IT Governance, Risk, and Compliance (GRC) Lead

Job Summary

Governance and GRC Program Leadership

• Establish and maintain the enterprise GRC charter, scope, and overall operating model.
• Develop and maintain security policies, standards, and procedures aligned with business objectives and regulatory requirements.
• Establish governance processes to ensure security requirements are incorporated into new systems, projects, and technology deployments prior to go-live.
• Promote a culture of compliance, risk awareness, and accountability across IT and business functions.
• Provide regular updates on risk posture, compliance status, and program maturity to IT and Security leadership.
• Integrate other cybersecurity areas into the GRC Program such as Vulnerability Management, Disaster Recover, Business Continuity, Penetration Testing, Third-Party Risk Management, etc.

GRC Platform and Engineering

• Lead the design, configuration, and optimization of the organization’s GRC platform(s).
• Develop scalable workflows for risk assessments, control management, audit tracking, and compliance reporting.
• Integrate GRC tooling with security platforms and enterprise systems to automate evidence collection and improve efficiency.
• Develop dashboards, analytics, and reporting capabilities to provide visibility into cybersecurity posture and risk trends.
• Continuously evaluate and enhance the GRC architecture to align with evolving regulatory requirements and business needs.
• Engage with vendors to improve platform capabilities and ensure solutions meet organizational requirements.
• Ensure GRC tooling and reporting capabilities support executive decision-making, prioritization, and risk transparency across the enterprise

Compliance & Audit Management

• Align controls with applicable frameworks and regulatory requirements (PCI-DSS, NIST CSF, CIS Controls, FAIR-CAM, etc.) and track compliance/maturity over time.
• Lead coordination of internal and external audits, including evidence collection, control validation, and remediation tracking.
• Monitor retail and adjacent industry risk trends to identify emerging threats and control gaps
• Provide governance oversight to ensure audit findings and regulatory developments are reflected in enterprise

Enterprise and Cyber Risk Management

• Build and maintain a centralized enterprise and cyber risk register
• Define and apply a consistent risk taxonomy and assessment approach
• Evolve risk assessments from basic qualitative scoring to scenario-based analysis
• Support leadership in evaluating risk trade-offs, including investment decisions, operational impact, and defined risk tolerance
• Translate risk information into something leadership can utilize in decision making, including clear trade-offs between risk reduction, operational impact, and cost
• Provide structured risk insight to inform strategic planning and prioritization across the Security organization
• Incorporate relevant industry breach patterns and threat developments into scenario-based risk discussions to ensure risk assessments reflect current conditions

Required Education/Experience/Skills

• Bachelor’s degree in Information Technology, Cybersecurity, Risk Management, or a related field, or demonstrated equivalent experience.
• At least 6 years Governance, Risk and Compliance and/or Cyber Security experience.
• Experience leading or engineering enterprise GRC or Risk Quantification platforms.
• Strong knowledge of cybersecurity frameworks, regulatory requirements, and risk management methodologies.
• Ability to communicate risk clearly to both technical and non-technical audience.
• Demonstrated leadership in cross-functional initiatives.
• Strong communication and relationship skills, with the ability to articulate complex technical concepts to non-technical stakeholders.
• Demonstrates a strong, well-rounded understanding of core IT Security domains, and the tools and technologies used within each area.

Preferred Qualifications

• Retail grocery or PCI-regulated environment experience.
• GRC or Risk Quantification certifications.
• Vendor certifications in GRC related solution.
• Professional certifications such as CISSP, CISM, CISA, CRISC, or similar.

The above statements are intended to describe the general nature of work performed by the employee assigned to this job. All employees must comply with Company policies and applicable laws. The responsibilities, duties, and qualifications required of personnel may vary.