*** This is a full time, permanent position. Our client WILL NOT sponsor Visas so no third parties please ***
IT Governance, Risk, and Compliance Manager (IT GRC)
Job Description: This role has existed for more than 10 years and helps mature the technology governance program, identify and provide guidance on risk remediation, and ensure compliance with regulators/auditors.
The ideal candidate is someone who understands the difference between GRC (proactive) and Audit (reactive). Our client is looking for someone who is familiar with GRC technologies (Archer, Metricstream, Modulo, SAP, etc.), understands and supports continuous control testing, and enjoys risk assessments and regulatory/audit examinations. This person MUST be able to talk at an executive level, but also ensure that the tactical details of various tasks are a high priority. A Big 4 audit firm candidate would be a strong fit if well experienced and seeking to proactively build a GRC program. This position has a full-time contract staff member to handle administrative tracking duties, proofing, and junior analysis. The position often brings in third-party services (and manages those engagements) to meet specific needs such as control assessments, risk assessments, and methodology validations. There is significant potential that a candidate for this position could move up in the organization and be a potential successor to the VP/Director, or take a position within the Enterprise Risk team or other risk functions.
· Maintain/track an inventory of all open audit (internal/external), assessment, and other third-party findings, in addition to exceptions to policies and standards. This includes helping finding owners develop remediation plans and tracking them to completion, as well as providing feedback to systemically address the risks identified from the assessment/audit.
· Facilitate/coordinate audits (internal/external) and federal examinations with areas throughout IT, including up to a dozen reviews of the IT area per year.
· Coordinate vendor assessments for all key vendors and report the risks/results to committees and executives throughout the organization (in coordination with the formal vendor management program).
· Conduct an annual IT Risk Assessment to identify key risks, changes in the risk profile, and plans to reduce those risks to acceptable levels.
· Identify and set the risk tolerance levels with executives to ensure that efforts and expenditures in risk mitigation meet senior management’s expectations.
· Manage the formal IT Controls inventory and facilitate periodic third-party assessments of those controls for effectiveness and adherence. The controls are tied to industry frameworks such as NIST, COBIT, ITIL, FFIEC, and ISO, so familiarity with these standards is critical.
· Develop and produce periodic (monthly) metrics reports for KRIs (Key Risk Indicators) and KPIs (Key Performance Indicators).
· Support and expand the organization’s RSA Archer technology for GRC efforts (tracking findings, controls, policies/standards, and metrics reports from the tool), working with the Archer support team to design/direct new functionality.
· Work to conduct gap analysis (with supporting resources) against the IT controls and overall maturity to provide input into the IT strategic plan.
· 8 - 10 years of experience in IT Governance, Risk, and Compliance (IT GRC).
· Understands the difference between GRC (proactive) and Audit (reactive).
· Experience with GRC technologies (Archer, Metricstream, Modulo, SAP, etc.).
· Understands and supports continuous control testing, and enjoys risk assessments and regulatory/audit examinations.
· Tracks the risks/remediation plans of IT.
· MUST be able to talk at an executive level, but also ensure that the tactical details of various tasks are a high priority.
· Experienced and seeking to proactively build a GRC program.
· Ability to interface with executives and other risk functions (enterprise risk management, internal audit, and legal).
· Excellent communication skills are critical: a polished professional with attention to detail and strong writing/presentation skills.
· Visionary, but with a seasoned approach to understand how to navigate business politics and process.
· Self-driven, high energy, and willing to dive into the weeds to ensure your vision has tactical approaches to see through to fruition.
Certifications: CRISC/CISA certification or similar with experience in the RSA Archer platform is a strong plus.
Education: Bachelor’s degree in Information Systems, Computer Science or a related field. MBA is a plus.