Manager - IT - Governance Risk and Compliance

8945 Cal Center Dr, Sacramento, CA 95826, USA Req #6193
Tuesday, March 11, 2025

TITLE: MANAGER - IT - GOVERNANCE RISK AND COMPLIANCE
STATUS: EXEMPT
REPORT TO: VP - IT - PLANNING AND GOVERNANCE
DEPARTMENT: IT - GOVERNANCE RISK AND COMPLIANCE
JOB CODE: 11347

PAY GRADE: 23S

PAY SCALE: $128,400.00 - $145,000.00 ANNUALLY


GENERAL DESCRIPTION:

The IT Governance, Risk, and Compliance (IT GRC) Manager supports Senior Leadership and the information technology organization by driving and leading IT risk assessment processes, management of IT security controls, compliance assessments, vendor management, security requirement development, and IT risk due diligence. The IT GRC Manager recommends and influences the relevant stakeholders to meet compliance requirements and uplift controls, and assists in assessing current and emerging risks with a view to embedding security-by-design principles in day-to-day activities.


The manager ensures the company’s technical systems and information assets are protected. Furthermore, the manager is responsible for identifying, evaluating, and reporting on information security risks that are important for the business to be aware of and act on accordingly. The manager works in tandem with security and IT leadership to elevate the company’s security posture. The position requires a diverse background to understand a variety of systems, including new technologies and legacy systems considered business critical.


TASKS, DUTIES, FUNCTIONS:

  1. Lead a team of professionals working with IT Management, Information Security, Legal, Audit and other relevant departments to analyze and implement Information Security and Risk Management frameworks, policies, standards, and best practices.
  2. Maintain a thorough understanding of state and federal laws and regulations related to credit union compliance including bank secrecy and anti-money laundering laws appropriate to the position.
  3. Translate industry, government (local, state, and federal) and contractual compliance requirements into the frameworks, policies, standards, and processes.
  4. Support and coordinate internal and external audits in the areas of IT, information security, risk management & compliance.
  5. Provide support for analyzing and implementing Information security, risk management, application security frameworks, policies, standards, and processes.
  6. Execute regular or scheduled compliance tasks as assigned, summarizing, and reporting findings, ensuring that audit issues and associated root causes are understood, well defined and presented to IT and business unit leadership.
  7. Maintain relationships with internal and external audit and compliance agencies to support execution of audits.
  8. Coordinate remediation activities for non-compliant areas of IT.
  9. Perform IT project, application security and vendor risk assessments to ensure compliance with the corporate information security policies and standards.
  10. Provide periodic updates, education and presentations to staff and management on various aspects of IT Governance, Risk and Compliance.
  11. Responsible for identifying, selecting, retaining, mentoring, managing, and training GRC personnel on a daily basis along with reviewing performance, allocating raises and supporting promotion. Provide focus and direction to staff to achieve established goals and defined deadlines.
  12. Monitor performance, assist employees with developing and achieving performance goals, and conduct performance evaluations. Interact with Human Resources on employee matters to provide support, direction, and resolution.
  13. Develop and maintain an understanding of the pertinent regulatory requirements and risks inherent to job responsibilities, establish, and maintain control activities that mitigate those risks consistent with the Credit Union’s risk appetite, and ensure operational integrity and compliance with applicable regulations.

PHYSICAL SKILLS, ABILITIES, AND EXERTION UTILIZED IN THE PERFORMANCE OF THESE TASKS:

  1. Excellent leadership, portfolio and project management skills, and organizational change management skills.
  2. Exceptional oral and written communication skills including presentation and facilitation skills to interact with executive and senior leaders, members, and credit union staff.
  3. High level of integrity and trustworthiness, as well as confidence to represent the company and security leadership with the highest level of professionalism.
  4. Able to negotiate vendor agreements and oversee vendor delivery.
  5. Must possess sufficient manual dexterity to skillfully operate an on-line computer terminal and other standard office equipment, such as personal computer, multi-use copiers and telephone.
  6. Must be self-directed, able to work on own initiative.
  7. Proven project leadership with both legacy and emerging technologies to assess and manage business risk and enforce security controls.
  8. Ability to work under pressure and tight deadlines; may be required to work extended hours to complete tasks.
  9. Carry and respond to smartphone.

