CareFirst Careers

Director, IT Risk & Compliance

Resp & Qualifications

This position is accountable for identifying, communicating, assessing, monitoring, and reporting on the controls necessary to assess overall IT risk, ensuring that appropriate mitigation is in place, and ensuring that delivery and operations align with regulatory and contractual obligations, in coordination with the Enterprise Integrated Risk Management function. This position is responsible for assessing the IT risks to which the company is exposed; measuring the financial, economic, operational, and strategic impact of potential risks; and directing the development, maintenance, monitoring, and reporting of appropriate risk mitigation strategies across IT. It is directly accountable for ensuring the integrity of the IT risk management program and for assisting with the compliance process for all functional areas of IT, under the direction of the Director of Enterprise Risk Management and Compliance.

This position shall also be accountable for the IT business continuity plan, coordination of third-party risk for IT in partnership with IT Vendor Management, IT audit coordination, and IT responses to external RFPs. Security Governance and Compliance and Disaster Recovery are not within the scope of accountability for this position but are critical coordination points.

Principal Accountabilities:

This position is responsible for supporting a culture consistent with CareFirst’s mission, values, ethics and Code of Conduct. Through their day-to-day actions, the incumbent shall demonstrate and convey risk and compliance adherence principles and practices to encourage adoption and acceptance of those practices.
The incumbent’s accountabilities will include, but are not limited to, the following:

Compliance Program Management
• Develops a comprehensive IT Control Framework against national standards as the foundation of the IT Risk Management function incorporating control frameworks from across IT and the enterprise.
• Ensure the complete mapping across control frameworks to obligations, assessments/audits, and corrective measures.
• Oversees the implementation and management of the division’s Compliance program to ensure compliance and alignment with Federal, State regulatory statutes and contractual obligations.
• Develops and manages a compliance program to effectively implement, revise and test controls and continuously reviews and improves departmental policies and procedures to achieve greater efficiencies and effectiveness.
• Provides interpretation of regulations and regulatory rules/guidelines to demonstrate that MA and its delegated entities are in compliance with state and federal standards. With regard to compliance-related policies, the Director will gather and organize applicable insurance laws and regulations (mandates) into a central content repository and ensure that a department policy, procedure and audit criteria to measure compliance exist for each law/regulation.
• Continuously analyzes and aligns all functional area policies, procedures, SOPs, workflows, and systems, and ensures they comply and align with regulations and remain current.
• Reviews complex business processes, systems, workflows, SOPs, policies, and procedures to identify, document, and escalate risks and trends that may be non-compliant with contractual and/or statutory requirements.
• Works directly with the division’s Training teams to ensure training content incorporates necessary procedures, SOPs, workflows, etc. applicable to the policies.
• Reviews and makes recommendations for workforce management related to productivity and overtime. 
• Reviews internal controls, both manual and automated, and/or management controls in each functional area to remove any risk or exposure. 
• Analyzes controls for strengths and weaknesses and ensures that special focus is allocated to the specific risk areas creating the highest exposure to the division.  
• Supports audits and manages the activities related to reviewing audit findings with stakeholders.
• Works with the division’s management to establish and implement corrective action plans as an outcome of any audit findings.

Audit and Assessment Coordination
• Acts as the coordinator of Audits and Assessments representing IT.  Ensures the documentation, tracking, and reporting of management action plans.
• Maps findings and corrective action to the IT control framework.
• Ensure the proactive tracking of progress, issues, and risks related to corrective actions with reporting to stakeholders and management.
• Act as the Program Manager across corrective action plans ensuring that responsible parties are appropriately and timely meeting agreed upon commitments.
• Coordinate IT’s responses and follow-up to company-wide and external audits/assessments.
• Plan and conduct an annual IT Risk Assessment (note that this differs from a Security Assessment which is managed elsewhere but does encompass the results of the Security Assessment).
• Maintain a library of IT responses to Audits and Assessments both as a history of those responses as well as an inventory of approved responses. 
• Continually assess changes in control state with prior Audit, Assessment, and RFP responses/contracts to ensure adequate visibility to changes in control state relevant to the audits, assessments, and contractual commitments identifying any material changes.

IT RFP Coordination and 3rd Party Risk Management
• Coordinate all IT responses to external RFPs for products and services that CareFirst provides to external parties.
• Maintain a library of RFP responses to track commitments and ensure consistency. 
• Continuously assess changes in the control state of IT with prior RFP responses and contractual obligations to ensure adequate visibility to changes in control state which may be material to these obligations.
• Facilitate the monitoring and adherence to contractual obligations by working with stakeholders to ensure that their controls maintain compliance and efficacy.
• Ensure that IT-owned third-party risk management is appropriately assigned across IT with controls mapped to the control framework and alignment with the Enterprise Third-party Risk Management Function.
• Coordinate the efficacy monitoring and reporting of RFP and 3rd Party Risk Management tracking any corrective actions.

