Governance Risk Compliance Manager

Overview

The position will prioritize the risk management, third party risk management, policy management, policy exceptions, and issue management responsibilities listed below, while still supporting all GRC areas based on resource needs.

• Serve as the primary subject matter expert for technology and cyber risks and advise stakeholders on effective risk identification, analysis, documentation, and treatment
• Lead enterprise technology risk assessments including annual and ongoing risk evaluation activities. Maintain and improve the enterprise risk register including trend analysis, aggregation, remediation monitoring, and reporting for leadership
• Partner with technology teams to define appropriate risk responses and ensure adherence to the risk management process
• Evaluate the effectiveness of existing risk controls and recommend enhancements
• Support other risk related activities as needed

• Lead the assessment of risks related to vendors, contractors, service providers, and other external partners
• Evaluate third party security documentation including SOC reports and other independent validation reports
• Coordinate follow up with vendors and internal stakeholders on identified third party risks and required remediation
• Maintain third party risk records and provide reporting to technology and business leadership
• Support the integration of third-party risk management activities into procurement and contract processes

• Oversee the development, approval, publication, and ongoing review of technology policies, standards, and procedures
• Ensure policy content aligns with risk management outcomes, regulatory requirements, and applicable control frameworks such as NIST CSF
• Partner with process owners and technology leaders to ensure policy expectations are understood and implemented
• Develop and maintain policy governance metrics and reporting

• Lead the formal policy exception program including intake, evaluation, and decision support
• Review exception requests for risk impact and recommend appropriate time bound conditions, compensating controls, or mitigation actions
• Maintain accurate documentation of exception approvals, expirations, and follow up requirements
• Provide reporting on exception trends for leadership review

• Maintain a centralized inventory of issues identified through audits, assessments, risk reviews, and compliance activities
• Partner with process owners to define corrective action plans that address root causes and prevent recurrence
• Validate remediation evidence to ensure closure activities meet requirements
• Monitor remediation timelines and escalate delays when necessary
• Provide reporting on issue trends and progress for leadership

• Participate in the creation and review of technology related governance documents and support alignment with best practice frameworks
• Provide guidance during procurement, project planning, and product review processes to ensure compliance with internal policies and regulatory expectations
• Support development and assessment of GRC metrics
• Support the information security awareness program including targeted training and required annual content
• Assist with governance related activities as needed

• Support proactive readiness with process and control owners in advance of technology audits and regulatory assessments
• Facilitate audit and assessment requests including evidence collection and coordination with internal and external teams
• Evaluate the adequacy of control design and operation relative to regulatory obligations and internal standards
• Assist in the completion and documentation of compliance reviews
• Support other technology compliance duties as needed

• Develop and implement succession plans
• Create task rotation schedules to broaden GRC staff knowledge across all GRC domains

Education:

• Bachelor’s degree is preferred, preferably in a technology discipline
• Relevant certification such as CISSP, CISA, CISM, or CRISC is a plus

Required skills/experience:

• Minimum 5 years of proven experience in information security governance, risk management, and…