Risk Management Consultant – GRC Practice

About Artemis Connection Artemis Connection is a strategic management consultancy working across the for-profit, public, and social sectors. We help clients around the world identify their most pressing strategic issues and staff teams of strategy consultants to roll up their sleeves and deliver impact. We are passionate about helping innovative and entrepreneurial leaders reach their goals through a customized, project-based approach. Our GRC practice works with organizations navigating complex regulatory environments, scaling compliance programs, and building risk frameworks that drive real decisions. Our clients include high-growth technology companies, government contractors, and mission-driven organizations that need enterprise risk programs tailored to how they actually operate, not inherited from a template or captured by a single function. Our founder is Christy Johnson, an entrepreneur, educator, and former McKinsey Engagement Manager. Our team is made up of seasoned consultants trained at organizations such as McKinsey & Company, BCG, Bain, Big 4 Strategy, and elite educational institutions.

About the Role

In this role, you will help clients build and mature enterprise risk programs that address the full spectrum of organizational exposure, including strategic, operational, financial, regulatory, and reputational risk, with cybersecurity treated as one critical dimension of a broader risk universe rather than the primary lens. This is a client-facing role that demands genuine enterprise risk fluency. You should be as comfortable discussing board risk appetite statements and third-party concentration risk as you are reviewing a cybersecurity control framework. The clients who need you most are the ones whose risk programs have been captured by a single function, usually IT or legal, and who need help building something that actually reflects how the organization operates and where it is genuinely exposed.

What You'll Do

Lead Enterprise Risk Assessments Lead enterprise risk assessments spanning strategic objectives, operational dependencies, workforce and leadership risk, regulatory exposure, supply chain and vendor concentration, financial controls, and reputational considerations. Facilitate risk identification workshops with senior leadership and help organizations move from intuition-based risk lists to structured, evidence-driven risk registers that are actually used in decision-making. Design or Mature ERM Frameworks Help clients design or mature their ERM frameworks, drawing on standards like COSO ERM, ISO 31000, and NIST RMF as appropriate to the client's context and regulatory environment. Develop risk appetite and tolerance statements, key risk indicators, and escalation protocols that give boards and executive teams meaningful visibility into the risks that matter most. Assess Technology and Information Risk Practices Cybersecurity risk will be a consistent thread across your engagements. Assess how clients identify, govern, and respond to technology and information risk. Map their environments against frameworks like NIST CSF 2.0, ISO 27001, and CMMC 2.0 where relevant, and ensure that cyber risk is translated into business impact terms that non-technical stakeholders can act on. The goal is integration, not isolation. Cyber risk should inform enterprise risk, not live in a separate silo. Assess Governance Structures Assess governance structures including risk committee charters, three-lines-of-defense models, risk ownership accountability, and the quality of risk reporting to senior leadership and boards. Where clients lack the internal structures to sustain a risk program, help them build those structures before the engagement closes. Business Development Support Contribute meaningfully to the practice's pipeline. This includes participating in proposal development, scoping and estimating new engagements, identifying expansion opportunities within existing client relationships, and representing the practice at industry events or working groups. You will not typically be expected to originate large engagements independently but should be able to identify and advance opportunities through the pipeline with principal-level support. What You Bring Required

• Minimum 5 to 7 years of experience in enterprise risk management, internal audit, management consulting, or a closely related discipline
• Hands-on experience with COSO ERM, ISO 31000, or a comparable ERM framework, demonstrated through program design or maturity assessments, not just familiarity
• Demonstrated experience working directly with senior leadership and boards, including the ability to facilitate difficult conversations about risk without losing the room
• Deep understanding of how organizational risk programs are designed, where they tend to fail, and what separates a risk register that drives decisions from one that sits unused in a SharePoint folder
• Sufficient cybersecurity literacy to engage meaningfully with IT and security teams, interpret control assessments, and translate technical findings into enterprise risk terms, including familiarity with NIST CSF, ISO 27001, or comparable frameworks
• Strong written and verbal communication skills, including the ability to distill complex risk landscapes into clear, board-ready summaries

Preferred

• Relevant professional certifications such as CRISC, CRMA, CIA, CISM, or an MBA or advanced degree in risk, finance, or a related field
• Minimum 2+ years of consulting or client-facing advisory experience
• Familiarity with sector-specific regulatory environments such as financial services, healthcare, defense, critical infrastructure, or emerging technology
• Experience with quantitative or semi-quantitative risk methodologies such as FAIR

What Makes Someone Successful Here The consultants who thrive here understand that risk management is ultimately a leadership discipline. Frameworks and tools matter, but the real work is helping organizations develop an honest picture of where they are exposed and the institutional will to do something about it. You ask good questions before you write recommendations. You can distinguish between a client who has a risk program problem and one who has a governance problem that a risk program cannot fix on its own. You communicate with precision and without jargon, and you know when a board needs a clean two-page risk summary and when they need a harder conversation. Compensation and Structure This role is structured as a project-based engagement, typically 12 months in duration with the possibility to extend based on client needs and performance. This role is remote, with occasional travel potentially required based on client needs. Compensation is competitive and commensurate with experience; details will be discussed during the interview process. Apply tot his job Apply To this Job