AVP IT Risk Management
Job Description
Join our team - and take the next step in achieving a fulfilling career!
What We Do
At CardWorks, we aim to help people connect with possibility and opportunity using our financial servicing expertise. Building meaningful, long-term relationships with consumers, our employees, and our clients is what matters most.
Who We Are
CardWorks, Inc. is a diversified consumer finance service provider and parent company of CardWorks Servicing, LLC, Merrick Bank and Carson Smithfield, LLC.
CardWorks Servicing, LLC provides end-to-end operational servicing functions for credit cards, secured cards, and installment loans. We service consumer and small business loans across the credit spectrum and offer backup servicing and due diligence services to capital providers and trustees.
Merrick Bank is an FDIC-insured Utah Industrial Loan Bank. Merrick operates three main business lines: credit cards, recreational lending, and merchant services.
Carson Smithfield, LLC provides a variety of post-charge-off debt recovery services, including digital self-service, IVR, live agent, and external agency management.
Job Summary:
The AVP, IT Risk owns the oversight and governance of the Technology Risk Management Framework, ensuring effective identification, assessment, monitoring, and mitigation of technology risks across the organization. This role is responsible for independent challenge, control assurance, and risk transparency, and drives the execution of core technology risk programs, including control testing, issue management, audit coordination, and reporting.
The AVP provides credible challenge to Technology and business stakeholders, enforces adherence to risk standards, and delivers actionable risk insights to senior leadership.
Essential Functions:
Technology Risk Oversight & Control Assurance
- Provide independent oversight and ongoing evaluation of technology controls (ITGCs, security controls, system controls)
- Lead and execute control testing strategy, including scoping, testing, and documentation of results
- Identify control gaps, deficiencies, and non-compliance, and require clear remediation actions and timelines
- Provide effective challenge to Technology on control design and remediation adequacy
- Oversee and track remediation efforts, holding stakeholders accountable for timely closure
- Develop and own monitoring and reporting over assigned areas (examples include: technology issues, incidents, and overdue risk items)
Audit & Regulatory Coordination
- Own coordination and oversight of internal audits and regulatory exams (FDIC, SOX, SOC, etc.)
- Ensure completeness, accuracy, and quality of materials provided for audits and exams
- Govern the lifecycle of audit findings, including validation of remediation and closure
- Act as a primary liaison between Risk, Audit, Technology, and Compliance
- Drive audit readiness and continuous improvement of the control environment
Business Continuity & Resilience
- Review and provide independent challenge to DR testing plans, execution, and results
- Evaluate technology resilience risks, including BIA alignment, system criticality, and recovery capabilities
- Ensure risks are appropriately identified, escalated, and remediated
Third-Party & Vendor Risk
- Review and challenge vendor risk assessments and control exceptions
- Provide risk recommendations or escalation on vendor-related control gaps and exceptions
- Collaborate with TPRM, Security, and Legal teams on vendor risk matters
Risk Metrics & Reporting
- Deliver clear, concise, and decision-useful risk reporting to senior management
- Contribute to KRIs, dashboards, and risk reporting to improve transparency and decision-making
- Support preparation of risk reports for senior management and Board committees
- Translate technical risk findings into business-relevant insights
- Escalate material risks and emerging themes proactively
Education and Experience:
- Bachelor’s degree required; advanced degree or certifications (CISA, CISSP, CRISC, etc.) preferred
Leadership Competencies
- Demonstrates ownership and accountability for risk oversight and outcomes
- Applies independent judgment and effective challenge
- Effective collaboration and communication with cross-functional teams
- Confident communicator with senior stakeholders
- Proactive risk identification and escalation mindset
Summary of Qualifications:
Required:
- 8–12+ years of experience in IT Risk, Technology Risk, Audit, Information Security, or related functions
- Knowledge of IT control frameworks (SOX, SOC, NIST, etc.) and regulatory requirements
- Experience supporting audits, control testing, and remediation tracking
- Strong analytical, problem-solving, and communication skills
Preferred:
- Experience in regulated industries
- Relevant certifications such as CISA, CRISC, or CISSP
- Experience with dashboards, KRIs, or reporting
- Hands-on technology delivery experience
Our Employee Value Proposition
- Competitive Pay, including a Bonus Target or Variable Pay Incentive Program
- Benefits Package - Medical, Dental, and Vision (plus much more)
- 401(k) Plan with Company Match
- Short- & Long-Term Disability
- Wellness Programs
- Group Life and AD&D Insurance
- Paid Vacation, Sick Days, and Bank Holidays
- Employee Engagement Activities including Employee Appreciation Day, DEI Employee Resource Groups, Corporate Social Responsibility, Service Recognition
We offer a total rewards package comprised of a competitive base rate of pay, variable pay incentive programs based on the role, and a comprehensive benefit suite. Offered rates of pay are determined based on job-related knowledge, relevant experience, skills, certifications, and geographic location.
We are an equal opportunity employer, and we evaluate qualified applicants without regard to race, color, religion, sex, national origin, disability, veteran status or any other legally protected characteristic. We will conduct a thorough background check for all hires in compliance with applicable laws.