ORGANIZATIONAL CONTACTS & RELATIONSHIPS:

  1. INTERNAL: All levels of staff and management, including Senior Management.
  2. EXTERNAL: Members, vendors, suppliers, government agencies, credit union industry associations and peers at other financial institutions.

QUALIFICATIONS:

  1. EDUCATION: Bachelor's degree in Business Administration, Accounting, Management Information Systems or Computer Science is strongly preferred. Advanced Degree in Business Administration or other related area is preferred.
  2. EXPERIENCE: Minimum eight years of experience in a technology risk, security or compliance role, preferably in a financial institution. Detailed understanding of risk management and controls assurance. Strong understanding of information security controls and standards such as ISO 27001/2, NIST CSF, and related frameworks. Thorough understanding of various regulatory requirements and laws such as, but not limited to, PCI, SOX, HIPAA, HITRUST, GDPR and GLBA. Experience in a role balanced between business stakeholders and a central technology service organization. Experience managing and leading a team of professional-level staff is required. Certifications such as CISSP, CRISC, CISA, CIPP, and CISM are well regarded.
  3. KNOWLEDGE / SKILLS:

  • Operational Risk Management experience and demonstrated knowledge of ORM concepts and practices (i.e., process mapping, risk identification, assessment of control environments, risk monitoring and measurements) and understanding of the relevant operational risk types/sub-types, is preferred.
  • Strong leadership skills and ability to organize and motivate others.
  • Demonstrated experience with regulatory agencies, requirements, and/or regulatory compliance.
  • Strong analytical, problem-solving and workflow analysis skills, including demonstrated ability to quickly synthesize information from various sources, identifying key points and issues.
  • Ability to apply judgment around risk management and control frameworks and industry best practices and make sound risk/reward decisions using a balance of data, logic and intuition to inform critical business strategies and processes.
  • Proven strong interpersonal and customer service skills; ability to negotiate, influence, and build collaborative, cross-organization relationships, even in difficult situations.
  • Excellent communication (verbal, written and presentation) skills, including ability to convey complex situations and relationships concisely to management and executive-level audiences.
  • Strong organizational skills, with a high degree of initiative and ability to self-start and self-prioritize assignments and make timely and effective decisions.
  • Strong process facilitation, process management and improvement skills; ability to independently and effectively handle multiple priorities and deliver a quality result within tight deadlines.
  • Highly proficient in Microsoft Office (Word, Excel, Visio, Outlook, PowerPoint).
  • Solid work ethic and able to work effectively both independently and in a team.

PHYSICAL REQUIREMENTS:

  1. Prolonged sitting throughout the workday with occasional mobility required.
  2. Corrected vision within the normal range.
  3. Hearing within normal range. A device to enhance hearing will be provided if needed.
  4. Ability to lift 20 lbs. as may be required.
  5. Occasional movements throughout the department daily to interact with staff, accomplish tasks, etc.
  6. May require long work hours to accomplish tasks.
  7. Occasional travel may be required locally, statewide, and throughout the United States to attend seminars and vendor group meetings. Overnight travel and evening schedules included.
  8. Prolonged use of telephone to accomplish tasks.

LICENSES / CERTIFICATIONS:

Project Management Professional (PMP) and Portfolio Management Professional (PfMP) certifications from the Project Management Institute (PMI) or Certified Business Analysis Professional (CBAP) from the International Institute of Business Analysis (IIBA); CISSP, CISM, CISA, CRISC, GSLC preferable, but not required.

THIS JOB DESCRIPTION IN NO WAY STATES OR IMPLIES THAT THESE ARE THE ONLY DUTIES TO BE PERFORMED BY THIS EMPLOYEE. HE OR SHE WILL BE REQUIRED TO FOLLOW OTHER INSTRUCTIONS AND TO PERFORM OTHER DUTIES REQUESTED BY HIS OR HER SUPERVISOR THAT ARE WITHIN HIS / HER KNOWLEDGE, SKILL AND ABILITY AS WELL AS HIS / HER MENTAL AND PHYSICAL ABILITIES.

REV. 3.11.2025

Other details

  • Job Family Manager
  • Job Function Manager
  • Pay Type Salary
  • Employment Indicator Flex/Hybrid
  • Min Hiring Rate $128,400.00
  • Max Hiring Rate $145,000.00
  • 8945 Cal Center Dr, Sacramento, CA 95826, USA