Director - Risk Management - Audit

At Moody's, we unite the brightest minds to turn today’s risks into tomorrow’s opportunities. We do this by striving to create an inclusive environment where everyone feels welcome to be who they are - with the freedom to exchange ideas, think innovatively, and listen to each other and customers in meaningful ways.

If you are excited about this opportunity but do not meet every single requirement, please apply! You still may be a great fit for this role or other open roles. We are seeking candidates who model our values: invest in every relationship, lead with curiosity, champion diverse perspectives, turn inputs into actions, and uphold trust through integrity.

The Moody’s Analytics (MA) Banking Risk Management team oversees the Banking segment’s risk management framework to safeguard sensitive business data, ensure regulatory compliance, protect against security threats, and meet customer requirements for controls assurance. As a trusted partner to both internal stakeholders and external customers, the team collaborates with Corporate Risk Management and Moody’s Shared Services to reduce risk while enabling business priorities.

The Director - Banking Risk Management will lead risk management and compliance efforts for Moody’s Analytics Banking software products and services, focusing on SOC1/SOC2 and ISO audits, customer audits, and risk remediation activities. This role will also serve as a key liaison for customer inquiries regarding technology and cyber due diligence assessments, while driving strategic risk awareness across the organization.

• Lead the preparation, coordination, and execution of SOC1/SOC2 and ISO audits, including gathering relevant documentation, conducting internal assessments, and liaising with external auditors.
• Ensure compliance with ISO standards (e.g., ISO 27001) by maintaining and enhancing policies, procedures, and controls.
• Support customer audits by providing necessary documentation, responding to inquiries, and ensuring alignment with customer-specific requirements.

• Act as a trusted advisor to customers, addressing vendor risk assessments and technology due diligence inquiries.
• Collaborate with sales and legal teams to support RFP submissions, contract negotiations, and customer risk reviews, ensuring accurate and timely responses on information security controls.
• Engage with teams across Moody’s in sales, product management, development, and operations to provide customers with the information needed to complete their reviews.

• Track and oversee risk remediation activities, ensuring timely and effective resolution of identified risks.
• Monitor compliance with policies, procedures, and regulatory requirements while identifying areas for improvement and automation.
• Contribute to Moody’s third-party risk management framework and support its implementation within the Banking segment.

• Maintain accurate and up-to-date records of audit activities, findings, and remediation efforts.
• Create customer-facing documentation and reports on Moody’s software products’ information security controls.

• Strong knowledge of IT and cybersecurity controls, frameworks, and standards, including SOC1, SOC2, NIST, ISO 27001, COBIT, and C5.
• Familiarity with software development practices, enterprise technology operations, and public cloud environments (e.g., AWS, GCP, Azure).
• Experience conducting audits such as SOC1/SOC2, ISO audits, and customer audits.

• 6 to 9 years of experience in IT audit, enterprise risk management, information security, or vendor risk management.
• Proven track record of managing compliance programs and risk remediation activities.
• Proven experience mentoring, coaching, or managing junior staff, with the ability to inspire and develop talent within a high-performing team.

• Excellent verbal and written communication skills, with the ability to handle negotiations and complex conversations with clients and auditors.
• Strong analytical, problem-solving, collaboration, and project management skills.
• Highly organized, detail-oriented, and capable of prioritizing and meeting deadlines in a dynamic environment.
• Familiarity with Governance, Risk, and Compliance (GRC) platforms.

• Professional certifications such as CISA (Certified Information Systems Auditor), CRISC (Certified in Risk and Information Systems Control), CISSP (Certified Information Systems Security Professional), or PMP (Project Management Professional), or equivalent experience.

For US-based roles only: the anticipated hiring base salary range for this position is $143,800.00 - $208,600.00, depending on factors such as experience, education, level, skills, and location. This range is based on a full-time position. In addition to base salary, this role is eligible for incentive compensation. Moody’s also offers a competitive benefits package, including not but limited to medical, dental, vision, parental leave, paid time off, a 401(k) plan with employee and company contribution opportunities, life, disability, and accident insurance, a discounted employee stock purchase plan, and tuition reimbursement.

Moody’s is an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, sex, gender, age, religion or creed, national origin, ancestry, citizenship, marital or familial status, sexual orientation, gender identity, gender expression, genetic information, physical or mental disability, military or veteran status, or any other characteristic protected by law. Moody’s also provides reasonable accommodation to qualified individuals with disabilities or based on a sincerely held religious belief in accordance with applicable laws. If you need to inquire about a reasonable accommodation, or need assistance with completing the application process, please email accommodations@moodys.com. This contact information is for accommodation requests only, and cannot be used to inquire about the status of applications.

For San Francisco positions, qualified applicants with criminal histories will be considered for employment consistent with the requirements of the San Francisco Fair Chance Ordinance.

This position may be considered a promotional opportunity, pursuant to the Colorado Equal Pay for Equal Work Act.

Click here to view our full EEO policy statement. Click here for more information on your EEO rights under the law. Click here to view our Pay Transparency Nondiscrimination statement. Click here to view our Notice to New York City Applicants.
Candidates for Moody's Corporation may be asked to disclose securities holdings pursuant to Moody’s Policy for Securities Trading and the requirements of the position. Employment is contingent upon compliance with the Policy, including remediation of positions in those holdings as necessary.

For more information on the Securities Trading Program, please refer to the STP Quick Reference guide on ComplianceNet

Please note: STP categories are assigned by the hiring teams and are subject to change over the course of an employee’s tenure with Moody’s.