Director, IT Governance, Risk, and Compliance (GRC)

About The Position

Requirements

• Bachelor’s degree in Information Systems, Computer Science, or a related field
• 10+ years of experience in IT governance, compliance, validation, risk, or quality roles within a regulated life sciences environment
• Demonstrated experience supporting GxP, SOX, and Annex 11 compliance
• Strong understanding of IT system validation, change control, and documentation requirements
• Hands-on experience creating and maintaining IT policies, SOPs, and governance frameworks
• Experience supporting internal and external audits and regulatory inspections
• Proven ability to operate as a senior individual contributor with ownership and accountability
• Strong project management skills with the ability to manage multiple initiatives concurrently
• Excellent written and verbal communication skills, with the ability to translate regulatory requirements into practical implementation
• Detail-oriented, risk-aware, and pragmatic in approach

Nice To Haves

• Experience in a clinical-stage or commercializing biotech or pharmaceutical company
• Familiarity with FDA regulations (e.g., 21 CFR Part 11) and global regulatory expectations
• Experience partnering closely with Quality, Clinical Operations, Finance, and Legal teams
• Exposure to enterprise systems such as QMS/eQMS, RIMS, CTMS, ERP, or financial systems
• Formal project management training or certification (e.g., PMP) a plus

Responsibilities

• IT Governance & Policy Management
• Own the development, maintenance, and enforcement of IT policies, SOPs, work instructions, and department- and company-wide processes
• Establish and maintain a scalable IT governance framework aligned with company growth and regulatory expectations
• Ensure policies and procedures align with industry best practices and regulatory standards, including NIST, GxP, and SOX
• Partner with IT and business stakeholders to operationalize governance requirements across the organization
• IT Risk Management
• Lead IT risk identification, assessment, and mitigation activities across systems and processes
• Support enterprise risk management initiatives as they relate to IT, cybersecurity, and regulated systems
• Ensure IT risks are documented, tracked, and addressed in a risk-based and pragmatic manner
• Align IT risk management practices with recognized frameworks such as NIST
• Regulatory Compliance
• Serve as the primary IT owner for external regulatory compliance initiatives, including SOX, GxP, EU Annex 11, and other applicable U.S., EU, and UK regulations
• Ensure IT controls are designed, implemented, and operating effectively to support audit and inspection readiness
• Act as a key IT liaison during internal audits, external audits, and regulatory inspections
• Manage IT-related audit responses, findings, and corrective and preventive actions (CAPAs)
• IT Validation & Quality Oversight
• Oversee IT system validation activities for new and existing systems in regulated environments
• Ensure validation documentation, testing, approvals, and traceability are completed in a compliant and inspection-ready manner
• Own or support IT change control processes, ensuring changes are properly assessed, approved, tested, and documented
• Partner closely with Quality and system owners to ensure validation activities meet regulatory and company standards
• IT Project Management
• Provide governance and oversight for IT initiatives, ensuring delivery aligns with compliance, risk, and business priorities
• Integrate compliance, validation, and risk considerations into project planning and execution
• Coordinate with internal teams and external vendors to drive accountability and delivery
• Track project risks, dependencies, and milestones, escalating issues as appropriate
• Vendor & Third-Party Oversight
• Support IT vendor qualification and oversight activities in partnership with Quality
• Participate in vendor assessments and audits as needed, including occasional travel with Quality for inspections
• Ensure vendor-managed systems and services meet Tango’s governance and compliance expectations