Head of Governance, Risk and Compliance - CISO function - BPL
Listed on 2026-06-04
IT/Tech
Cybersecurity, Information Security, Data Security, IT Consultant
The Head of GRC leads the pillar responsible for ensuring the organisation understands, manages, and can demonstrate compliance with its security risk and regulatory obligations. This includes owning the PCI DSS compliance programme, managing FCA and ICO regulatory engagement, maintaining the security risk register, and ensuring third‑party risks are assessed and managed. The role bridges the gap between technical security delivery and regulatory/business expectations, translating the organisation’s declared risk appetite into measurable tolerances, control objectives, and compliance evidence.
This is a critical leadership position that requires someone comfortable operating at both strategic and operational levels. The ideal candidate will have a financial services background, regulation expertise and practical experience, and the credibility to engage effectively with the FCA, external auditors, and the QSA.
- Own the security policy framework, ensuring policies are current, proportionate, and aligned to PCI DSS, FCA expectations, UK GDPR, and DORA requirements.
- Maintain and operate the security risk register, ensuring risks are assessed consistently using a defined methodology, owned explicitly, and reported accurately to the CISO and Executive Leadership Team.
- Manage the relationship with external auditors, the Qualified Security Assessor (QSA), and 2nd/3rd Line of Defence on all security and technology risk matters.
- Own the third‑party security assurance process, ensuring all vendors, partners, and card scheme integrations are risk‑assessed with a tiered approach proportionate to data access and criticality.
- Chair the monthly Cyber and Tech Risk and Controls Forum, presenting risk posture, compliance status, and material findings to the CISO, CIO and ELT.
- Design and maintain the control framework, mapping controls to PCI DSS, FCA, UK GDPR, and DORA requirements, and ensuring control effectiveness is tested on a continuous cycle.
- Produce KRI dashboards and risk reporting for CISO, CIO, and ELT consumption, ensuring risk is communicated in business terms.
- Lead regulatory and audit engagement on security matters, coordinating regulatory review and audit interactions and proactively managing stakeholder relationships.
- Own the risk assessment calendar, ensuring both cyclical and event‑driven assessments are executed on schedule with appropriate rigour.
- Manage the risk acceptance process, ensuring risk acceptance decisions are documented, time‑bound, approved at the appropriate authority level, and reviewed before expiry.
- Manage and develop the GRC team, building capability across risk assessment, compliance, and third‑party assurance disciplines.
- Security risk register, reviewed and updated monthly with full audit trail in the GRC platform.
- PCI DSS compliance roadmap and continuously maintained evidence repository.
- Monthly Cyber and Tech risk and compliance report for CISO and ELT.
- Quarterly KRI dashboard and risk trend analysis for Risk Committee reporting.
- Annual third‑party security assurance plan with tiered assessment calendar and completion tracking.
- Control framework mapping document (controls mapped to PCI DSS 4.0 / FCA / UK GDPR / DORA requirements).
- Risk assessment calendar (cyclical and event‑driven) with capacity planning.
- Risk acceptance authority matrix and active acceptance register.
- CISM, CRISC, or CISSP certification.
- Experience with DORA (Digital Operational Resilience Act) compliance requirements and implementation.
- ISO 27001 Lead Auditor or Lead Implementer certification.
- PCI QSA or Internal Security Assessor (ISA) qualification.
- Previous experience in FinTech, Digital Banking, or Payment Acquiring organisations.
- Experience with Visa GACS and Mastercard SDP acquirer compliance programmes.
- Significant progressive experience in information security governance, risk, and compliance, with at least 5 years leading a GRC team in a regulated environment.
- Strong understanding of UK GDPR and the role of security controls in meeting data protection obligations, including breach notification requirements and data protection impact…