Director of Governance, Risk, and Compliance / TPRM

Independence Pet Group
Illinois, IL
Hybrid

About The Position

Independence Pet Holdings is a corporate holding company established in 2021, managing a diverse portfolio of pet health brands and services. The Director, Governance, Risk & Compliance (GRC) and Third-Party Risk Management (TPRM) is an enterprise leadership role accountable for the design, implementation, and continuous maturation of a unified risk and compliance program across a $2.5 billion insurance holding company. This position holds end-to-end accountability for the information security compliance posture of an organization comprised of 12 Managing General Agencies (MGAs) and 2 insurance carriers, operating within a complex and highly regulated environment. The role requires executive-level influence, regulatory fluency, and the ability to drive consistency across a federated, acquisition-driven operating model.

Requirements

  • 12–15+ years of progressive experience in cybersecurity, risk management, compliance, or audit.
  • 5–7+ years in senior leadership roles within insurance or highly regulated financial services environments (required).
  • Proven success leading enterprise GRC and TPRM programs across complex, multi-entity organizations.
  • Licensed attorney (JD) or Certified Public Accountant (CPA) strongly preferred, particularly with experience in regulatory interpretation, audit, or assurance.
  • Background in external audit, internal audit, or regulatory advisory highly desirable.
  • MBA or equivalent advanced business degree preferred.
  • Deep knowledge of NIST 800-53, ISO 27001, SOC 2, PCI DSS, and regulatory regimes such as NYDFS.
  • Strong command of third-party risk methodologies and vendor lifecycle governance.
  • Experience implementing and scaling GRC tooling platforms.
  • Ability to design and operationalize scalable, evidence-based control frameworks.
  • Executive presence with the ability to influence across Legal, Audit, Technology, Privacy, and Risk domains.
  • Strong strategic and analytical thinking with the ability to translate risk into financial and operational impact.
  • Exceptional communication skills, including board-level engagement.

Nice To Haves

  • CISSP (Certified Information Systems Security Professional)
  • CISM (Certified Information Security Manager)
  • CRISC (Certified in Risk and Information Systems Control)
  • CISA (Certified Information Systems Auditor)
  • CGRC (Certified in Governance, Risk and Compliance)
  • CIA (Certified Internal Auditor)
  • CIPP / CIPM (privacy certifications)
  • ISO 27001 Lead Implementer or Lead Auditor

Responsibilities

  • Own and maintain the enterprise-wide information security compliance posture across all operating entities, ensuring alignment with regulatory expectations and internal risk appetite.
  • Establish a defensible, evidence-driven control environment capable of withstanding regulatory scrutiny across multiple jurisdictions.
  • Serve as the authoritative leader for compliance strategy across MGAs and carrier entities with differing regulatory obligations.
  • Design and implement a unified GRC operating model across multiple insurance entities with varying levels of maturity.
  • Establish a control-centric framework leveraging NIST 800-53, ISO 27001, SOC 2, and PCI DSS.
  • Transition the organization from periodic, interview-based assessments to continuous, evidence-driven compliance measurement.
  • Define and operationalize KRIs, control effectiveness metrics, and executive reporting.
  • Serve as the central point of accountability for regulatory readiness, including NYDFS, state insurance regulators, and international frameworks where applicable.
  • Lead enterprise-wide audit strategy (SOC 2 Type II, ISO 27001, internal audits).
  • Interface directly with regulators and external auditors to ensure consistent narratives, defensible controls, and successful audit outcomes.
  • Drive enterprise remediation strategies with measurable timelines and executive accountability.
  • Build and scale a comprehensive TPRM program across the full vendor lifecycle.
  • Establish risk tiering, due diligence, and continuous monitoring aligned with enterprise risk tolerance.
  • Integrate TPRM into procurement, legal, and business operations to ensure consistent enforcement.
  • Oversee risk acceptance and exception governance frameworks.
  • Harmonize fragmented GRC practices across acquired entities into a centralized and scalable function.
  • Drive automation strategy leveraging GRC platforms (AuditBoard, Drata, or equivalent) to enable real-time compliance visibility and evidence collection.
  • Embed security, privacy, and identity governance into enterprise-wide control frameworks.
  • Advance organizational maturity toward a “Security First” operating model.
  • Provide regular reporting to executive leadership and board-level stakeholders (e.g., Audit Committee, Risk Committee).
  • Collaborate daily with the Chief Privacy Officer (CPO) and Chief Risk Officer (CRO) organizations to ensure alignment across privacy, enterprise risk management, and information security compliance.
  • Translate complex regulatory and technical requirements into business-aligned decision frameworks.
  • Influence enterprise investment decisions through quantified risk exposure and control effectiveness.
  • Lead a multi-layered global GRC and TPRM organization, including:
      • 4 senior GRC functional leaders
      • A transversal offshore operations team
      • A dedicated outsourced delivery pod (India-based) supporting scaled compliance and assessment activities
  • Establish governance models, performance management, and operational rigor across distributed teams.
  • Drive talent strategy, succession planning, and capability development aligned to enterprise scale.
  • Designs, develops, and implements focused strategies.
  • Leads the development of programs that are critical to the organization and ensures execution of the function.
  • Provides advice and consultation to senior and executive management related to operational and/or strategic decisions and resolves critical issues.
  • Actively participates in the budget and goal setting process for the department.
  • Provides guidance, counseling, and continuing education opportunities to staff.
  • Selects, develops, coaches, mentors, and assesses performance of staff.
  • Provides guidance to consistently improve the processes of the area(s) of focus.
  • Develops, implements, and maintains administrative policies and procedures.
  • Provides leadership through influencing and directing the work of others to execute plans to meet strategic and operational objectives.
  • Performs other duties and responsibilities as assigned.

Benefits

  • Comprehensive full medical, dental and vision insurance
  • Basic Life Insurance at no cost to the employee
  • Company paid short-term and long-term disability
  • 12 weeks of 100% paid Parental Leave
  • Health Savings Account (HSA)
  • Flexible Spending Accounts (FSA)
  • Retirement savings plan
  • Personal Paid Time Off
  • Paid holidays and company-wide Wellness Day off
  • Paid time off to volunteer at nonprofit organizations
  • Pet friendly office environment
  • Commuter Benefits
  • Group Pet Insurance
  • On the job training and skills development
  • Employee Assistance Program (EAP)