Job Description
Description

The Benefits Experience and Technology Risk team (BXT Risk) is responsible for managing employee benefits risk activities in the countries where we do business. As a Senior Security Risk Specialist on the BXT Risk team, you will serve as a subject matter expert and strategic contributor to our benefits third-party risk ecosystem, working across the organization with US benefits policy, process, and system owners to define strategies, evaluate complex risks, and drive scalable solutions that mitigate the risks introduced by third-party vendors and service providers supporting the organization's US health and financial employee benefit programs.

This role requires both tactical execution and strategic thinking. You will independently lead complex third-party risk assessments, influence vendor security and compliance strategies across the organization, shape how the team scales its risk management capabilities, and drive alignment across diverse stakeholders with potentially conflicting priorities. You will create predictable process paths and repeatable mechanisms that multiple teams use, mentor junior team members, and advise managers and directors on third-party risk matters affecting employee benefits programs.
Key job responsibilities

Third-Party Risk Strategy And Assessment
- Lead complex third-party vendor risk assessments across multiple benefits programs and vendor relationships, evaluating security, privacy, and compliance posture against federal, state, and local regulatory requirements
- Define and iterate on risk assessment methodologies, frameworks, and mechanisms that scale to diverse vendor requirements and evolving regulatory expectations (e.g., quantitative risk models, vendor risk questionnaires, continuous monitoring approaches)
- Identify long-term risks associated with third-party vendors and influence business strategy to proactively mitigate them before they materialize into risk events
- Make diligent, independent decisions on how to engage vendors, auditors, and regulators on third-party risk matters with minimal oversight
- Drive comprehensive benefits compliance management related to third-party service delivery, ensuring adherence to federal, state, and local regulatory requirements including HIPAA, ERISA, ACA, and COBRA
- Lead risk and control assessments of vendor-managed processes, determine the state of compliance, analyze risk exposure, and author reports detailing methodology, results, and remediation plans

Program Leadership And Scalable Solutions
- Own and drive third-party risk review programs associated with benefits program launches, modifications, vendor onboarding, and transitions across the organization
- Create predictable process paths, workflows, and repeatable mechanisms (e.g., for vendor security control design, testing, implementation, and validation) that multiple teams use to deliver consistent risk management outcomes
- Identify opportunities to simplify approaches throughout the organization and across project boundaries; decouple dependencies and prevent duplicate or wasted effort
- Define business problems, set objectives, analyze data, drive improvements, and influence resource allocation for third-party risk initiatives
- Develop mechanisms to inspect, monitor, and improve third-party risk delivery over time; hold the team to a high standard for both solutions and practices
- Escalate when risks or blockers emerge, propose viable recommendations to resolve them, identify the correct owners, and track issues to resolution

Vendor Systems, Process, And Compliance Oversight
- Develop a deep understanding of the employee benefits solutions used by Amazon and the third-party vendors that support them; drive business requirements for vendor system implementations and enhancements
- Lead collaboration with vendors and external teams to evaluate security controls, negotiate remediation timelines, and ensure employee-centered benefits experiences are delivered securely
- Understand the builder and stakeholder experience with security compliance and proactively align third-party risk processes with existing workflows
- Author written narratives that define strategy, evaluate trade-offs, anticipate risks, and recommend solutions on third-party risk, influencing the organization and external partners

Stakeholder Engagement, Influence, And Communication
- Drive business and technical discussions across the organization to decide how to align with diverse, potentially conflicting, third-party risk and compliance expectations
- Advise managers and directors on third-party risk matters; communicate effectively with leaders up to three levels above on risk posture, compliance gaps,