Governance Risk & Compliance Manager

Boyd Gaming Corporation, Las Vegas, NV

About The Position

The Manager for Governance Risk and Compliance will lead and strengthen Boyd Gaming programs that support enterprise risk management with an emphasis on technology risk, third party risk, policy governance, policy exception oversight, and issue management. The role ensures that risks are identified, evaluated, communicated, and appropriately addressed across the organization. The manager will collaborate with technology and business teams to maintain alignment with internal expectations and external regulatory requirements while supporting broader GRC functions when needed. The position will prioritize the risk management, third party risk management, policy management, policy exceptions, and issue management responsibilities listed below, while still supporting all GRC areas based on resource needs.

Risk Management:

  • Serve as the primary subject matter expert for technology and cyber risks and advise stakeholders on effective risk identification, analysis, documentation, and treatment
  • Lead enterprise technology risk assessments including annual and ongoing risk evaluation activities
  • Maintain and improve the enterprise risk register including trend analysis, aggregation, remediation monitoring, and reporting for leadership
  • Partner with technology teams to define appropriate risk responses and ensure adherence to the risk management process
  • Evaluate the effectiveness of existing risk controls and recommend enhancements
  • Support other risk related activities as needed

Third Party Risk Management:

  • Lead the assessment of risks related to vendors, contractors, service providers, and other external partners
  • Evaluate third party security documentation including SOC reports and other independent validation reports
  • Coordinate follow up with vendors and internal stakeholders on identified third party risks and required remediation
  • Maintain third party risk records and provide reporting to technology and business leadership
  • Support the integration of third-party risk management activities into procurement and contract processes

Policy Management:

  • Oversee the development, approval, publication, and ongoing review of technology policies, standards, and procedures
  • Ensure policy content aligns with risk management outcomes, regulatory requirements, and applicable control frameworks such as NIST CSF
  • Partner with process owners and technology leaders to ensure policy expectations are understood and implemented
  • Develop and maintain policy governance metrics and reporting

Policy Exceptions:

  • Lead the formal policy exception program including intake, evaluation, and decision support
  • Review exception requests for risk impact and recommend appropriate time bound conditions, compensating controls, or mitigation actions
  • Maintain accurate documentation of exception approvals, expirations, and follow up requirements
  • Provide reporting on exception trends for leadership review

Issue Management:

  • Maintain a centralized inventory of issues identified through audits, assessments, risk reviews, and compliance activities
  • Partner with process owners to define corrective action plans that address root causes and prevent recurrence
  • Validate remediation evidence to ensure closure activities meet requirements
  • Monitor remediation timelines and escalate delays when necessary
  • Provide reporting on issue trends and progress for leadership

Information Security Governance:

  • Participate in the creation and review of technology related governance documents and support alignment with best practice frameworks
  • Provide guidance during procurement, project planning, and product review processes to ensure compliance with internal policies and regulatory expectations
  • Support development and assessment of GRC metrics
  • Support the information security awareness program including targeted training and required annual content
  • Assist with governance related activities as needed

Compliance:

  • Support proactive readiness with process and control owners in advance of technology audits and regulatory assessments
  • Facilitate audit and assessment requests including evidence collection and coordination with internal and external teams
  • Evaluate the adequacy of control design and operation relative to regulatory obligations and internal standards
  • Assist in the completion and documentation of compliance reviews
  • Support other technology compliance duties as needed

Team Development:

  • Develop and implement succession plans
  • Create task rotation schedules to broaden GRC staff knowledge across all GRC domains

Requirements

  • Minimum 5 years of proven experience in information security governance, risk management, and compliance roles
  • Minimum 2 years of proven experience acting in a supervisor or manager capacity
  • Demonstrates a risk-oriented mindset and the ability to articulate the relationship between technology risk, control, and policy
  • Experience in managing regulatory compliance audits and working with external and internal auditors
  • Excellent communication and interpersonal abilities, with the ability to influence and collaborate across different teams and levels of the organization
  • Effectively manages stress in a constantly changing environment
  • Demonstrates excellent judgment and the ability to make quick decisions and think outside the box when working with complex situations
  • Is forward-thinking and possesses business acumen
  • Possesses a high level of integrity, trustworthiness, and confidence, and represents the company and its management team at the highest level of professionalism

Nice To Haves

  • Bachelor's degree is preferred, preferably in a technology discipline
  • Relevant certification such as CISSP, CISA, CISM, or CRISC is a plus

Responsibilities

  • Serve as the primary subject matter expert for technology and cyber risks and advise stakeholders on effective risk identification, analysis, documentation, and treatment
  • Lead enterprise technology risk assessments including annual and ongoing risk evaluation activities
  • Maintain and improve the enterprise risk register including trend analysis, aggregation, remediation monitoring, and reporting for leadership
  • Partner with technology teams to define appropriate risk responses and ensure adherence to the risk management process
  • Evaluate the effectiveness of existing risk controls and recommend enhancements
  • Lead the assessment of risks related to vendors, contractors, service providers, and other external partners
  • Evaluate third party security documentation including SOC reports and other independent validation reports
  • Coordinate follow up with vendors and internal stakeholders on identified third party risks and required remediation
  • Maintain third party risk records and provide reporting to technology and business leadership
  • Support the integration of third-party risk management activities into procurement and contract processes
  • Oversee the development, approval, publication, and ongoing review of technology policies, standards, and procedures
  • Ensure policy content aligns with risk management outcomes, regulatory requirements, and applicable control frameworks such as NIST CSF
  • Partner with process owners and technology leaders to ensure policy expectations are understood and implemented
  • Develop and maintain policy governance metrics and reporting
  • Lead the formal policy exception program including intake, evaluation, and decision support
  • Review exception requests for risk impact and recommend appropriate time bound conditions, compensating controls, or mitigation actions
  • Maintain accurate documentation of exception approvals, expirations, and follow up requirements
  • Provide reporting on exception trends for leadership review
  • Maintain a centralized inventory of issues identified through audits, assessments, risk reviews, and compliance activities
  • Partner with process owners to define corrective action plans that address root causes and prevent recurrence
  • Validate remediation evidence to ensure closure activities meet requirements
  • Monitor remediation timelines and escalate delays when necessary
  • Provide reporting on issue trends and progress for leadership
  • Participate in the creation and review of technology related governance documents and support alignment with best practice frameworks
  • Provide guidance during procurement, project planning, and product review processes to ensure compliance with internal policies and regulatory expectations
  • Support development and assessment of GRC metrics
  • Support the information security awareness program including targeted training and required annual content
  • Assist with governance related activities as needed
  • Support proactive readiness with process and control owners in advance of technology audits and regulatory assessments
  • Facilitate audit and assessment requests including evidence collection and coordination with internal and external teams
  • Evaluate the adequacy of control design and operation relative to regulatory obligations and internal standards
  • Assist in the completion and documentation of compliance reviews
  • Support other technology compliance duties as needed
  • Develop and implement succession plans
  • Create task rotation schedules to broaden GRC staff knowledge across all GRC domains