Senior GRC Manager
Listed on 2026-03-12 - IT/Tech - Business
Risk Exec is a rapidly growing SaaS company that delivers a best-in-class compliance analytics and reporting platform to help financial institutions and lenders comply with key government regulations and unlock new growth opportunities.
Working at Risk Exec
At Risk Exec, we’re building a world class Compliance and Business Intelligence Platform trusted by regulated financial institutions including banks, credit unions, and fintech lenders. We help our clients confidently navigate complex regulatory requirements while achieving business growth. Our high-performing team thrives in a dynamic, fast-paced environment that requires maximum professionalism, flexibility, and responsiveness. We value driven individuals who embrace ownership and accountability, excel at collaborating closely with teammates, and dedicate themselves fully to delivering exceptional outcomes.
As an entrepreneurial organization, the demands of our business don’t always fit into a “traditional 9-5” schedule.
Risk Exec sells into banks and credit unions that expect disciplined governance, provable controls, and rapid, defensible responses to vendor risk scrutiny. This role exists now because we need a single owner accountable for the governance system that underpins trust: how policies are set and maintained, how risks are recorded and adjudicated, how controls stay effective, and how we prove it—fast.
You will own our SOC 2 program, enterprise due diligence execution, and Trust Center, while also operating as the company’s governance lead: turning “security and compliance” into an operating system with clear decision rights, measurable outcomes, and audit-grade traceability. You will use AI as leverage to reduce cycle time, improve consistency, and keep Risk Exec continuously ready.
We are prioritizing candidates in the Washington, DC, Chicago, and Knoxville areas. We will also consider remote candidates based in the United States in the ET and CT time zones.
What You Will Do
What you will own:
- Governance system ownership: the structure, cadence, and decisioning for risk, controls, policies, exceptions, and accountability (including executive-level reporting).
- Risk management operating rhythm: risk register quality, risk acceptance workflows, exception handling, and control ownership clarity across the org.
- SOC 2 end-to-end ownership: readiness, evidence strategy, auditor management, remediation tracking, and year-round audit posture.
- Vendor risk & due diligence execution: DDQs/SIGs, procurement security reviews, customer risk calls, and follow-up threads that unblock revenue.
- Trust Center as a product: content strategy, publishing governance, accuracy guarantees, and ongoing maintenance tied to real architecture and controls.
- Compliance proof library: a centralized, version-controlled repository of reusable, bank-ready narratives and evidence with clear freshness/expiry rules.
- AI-enabled compliance operations: the workflows, controls, and QA process that make AI output reliable, repeatable, and audit-aligned.
How You Will Drive Impact
You will build a governance-and-compliance engine that runs on cadence, not heroics:
- Weekly: evidence/control hygiene and deal support triage
- Monthly: risk register updates, vendor reviews, and exception log review
- Quarterly: control effectiveness reviews, policy refresh cycles, executive readouts
- Pre-audit: a defined sprint with zero scrambling because the system is already current
- Decision authority (explicit):
  - Set the standard for what Risk Exec can claim externally, and stop claims that aren’t provable.
  - Require remediation plans with owners/dates for control gaps.
  - Own the risk acceptance workflow and elevate material risks to exec leadership with recommendations.
- AI is part of the operating model (expected outcomes):
  - Build AI-assisted DDQ/SIG response workflows that pull from approved internal sources and the proof library.
  - Use AI to draft/refresh policies and control narratives, then apply human review and audit alignment checks.
  - Automate evidence summaries, Trust Center updates, and change-detection prompts tied to product/infra changes.
  - Establish guardrails: source-of-truth requirements, red-team review…