CareFirst Careers

Integrated Risk Management Program Manager

Responsibilities & Qualifications


The Integrated Risk Management (IRM) department is responsible for the education, empowerment, and governance of business owners in identifying and managing enterprise risks in a consistent and integrated manner. IRM, working through the Integrated Compliance teams and business owners across the enterprise, establishes frameworks that bring consistency to operational and enterprise risk management. The IRM Program Manager is a catalyst for change, providing leadership and subject matter expertise for establishing and maturing the enterprise risk management program and the risk mitigation and controls critical to the success of the overall organization. Specifically, the IRM Program Manager is responsible for identifying and mitigating enterprise risks; managing controls and safeguards to minimize the impact of potential and existing risks affecting the organization; ensuring compliance with laws, regulations, and organizational frameworks; coordinating, collaborating, and managing resources, both people and funding, cross-functionally; and monitoring and driving remediation of issues identified. This requires strong collaboration and partnership with business owners and stakeholders across the enterprise.


PRINCIPAL ACCOUNTABILITIES: Under the direction of the Integrated Risk and Compliance Program Director, responsibilities include, but are not limited to:

The IRM Program Manager manages a complex program of strategic workflows and assessments that span organizational boundaries and involve varying levels of risk to the organization, including business processes and applications that are supported by external vendors and multiple business areas and that have significant impact on CareFirst. Utilizes a comprehensive understanding of business processes, controls, risks, and strategy to ensure effective risk mitigation and control implementation. Manages all aspects of the program, including risk management, process improvement, and enablement of cross-functional business owners to design, implement, and assess business processes and controls that effectively mitigate existing and potential risks affecting CareFirst. Communication skills are required to persuade, gain cooperation, provide formal presentations to groups of various sizes, reach consensus, and resolve conflict. Manages the delivery efforts of Managers and Directors of other Departments and provides leadership and influence at the VP level and above in the management of risks and the development of controls and related business processes.

Establish Standards and Frameworks for Standardization and Consistent Understanding

  • Collaborate with Integrated Compliance teams and key subject matter resources across all relevant risk domains to define and establish frameworks (e.g., Compliance, Risk Assessment, Risk Governance) and definitions for key data elements.  Maintain frameworks to meet industry standards (e.g., NIST, HITRUST).
  • Serve as the subject matter expert in risk assessment and risk management processes and perform effective challenge and governance of the implementation of corporate standards and frameworks implemented by the Integrated Compliance teams and business owners.

Oversight, Monitoring, and Execution of Assessments

  • Provide advisory support in the completion of divisional risk assessments.
  • Govern, support, and mentor associates in the completion of third-party risk assessments and control self-assessments to ensure the adequacy of controls in place to safeguard the organization, including tracking, monitoring, and managing issues identified. 
  • Manage parallel assessments of existing controls, process-level risks, and business processes to ensure timely, complete, and accurate assessments by the IRM team, business owners, and Integrated Compliance teams.

Enterprise Risk Management and Advisory Support

  • Partner with business owners across the enterprise to serve as the subject matter expert in the identification of issues and concerns, provide the appropriate level of support, and proactively identify risk management, control efficiency and effectiveness, and process improvement opportunities to improve the enterprise risk culture. 
  • Utilize expertise to identify and document, in a centralized risk register, evolving risks and threats pertaining to operational risks, including third party risks, and provide in-depth understanding of “if, how, and when” the risks/threats should be addressed.
  • Collaborate with business owners to establish and maintain an inventory of processes, controls, process-level risks, and areas for improvement to ensure efficiency in the control and process environment across the enterprise.
  • Assist in and validate the root cause analysis performed for ineffective and inefficient controls, identify applicability of the root cause impact and presence in all applicable business processes and divisions, and collaborate with and influence business owners impacted in all relevant business areas/divisions to ensure the streamlined and efficient implementation of controls which effectively mitigate risks and the root cause identified.

Governance, Risk & Compliance (GRC) Program

  • Provide support, oversight, and governance to Integrated Compliance teams to ensure compliance with the established Common Compliance Framework (CCF).

Provide Oversight and Governance of Third-Party Risks

  • Provide support, oversight, and governance to Integrated Compliance teams to ensure compliance with the Third-Party Risk Management (TPRM) framework and standards, so that controls surrounding data protection, privacy, and access (among other areas) meet CareFirst standards and risk appetite.
  • Facilitate due diligence on third party controls in place both at CareFirst and at the third party, in collaboration with subject matter resources across all relevant risk domains to determine residual risk of third-party relationships.

Risk Project Management

Establish Standards and Frameworks for Standardization and Consistent Understanding

  • Support the development and delivery of enterprise-wide training and awareness materials that educate associates and leadership on best practices, pervasive operational risk management issues, risk management tools and processes, and lessons learned.

Oversight, Monitoring, and Execution of Assessments

  • Maintain documentation for re-performance ability, including leveraging the Governance Risk and Compliance (GRC) tool and repository (e.g., Clarity).
  • Identify and maintain a repository of best practices and tools/accelerators related to third party risk assessments, operational risk assessments, and control self-assessments. 

