Job Summary

The GRC Manager is responsible for developing, implementing, and managing the organization’s Governance, Risk, and Compliance framework to ensure alignment with industry standards, regulatory requirements, and strategic business objectives. This role oversees risk assessments, policy development, compliance audits, and enterprise risk reporting while promoting a risk-aware culture across the organization.

Key Responsibilities

Governance

• Develop, maintain, and enforce GRC policies, standards, and frameworks aligned with best practices (e.g., ISO 27001, COBIT, NIST, ITIL).

• Oversee the establishment and continuous improvement of information security governance structures and risk management processes.

• Coordinate the development and maintenance of organizational policies, SOPs, and guidelines related to risk, compliance, and data protection.

• Lead GRC awareness and training programs for internal stakeholders.

Risk Management

• Identify, assess, and manage enterprise and IT risks through a structured risk management process.

• Conduct periodic risk assessments, threat modeling, and impact analysis to support decision-making.

• Maintain and update the enterprise risk register and ensure that mitigation plans are in place and monitored.

• Collaborate with business units and IT to embed risk management practices in daily operations and strategic planning.

• Monitor emerging risks and recommend appropriate responses.

Compliance

• Monitor regulatory and legal compliance requirements relevant to the organization’s industry (e.g., data protection, cybersecurity, financial reporting).

• Lead internal and external audits related to compliance, including ISO certifications and regulatory inspections.

• Manage responses to compliance violations, audit findings, and risk incidents.

• Oversee third-party risk assessments and vendor compliance reviews.

• Ensure compliance with data privacy frameworks (e.g., GDPR, HIPAA, or regional equivalents).

Reporting & Communication

• Provide periodic reporting to executive leadership and relevant committees on the status of risk, compliance, and governance initiatives.

• Develop dashboards, metrics, and KPIs for monitoring GRC performance.

• Facilitate risk and compliance workshops and forums with key stakeholders.

Qualifications & Experience

• Bachelor’s or Master’s degree in Information Security, Risk Management, Business Administration, or a related field.

• Minimum 7–10 years of relevant experience in GRC, cybersecurity, audit, or enterprise risk.

• Professional certifications preferred: CRISC, CISM, CISSP, ISO 27001 Lead Implementer/Auditor, CGEIT, or similar.

• Strong knowledge of regulatory and compliance frameworks such as ISO 27001, NIST, PCI-DSS, GDPR, HIPAA, or regional standards.

• Proven experience implementing and managing enterprise GRC tools or platforms (e.g., RSA Archer, ServiceNow GRC, MetricStream).