audit.
• Strong knowledge of IT internal controls, infrastructure, and applications.
• Familiarity with IT risk frameworks such as NIST, COBIT, or ISO 27001.
• Ability to analyze and document control deficiencies, root causes, and remediation efforts.
• Proficiency in Microsoft Office Suite (Excel, Word, PowerPoint).
• Strong analytical, verbal, and written communication skills with attention to detail.
• Ability to interact effectively with IT teams, risk management partners, and stakeholders.
• Exposure to Third-Party Risk Management (TPRM) or vendor IT controls assessment.

Preferred knowledge, skills and experience:

• Certifications (e.g., CISA, CRISC) are a plus.

Potential Salary: $90,000 - $100,000 annually

This salary range only reflects base wages and does not include benefits, bonus, or incentive pay. Salary bands are purposefully wide ranging to encompass the different factors considered in determining where a candidate falls in the range, including but not limited to, seniority, performance, experience, education, and any other legitimate, non-discriminatory factor permitted by law.

Metropolitan Commercial Bank provides equal employment opportunities to all employees and applicants for employment and prohibits discrimination and harassment of any type without regard to race, color, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by federal, state, or local laws.

This applies to all terms and conditions of employment, including recruiting, hiring, placement, promotion, termination, layoff, recall, transfer, leaves of absence, compensation, and training.