Governance Risk & Compliance Manager at International Rescue Committee

3 Years
Company Details
Industry: Non-Profit Organization Management
Description: The International Rescue Committee is a global humanitarian aid, relief and development nongovernmental organization.
Job Description
  • IRC is seeking an experienced Governance Risk & Compliance Manager (GRC) Manager to lead and enhance the GRC function within the Global Information Security (GIS) department. Reporting directly to the Sr. Director Technology, Operations, and Information Security, this role is ideal for a self-starter who requires minimal direction and is capable of both consolidating and optimizing existing GIS services within the GRC framework while also identifying opportunities to innovate and expand service offerings. This role is designed for someone who excels in an autonomous capacity and is skilled at evolving and scaling GRC initiatives to meet the dynamic needs of the organization.

Duties/Responsibilities

Information Security Governance:

  • Act as a strategic partner to senior leadership, aligning GRC efforts with broader organizational goals to contribute to resilience, reputation, and long-term success.
  • Formalize and enhance the metrics program for consistent monthly and quarterly reporting on key information security metrics and trends, providing actionable insights for executive management.
  • Drive a comprehensive, multi-cultural security training and awareness initiative, ensuring all staff are well-versed in security policies, procedures, and implications for their roles.
  • Further implement and optimize IRC's GRC platform to support strategic GRC objectives, enabling efficient reporting, seamless integration with existing workflows, and improved organizational visibility.

Information Security Risk Management

  • Identify, assess, prioritize, mitigate, and continuously monitor risks in alignment with IRC's risk appetite, creating actionable insights for leadership.
  • Maintain and regularly update risks in the GIS Risk Register while proactively building and refining strategic approaches to mitigate identified risks.
  • Lead third-party risk management efforts, including overseeing the deployment and use of the Vendor Risk Assessment (VRA) module, ensuring rigorous vetting and oversight of external partnerships.
  • Integrate threat intelligence into risk management and incident response, anticipating emerging threats and aligning with predictive risk analytics to support proactive security measures.

Information Security Compliance

  • Ensure compliance with relevant laws, regulations, industry standards, and donor obligations, including GDPR, ISO 27001, NIST Cybersecurity Framework (CSF), and NIST 800-171.
  • Partner with Legal, Supply Chain, and other teams to facilitate contract reviews, update language for security obligations, and ensure IRC’s preparedness for donor contract and revenue compliance.
  • Strengthen organizational understanding of policies and conduct regular assessments to measure and improve workforce compliance.
  • Coordinate IT audits, cyber risk assessments, and control assurance activities.

Strategic Thought Leadership And Industry Awareness

  • Maintain a robust awareness of emerging threats, best practices, and evolving regulations across cybersecurity, privacy, and compliance domains, providing guidance on ethical considerations, including data privacy laws and responsible use of artificial intelligence.
  • Develop and refine internal processes and policies to address and anticipate compliance needs in rapidly evolving regulatory landscapes, ensuring IRC stays ahead of regulatory changes.
  • Establish, track, and report on key GRC metrics and KPIs to measure program effectiveness, supporting a continuous improvement model and leveraging benchmarking to align with industry standards.

Organizational Culture And Engagement

  • Foster a culture of security and compliance across all levels of the organization, promoting ownership and accountability among staff for information security.
  • Champion role-specific security education programs that go beyond basic awareness, addressing unique risks associated with different roles and functions within the organization.
Key Working Relationships

  • Position Reports to: Sr. Director Technology, Operations, and Information Security

Education

Job Requirements:

  • Relevant Bachelor’s degree; a Master’s degree in Computer Science, Security or a related field is highly desired.

Work Experience

  • At least 3-6 years of GRC program experience required, including at least 2 years of functional ownership. Relevant information security program experience permitted.
  • At least 2 years in a global organization; nonprofit experience desired.

Demonstrated Skills And Competencies

  • Global GRC program development and implementation, including governance framework and policy enforcement.
  • Strong leadership, forming and leading internal working groups and governance bodies related to information security, risk, and compliance.
  • Independent problem-solving, proactive approach, and ability for strategic decisions.
  • Proactive analytical and critical thinking, committed to understanding needs.
  • Change management expertise, securing buy-in across the organization.
  • Hands-on experience with GRC platform implementation and operation.
  • Deep knowledge of cybersecurity, IT risk management, incident response, and data privacy, including relevant laws and regulations.
  • Effective communication and stakeholder engagement at all levels with integrity and discretion in handling sensitive matters.
  • Development and delivery of training programs and awareness campaigns.
  • Proficiency in managing third-party/vendor risk assessments and compliance.
  • Adaptability to evolving security threats and industry trends.
  • Commitment to ethical conduct and regulatory compliance.
  • Language Skills: English required.
  • Certificates or Licenses: Certifications such as CISSP, CISM, CRISC, or other related certifications are desirable.


Salary: Discuss During Interview
Education: Diploma
Employment Type: Full Time