IT Business Continuity Plan
• Coordinate with IT stakeholders to ensure that IT has a complete and adequate Business Continuity plan to support the ongoing operation and resumption of IT’s functions in a disaster or other disruption of services such as a large workforce outage.  Note that this role is not accountable for the technical aspects of Disaster Recovery or Large Workforce Outage.
• Ensure the timely and complete documentation of Business Continuity plans in the enterprise business continuity documentation system.
• Ensure the ongoing education and awareness within IT and its stakeholders of the aspects of the IT Business Continuity Plan and how to engage with IT during a Business Continuity event.

Reporting and Collaboration
• Provide regular investigative, analytic, risk and audit reporting data to all stakeholders.
• Interact, collaborate and coordinate frequently with all internal areas, especially all SBUs, Legal, Corporate Compliance, External Mandates, CAAS (Corporate Audit and Assurance Services), and management at all levels to implement and manage the Finance Division risk management and compliance program.
• Develop and maintain relationships with key internal customers (e.g., staff line management, senior executives) through direct meetings and active participation on corporate committees, project teams, and other cross-departmental initiatives.
• Act as liaison with regulatory agency investigators/auditors, in collaboration with Corporate Compliance, during external audits; act as liaison with Corporate Compliance and Divisional Embedded Risk and Compliance teams; interface with industry regulators to adopt best practices.
• Consistently maintain highly professional written and verbal interaction with all levels of staff within the company and with all members of regulatory departments; maintain positive, responsive, respectful relationships with all regulators and stakeholders.
• Serve as the subject matter expert for risk management, business processes and related systems as the representative of the Finance Division.

Qualification Requirements:
• Bachelor’s degree with a focus in IT, Audit, and/or Risk Management.
• Minimum of 5 years of work experience in IT, risk management, health insurance compliance programs, or related fields.
• 2+ years of experience in staff management.
• Generally conversant with the laws, regulations and guidelines affecting CareFirst.
• Experience in complex regulatory compliance.
• Experience in project management, business process analysis, workflow, and task analysis.
• Experience in Enterprise Risk Management.
• Experience in Business Continuity.
• Experience and deep understanding of corporate insurance programs, claim administration, and risk management strategy development. 

• The ability to effectively manage staff through leadership and the promotion of teamwork is essential. 
• Incumbent must display leadership qualities, functional expertise, and business perspective.
• Considerable judgment, tact, initiative, accuracy, trustworthiness, and integrity.
• Excellent interpersonal skills with ability to build consensus and agreement and bring resolution to contentious issues and entrenched interests.
• Ability to present and discuss regulatory compliance goals or risk management issues in a way that establishes rapport, persuades others, and gains commitment.
• Ability to research complex issues, interpret regulations and regulatory rules/guidance, and exhibit sound judgment in determining a recommendation or solution to a problem.
• Demonstrated ability to lead problem-solving discussions.
• Must be able to work effectively in a fast-paced environment, be flexible, adapt to shifting priorities, and work independently as well as part of a team. Strong customer service, organizational, coordination and interpersonal skills for facilitating compliance audits and insurance renewal submissions.
• Ability to gather and analyze data and generate reports.
• Knowledge of local systems (such as Facets, Oracle, PeopleSoft, SunGard, etc.) and experience with hardware and software required to understand how they interface with the compliance regulatory statutes.
• Knowledge of general accounting practices and control frameworks.
• Experienced and proficient with Word, advanced Excel, database management and related software applications.
• Excellent oral and written communication skills; able to communicate and make presentations to management and associates at all levels throughout the Company.
• Knowledge of organization and operations of the business areas being supported.
• Understanding of legal requirements and expectations for health insurance operations.
Equal Employment Opportunity

CareFirst BlueCross BlueShield is an Equal Opportunity (EEO) employer.  It is the policy of the Company to provide equal employment opportunities to all qualified applicants without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, age, protected veteran or disabled status, or genetic information.

Hire Range Disclaimer

Actual salary will be based on relevant job experience and work history.

Where To Apply

Please visit our website to apply:

Closing Date

Please apply before: 6.24.21

Federal Disc/Physical Demand

Note:  The incumbent is required to immediately disclose any debarment, exclusion, or other event that makes him/her ineligible to perform work directly or indirectly on Federal health care programs.
The associate is primarily seated while performing the duties of the position.  Occasional walking or standing is required.  The hands are regularly used to write, type, key and handle or feel small controls and objects.  The associate must frequently talk and hear.  Weights up to 25 pounds are occasionally lifted.

Sponsorship in US

Must be eligible to work in the U.S. without Sponsorship