GRC Risk Management and Governance

About The Position

Requirements

• 10+ years of experience in cybersecurity risk management, technology risk, or enterprise risk governance, with significant experience at a senior leadership level.
• Bachelor’s degree in information systems, computer science, data analytics, cybersecurity or related field (or equivalent experience).
• Deep understanding of cyber risk frameworks, enterprise risk management, and regulatory expectations within a large, complex financial services or regulated environment.
• Proven experience with risk governance, control assurance and assessments, KRIs, issue management, and executive reporting.
• Strong ability to build relationships across the three lines of defense and influence at executive and Board levels.
• Exceptional communication skills, with the ability to translate technical and risk concepts into executive‑level insights.
• Experience leading highly successful teams in achieving objectives and key results.

Nice To Haves

• Cybersecurity Certifications such as: CISSP, CISM or equivalent.
• Experience implementing automated and/or continuous controls monitoring in cloud and hybrid environments.
• Strong analytical mindset with the ability to translate ambiguous risk or control questions into measurable metrics and repeatable tests.
• Clear written and verbal communication skills, including the ability to explain complex technical findings and trends to leadership.

Responsibilities

• Own and evolve the Cyber Risk Management Framework, ensuring alignment with the Enterprise Risk Framework and regulatory expectations.
• Govern cyber risk taxonomies, risk appetite statements, risk metrics, and assessment methodologies.
• Support embedding cyber risk practices across the L3 Cyber risk methodology and support functional and business risk owners in their efforts to improve and sustain cyber risk posture.
• Provide oversight of control assurance and remediation execution and quality, including challenge, escalation, and consistency.
• Ensure consistent linkage between assessment outcomes, risk appetite, and remediation priorities.
• Enable and guide Enterprise Process Owner (EPO) / Metric Owners with challenges related to processes area / Key Risk Indicator improvement, ensuring clear accountability and effective operation.
• Support the second line of defense in defining, maintaining, and overseeing Cyber Key Risk Indicators (KRIs) and thresholds, ensuring they provide meaningful insight into risk posture and trends.
• Coordinate cyber risk matters for management‑level and executive Risk Committees, including agenda development, materials, and escalation.
• Produce and oversee executive‑level cyber risk reporting, including risk posture, trends, material issues, and emerging risks. Ensure reporting is concise, decision‑oriented, and aligned with enterprise and Board risk governance expectations.
• Serve as the primary cyber risk interface with Technology Risk Advisors (TRAs), coordinating inputs, challenge, outcomes, and follow‑through.
• Oversee LOD and legal entity cyber risk reporting, ensuring a consistent Global Cybersecurity view.
• Coordinate with Cyber Compliance teams to provide accurate data sharing for regulatory engagement and legal entities.
• Provide governance oversight for issues that impact cyber risk, including intake, severity assessment, challenge, escalation, and closure monitoring.
• Oversee cyber risk acceptance governance, ensuring decisions are risk‑informed, appropriately documented, time‑bound, and approved at the correct level. Ensure alignment between issues, risk acceptances, and risk appetite.
• Lead the intake and governance of cyber findings from audits, regulatory reviews, assessments, and testing activities. Ensure findings are consistently risk‑rated, challenged where appropriate, and tracked through remediation to closure.
• Monitor remediation progress, aging, and systemic themes, escalating concerns as needed to governance/management committees.