GRC Lead - Chicago, IL

Build the program. Own the outcome. Shape what comes next.

Savant is hiring a GRC Lead to design, build, and own our governance, risk, and compliance program from the ground up.

This is not a maintenance role. There's no inherited framework to "optimize" and no playbook sitting on a shelf. Instead, this is a rare opportunity for a seasoned GRC professional to step into full ownership - setting the foundation for how Savant manages security, risk, and regulatory obligations as we continue to grow.

If you enjoy turning complex regulatory expectations into practical, enforceable programs - and you want real accountability rather than advisory influence - this role was built for you.

Why This Role Is Different

• True ownership. You'll own Savant's GRC operating model end-to-end, including governance, controls, escalation, and program maturity.
• Greenfield build. You'll design the framework, not inherit someone else's.
• Business-first mindset. This role sits at the intersection of technology, compliance, and leadership - translating risk into clear, actionable decisions.
• Long runway. As Savant scales, this role grows with it - including future leadership opportunities.

What You'll Do

You'll be responsible for building and operating the firm's GRC program, partnering closely with IT, Security, Compliance, Legal, HR, and executive leadership. Key areas of ownership include:

• Designing and implementing governance strategies, security policies, standards, and procedures aligned with regulatory obligations
• Mapping and operating against frameworks such as SEC, SOC 2, NIST (HIPAA and/or HITRUST experience is also valued)
• Owning control design, effectiveness, testing, and ongoing monitoring
• Leading third-party and vendor risk management programs
• Monitoring and enforcing vulnerability management and remediation efforts
• Supporting audits, regulatory exams, and security questionnaires with confidence and clarity
• Turning technical risk into business-level reporting leadership can actually use
• Building maturity over time - prioritizing what matters most and sequencing the rest

How You'll Work

• Work model: Primarily remote, with flexibility to meet in person at regional offices as needed
• Location focus: Chicagoland / driving distance to Savant offices
• Cadence: Autonomy-heavy, ownership-driven, with close collaboration early on

This role introduces structure and discipline across the organization, so success depends on strong influence, communication, and judgment - not an authoritarian approach.

What We're Looking For (Must-Haves)

We're looking for a program owner, not an analyst. You bring:

• 5+ years of experience in information security policy, audit, and technical compliance
• Bachelor's degree in information technology, computer science, or related field.
• Hands-on experience operating in highly regulated environments
• Proven ownership of a GRC program or major components of one - not just support work
• Experience designing policies, controls, and governance processes
• Comfort supporting audits and regulatory exams end-to-end (evidence, narratives, questionnaires)
• High level of communication with the ability to explain technical risk in clear, business-friendly language
• The ability to reliably commute to our Chicagoland offices at least once a week. To be considered, individuals must reside within 50 miles of our Chicago area offices.

Nice-to-Haves

• Experience across multiple regulatory environments (e.g., SEC + HIPAA / HITRUST)
• Familiarity with GRC automation tools (such as Drata or similar platforms)
• Relevant certifications (CISSP, CISA, CRISC, etc.) - helpful, but not required

What matters most is judgment, ownership, and the ability to build something that works in the real world.

Who This Role Is Not For

This role is likely not the right fit if your experience has focused primarily on:

• Ticket processing, screenshots, or checklist-only compliance work
• Analyst-level support without decision-making ownership
• Purely theoretical or academic security models without practical enforcement

What Success Looks Like

In your first year, success means:

• A clear, defensible GRC framework is in place and actively used
• Vendor and supplier risk is centralized and managed
• Vulnerability management is monitored, enforced, and visible
• Leadership has confidence in audit readiness and risk reporting

Why Join Us?

For nearly 40 years, Savant Wealth Management has served as a trusted advisor to established individuals, families, and businesses seeking clarity and confidence in their financial lives. Our name, rooted in the Latin word sapere-"to be wise"-reflects our commitment to evidence-based investing and the power of decision-making based on deep knowledge. We are a fee-only, independent, fiduciary wealth management firm providing comprehensive guidance on investments, financial planning, tax and business consulting, estate planning, trust services, and family office support.

At the heart of our firm is a culture of lifelong learning-one that values curiosity, continuous improvement, and helps clients…