Qureos

Governance, Risk, and Compliance Manager

Overview

The GRC (Governance, Risk, and Compliance) Manager is responsible for establishing, maturing, and operating LeafTech’s governance and compliance programs across internal operations and client-facing environments.

This role owns the development and execution of policies, risk management practices, and compliance frameworks (e.g., CMMC, NIST, SOC 2, HIPAA, PCI), ensuring alignment with business objectives, regulatory requirements, and client expectations.

The GRC Manager operates as both a strategic leader and hands-on practitioner, partnering closely with Engineering, Support, Client Experience, and Leadership to embed governance into daily operations while reducing organizational risk.

This role is aligned to a Senior Engineer 2 / early Principal level scope, with broad organizational influence.

Duties

Governance & Program Leadership

  • Define, implement, and continuously improve the organization’s GRC strategy and operating model
  • Establish governance structures that align with ITIL practices (Incident, Problem, Change, Configuration Management)
  • Develop and maintain policies, standards, and control frameworks
  • Act as the internal authority on compliance posture and risk tolerance

Risk Management

  • Design and operate a formal risk management program
  • Identify, assess, and prioritize risks across infrastructure, security, and operations
  • Maintain a centralized risk register with clear ownership and mitigation tracking
  • Partner with Engineering and Operations to reduce systemic and operational risk

Compliance & Audit Management

  • Lead compliance initiatives across multiple frameworks (CMMC, NIST, SOC 2, HIPAA, PCI, etc.)
  • Coordinate internal and external audits, assessments, and evidence collection
  • Ensure documentation is complete, accurate, and audit-ready
  • Translate compliance requirements into actionable operational controls

Change Enablement & Control Integration

  • Integrate GRC into the Change Enablement process, ensuring:
      • Risk evaluation is part of change review
      • Compliance considerations are embedded in CAB decisions
      • Standard vs. Non-Standard changes align with control requirements
  • Provide governance oversight without slowing delivery velocity

Cross-Functional Collaboration

  • Partner with:
      • Infrastructure Engineering on platform standards and risk mitigation
      • Professional Services Engineering (PSE) on compliant solution design
      • Support on operational adherence and incident-related risk
      • Client Experience on client-facing compliance discussions
  • Serve as a trusted advisor to leadership on risk, compliance, and governance strategy

Client & External Engagement

  • Participate in client discussions related to compliance, security posture, and regulatory alignment
  • Support sales and account management in positioning LeafTech’s compliance capabilities
  • Provide guidance during client audits, assessments, and security reviews

Program Maturity & Continuous Improvement

  • Build scalable, repeatable GRC processes that reduce manual effort and ambiguity
  • Identify gaps in controls and drive remediation initiatives
  • Align GRC practices with business growth and service expansion
  • Leverage metrics and reporting to demonstrate program effectiveness

Requirements

  • 5–8+ years of experience in GRC, cybersecurity, IT compliance, or related field
  • Strong working knowledge of one or more frameworks:
      • NIST, CMMC, SOC 2, HIPAA, PCI DSS
  • Experience leading audits, assessments, or compliance programs
  • Deep understanding of IT infrastructure, operations, and risk domains
  • Experience working within or alongside ITSM / ITIL environments
  • Ability to translate regulatory requirements into operational practices

Preferred Qualifications

  • Experience in an MSP or multi-client environment
  • Familiarity with tools such as ServiceNow, AutoTask, Jira, or similar platforms
  • Experience integrating GRC into Change Management / CAB processes
  • Prior experience working with cross-functional engineering and operations teams
  • Relevant certifications (preferred but not required):
      • CISSP, CISM, CRISC, CISA, or similar

Pay: $110,000.00 - $160,000.00 per year

Benefits:

  • 401(k) matching
  • Employee assistance program
  • Health insurance
  • Paid time off
  • Professional development assistance

Work Location: In person

© 2026 Qureos. All rights reserved.