Governance, Risk & Compliance (GRC) Program

  • Support the development of enterprise reporting and dashboards for monitoring and analysis of process-level risks, controls, issues, risk management, and compliance activities. 

Provide Oversight and Governance of Third-Party Risks

  • Support maintenance of the centralized repository for third party relationships including accountable business owners, inherent risk, and tier for each respective third-party relationship. 
  • Inventory and evaluate the inherent risk score and operational criticality for all third-party relationships.


  • Identify Enterprise risks and support the implementation of controls and development of mitigation strategies to mitigate identified risks by influencing and supporting business across divisions and teams, which will involve the coordination of resources, both funding and people, cross-functionally.
  • Forge relationships with business owners across the enterprise to understand issues and concerns, provide the correct level of support, and proactively identify risk management, control efficiency and effectiveness, and process improvement opportunities. 
  • Set high expectations for interacting with and providing significant influence of others, within the IRM team, as well as business owners and stakeholders across the enterprise for all audit activities, risk assessments and process improvements to support control objectives with cross-functional impacts. 
  • Drive commitment and exercise autonomy by being an independent thinker who upholds the values of ethics and integrity, while remaining flexible and adaptable to business needs.
  • Support, guide, and mentor IRM staff in the completion of activities and goals for the IRM department.
  • Triage and escalate unmitigated risks or lack of compliance or collaboration from business owners and/or leadership to the Integrated Risk Management Program Director for resolution or further escalation to Executive Leadership and/or the Audit & Compliance Committee.


SUPERVISORY RESPONSIBILITY: This position will have supervisory responsibility for individuals within the Integrated Risk Management function, as well as for resources across the organization, to effectuate the implementation of appropriate controls and risk mitigation strategies. This position will lead a team of matrixed direct and/or indirect reports of 2-100 associates and contractors (including external audit firms and vendor consultants, based on project needs) with risk management and compliance skillsets. This position will also be responsible for managing contractors and vendor consultants, based on project needs, against a Contract and Statement of Work with a set of deliverables and defined payment milestones. This position will be responsible for building cross-functional alliances and influencing the prioritization and execution of activities that improve the overall control environment and operational risk management.



  • BA/BS degree or equivalent with 8+ years of work experience in a risk management, third party risk management, audit, compliance, security governance, or legal services role.
  • Of the 8 years of experience required, at least 5 years must combine program/project management of multiple related projects executed simultaneously with direct and/or matrixed staff management.



  • Strong capabilities and experience in performing independent assessments, including compliance & legal reviews, contract reviews, testing controls, and developing & reviewing assessment reports.
  • Experienced problem solver who works independently and within a team using interpersonal skills, including excellent oral and written communication skills, and has a strong ability to influence and collaborate to achieve a mutually beneficial outcome.
  • Excellent written skills are required to prepare reports/documents for internal presentations as well as presentation to various Senior Leadership committees.  Advanced planning, organization, analytics and business acumen are required to understand and present the implications of various decisions. 
  • Proficient in MS Office, Project Management tools, financial/budget management systems (e.g., Oracle). 
  • Understands and possesses general project management skills relevant to performing assessment functions and responsibilities. 
  • Ability to work effectively in a fast-paced environment with frequently changing priorities, deadlines and workloads that can be varied for extended periods of time.  Must be able to meet established deadlines and handle multiple customer service demands from internal and external customers, within set expectations for service excellence.
  • Ability to exercise sound judgment.
  • Ability to communicate with tact to all levels of staff.
  • Demonstrated initiative, trustworthiness and integrity.


  • Understanding of legal requirements and health insurance operations
  • Relevant risk or business certification (e.g., CPA, CIA, CISA, CISM)
  • Knowledge of organization and operations of the business areas being supported



Department: Integrated Risk Management

Equal Employment Opportunity

CareFirst BlueCross BlueShield is an Equal Employment Opportunity (EEO) employer. It is the policy of the Company to provide equal employment opportunities to all qualified applicants without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, age, protected veteran or disabled status, or genetic information.

Hire Range Disclaimer

Actual salary will be based on relevant job experience and work history.

Closing Date

Please apply before: 08/29/2019

Federal Disc/Physical Demand

Note:  The incumbent is required to immediately disclose any debarment, exclusion, or other event that makes him/her ineligible to perform work directly or indirectly on Federal health care programs.


The employee is primarily seated while performing the duties of the position.  Occasional walking or standing is required.  The hands are regularly used to write, type, key and handle or feel small controls and objects. The employee must frequently talk and hear.  Weights of up to 25 pounds are occasionally lifted.

The physical demands described here are representative of those that must be met by an employee to perform the essential duties and responsibilities of the position successfully.  Requirements may be modified to accommodate individuals with disabilities.  Travel among CareFirst sites is required.

Sponsorship in US

Must be eligible to work in the U.S. without Sponsorship
