Manager, Technology Risk

ABOUT THE ROLE

The Technology Risk Manager is a senior individual contributor responsible for driving Hinge Health’s technology risk posture across security, infrastructure, and IT. You’ll act as the primary owner for technology risk across multiple teams rather than as a pure advisor. The role has broad exposure to Security , IT, Engineering leadership, and you’re expected to confidently surface risks, drive clear risk evaluations, and collaborate with partners to land practical remediation decisions.

You’ll work closely with Application Security, Engineering , Security, and IT to translate technical vulnerabilities into business risk, maintain the Technology Risk Register, and ensure high-quality, timely remediation in a PHI-handling and heavily regulated environment.

WHAT YOU’LL DO

• Maintain and continuously refine the Technology Risk Register, documenting cyber, operational, and regulatory risks with clear ratings, owners, and mitigation plans.
• Track and drive remediation progress across engineering and IT teams, escalating and unblocking as needed to ensure risk treatment plans meet agreed SLAs.
• Regulatory Compliance & Governance (SOX & HIPAA).
• Serve as a primary interface for internal and external auditors on SOX IT General Controls (ITGC) and related technology control testing, documentation, and evidence collection.
• Coordinate and track remediation of SOX ITGC findings, ensuring clear ownership, high-quality corrective actions, and timely closure to prevent control deficiencies and material weaknesses.
• Partner with Security, Accounting, Legal/Compliance, and IT to ensure risk and control practices support HIPAA and other healthcare regulatory requirements.
• Partner with Application Security, SRE, and Infrastructure teams to aggregate, prioritize, and track code vulnerabilities, penetration-testing findings, and infrastructure risks across the SDLC.
• Analyze vulnerability trends (by system, control, and data sensitivity) to help teams focus on the highest-impact remediation work.
• Drive consistent, high-quality documentation of risk decisions, mitigations, and compensating controls.
• Design and maintain risk and control dashboards that provide senior leadership with clear insight into security posture, compliance status, and remediation velocity.
• Produce recurring executive-ready reports and narratives that translate complex technical risk into clear, non-technical language for decision-makers and risk committees.
• Recommend and refine KPIs/KRIs that measure technology risk, SOX ITGC health, and vulnerability reduction over time.

WHAT YOU BRING

• 8+ years of experience in technology risk, IT audit, cybersecurity, or information security, with recent, hands-on in SOX-driven or heavily regulated environments (e.g. public/pre-IPO, company, Big 4 IT audit/risk advisory, financial services or healthcare).
• Proven track record as a senior IC leading complex, cross-functional risk or compliance programs with high visibility to engineering and IT leadership.
• Deep experience with SOX IT General Controls (design, testing, and remediation) in cloud-first environments.
• Strong understanding of access management, change management, computer operations, and related control frameworks.
• Comfort working in PHI-handling or similarly sensitive data environments.
• Demonstrated ability to influence senior engineering and IT stakeholders: you can surface uncomfortable risks, keep discussions anchored in facts and impact, and help teams arrive at well-documented decisions.
• Excellent relationship-builder who balances assertiveness with partnership—able to challenge, negotiate trade-offs, and still maintain trust.
• Exceptional written and verbal communication skills; you distill complex technical risk into concise, executive-ready narratives and clear action plans.

PREFERRED QUALIFICATIONS

• Certifications such as CISA, CISSP, or equivalent.
• Prior Big 4 (or similar) experience in IT audit, SOX, or technology risk.
• Experience with SOX IT General Controls and broader security frameworks.

Hinge Health Hybrid Model This is a hybrid role based in the San Francisco office, requiring in-person attendance three days per week for a full 8-hour business day. On remote days, employees are expected to work during core business hours with flexibility. The office is part of a dog-friendly workplace program, and while travel is not regularly required, occasional off-site/on-site events may occur. Physical demands are minimal and primarily involve standard office activities such as sitting, typing, and video conferencing.

ABOUT HINGE HEALTH

At Hinge Health, we’re using technology to scale and automate the delivery of healthcare – starting with musculoskeletal (MSK) conditions, which affect over 1.7 billion people worldwide. With an AI-powered human-centered care model, Hinge Health leverages cutting-edge technology to improve outcomes, experiences and costs to help people move beyond their pain. The platform addresses a broad spectrum of MSK care – from acute injury, to chronic pain, to post-surgical rehabilitation – through personalized, evidence-based care.

As the preferred partner to 50+ health plans, PBMs and other ecosystem partners, Hinge Health is available to over 20 million people across more than 2,550 employers. The company is headquartered in San Francisco with additional offices in Montreal and Bangalore. Learn more at http://www.hingehealth.com

WHAT YOU'LL LOVE ABOUT US

• Inclusive healthcare and benefits: On top of comprehensive medical, dental, and vision coverage, we offer employees and their family members help with gender-affirming care, tools for family and fertility planning, and travel reimbursements if healthcare isn’t available where you live.
• Planning for the future: Start saving for the future with our traditional or Roth 401k retirement plan options which include a 2% company match.
• Modern life stipends: Manage your own learning and development
• Grow with us through discounted company stock through our ESPP with easy payroll deductions.

CULTURE & ENGAGEMENT

Hinge Health is an equal opportunity employer and prohibits discrimination and harassment of any kind. We make employment decisions without regards to race, color, religion, sex, sexual orientation, gender identity, national origin, age, veteran status, disability status, pregnancy, or any other basis protected by federal, state or local law. We also consider qualified applicants regardless of criminal histories, consistent with legal requirements. We provide reasonable accommodations for candidates with disabilities. If you feel you need assistance or an accommodation due to a disability, let us know by reaching out to your recruiter.

By submitting your application you are acknowledging we are using your personal data as outlined in the personnel and candidate privacy policy.

Beware of Phishing Attempts: We've noticed an increase in phishing where fraudsters impersonate employees and send fake job offers to steal sensitive information. We'll never ask for financial details during the hiring process and only use "@hingehealth.com http://hingehealth.com" emails. If you receive a suspicious offer, stop communication and report it to the US FBI Internet Crime Complaint Center. To verify an email from our recruiting team, forward it to security@hingehealth.com https://app.ashbyhq.com/admin/organizational-settings/theme#.