General Manager - Risk & Compliance

15-17 Years
  • Posted 10 hours ago

Job Description

Serve as a key leader in driving, shaping, and governing the organization's Risk and Compliance framework, ensuring alignment with contractual requirements, internal controls, risk assessment and enterprise-wide strategic objectives. Provide strategic oversight and direction to core Risk & Compliance initiatives, acting as an anchor member of the organization's governance structure. The selected candidate will lead the Philippines and South Africa clusters.

ORGANISATIONAL CHART

Chief Compliance Officer -- General Manager Risk & Compliance

PRINCIPAL ACCOUNTABILITIES

List the expected end results that must be achieved in order to fulfil your job purpose and the activities that help in achieving these results.

EXPECTED END RESULTS

MAJOR ACTIVITIES

Application / Tools Risk Assessment

  • Oversee identification, assessment, and treatment of strategic, operational, financial, information security, and third-party risks.
  • Maintain process risk register, KRIs, and risk appetite frameworks.
  • Provide insights and risk heatmaps to leadership and stakeholder forums.

Security Certifications & Compliance Standards (ISO 27001, ISO 9001, PCI DSS, SOC 1 & 2, HIPAA)

  • Lead, maintain, and enhance compliance with ISO 27001 & ISO 9001, and other global security frameworks such as PCI DSS, SOC 1, SOC 2, etc.
  • Oversee ISMS governance, process risk assessments, internal audits, surveillance audits, and certification cycles.
  • Ensure secure handling, processing, and storage of sensitive data in line with applicable standards.
  • Collaborate with internal stakeholders and external auditors to ensure control effectiveness.
  • Maintain evidence repositories, Statement of Applicability (SoA), risk treatment plans (RTP), and continuous improvement logs.
  • Drive annual certification, recertification, and readiness assessments.
  • Ensure closure of non-conformities and alignment with regulatory and industry requirements.

Internal Controls & Assurance Specific to NPC (National Privacy Commission, Philippines)

  • Strengthen the organisation's internal control environment on NPC guidelines.
  • