GRC Analyst

About Fullscript

Fullscript is an industry-leading health technology company dedicated to helping people get better. Starting in 2011 with the goal of simplifying practitioner access to trusted products, our platform has evolved to support over 125,000 practitioners with clinical insights, lab interpretations, patient analytics, education, and access to high-quality supplements. More than 10 million patients rely on Fullscript to stay connected to their care plans and adhere to treatment protocols. We build smarter, more human-centric tools that save time, streamline decisions, and foster strong connections between practitioners and patients, allowing them to focus on optimal care.

We invite you to bring your ideas, determination, and compassion to shape the future of care with us.

Fullscript is actively seeking a GRC Analyst (Risk) to join our expanding Security team. This pivotal role will establish and scale foundational risk management practices across the organization. The Security team encompasses product security, governance, risk, compliance, security operations, and incident response. This position is crucial for transitioning Fullscript’s risk management from an ad hoc, reactive model to a structured, proactive, and measurable enterprise risk program. You will collaborate closely with teams company-wide to identify, assess, and track security and operational risks, providing leadership with clear visibility into Fullscript’s risk posture.

What you'll do

Enterprise Risk Management

• Identify, document, and assess security and operational risks across business units.
• Maintain a comprehensive and up-to-date enterprise risk register.
• Apply a consistent methodology for evaluating risk likelihood, impact, ownership, and treatment.
• Partner with risk owners to ensure risks are clearly articulated and appropriately managed.

Risk Governance & Decision Support

• Ensure risk acceptance, mitigation, and transfer decisions are documented, traceable, and aligned with Fullscript’s risk appetite.
• Track remediation efforts and follow up with stakeholders to ensure timely risk reduction.
• Produce clear, data-driven risk reporting and dashboards to support leadership and executive decision-making.

Third-Party Risk Management

• Support and manage Fullscript’s third-party risk management program.
• Conduct risk assessments for vendors and partners, including onboarding and periodic reviews.
• Collaborate with Procurement, Legal, Security, and Engineering to ensure third-party risks are identified and addressed.

Cross-Functional Collaboration

• Partner with Security, Engineering, IT, Legal, Compliance, and business teams to surface emerging risks.
• Act as a trusted partner and advisor on risk-related questions across the organization.
• Help drive clarity around risk ownership and accountability.

Program Development & Continuous Improvement

• Help define, document, and refine risk management processes, standards, and procedures.
• Contribute to policies and controls that support effective risk governance.
• Support audit, compliance, and regulatory activities by providing risk context and evidence.

What you bring to the table

Risk & GRC Foundations

• Experience in governance, risk management, compliance, security operations, IT risk, or a related field.
• Understanding of security and operational risk concepts and common risk management frameworks.
• Ability to assess technical and non-technical risks and translate them into business impact.

Analytical & Communication Skills

• Strong analytical and problem-solving skills, with the ability to identify patterns and trends in risk data.
• Experience creating clear documentation, reports, and dashboards for technical and non-technical audiences.
• Strong verbal and written communication skills.

Collaboration & Growth Mindset

• Ability to work cross-functionally and influence without direct authority.
• Willingness to ask questions, seek feedback, and continuously improve processes.
• Comfortable operating in a growing, evolving environment where programs are being built and scaled.

Judgment & Decision-Making

• Strong situational awareness and judgment when evaluating risk trade-offs.
• Ability to support and influence risk decisions with data and context.

Bonus if you have

• Experience with third-party risk management programs.
• Familiarity with frameworks such as NIST, ISO 27001, SOC 2, CIS, or HITRUST.
• Experience supporting audits or executive and board-level risk reporting.
• Background in security operations, compliance, or incident response.

What We Can Offer You

• Generous PTO and competitive pay.
• Fullscript’s RRSP match program for financial health.
• Flexible benefits package and workplace wellness program.
• Training budget and company-wide learning initiatives.
• Discount on Fullscript catalog of products.
• Ability to work Wherever You Work Well (in-office, at home, or a bit of both).

Key skills/competency

• Enterprise Risk Management
• Risk Assessment
• Third-Party Risk
• GRC Frameworks (NIST, ISO 27001, SOC 2)
• Security Operations
• Compliance Management
• Data-driven Reporting
• Cross-functional Collaboration
• Policy Development
• Incident Response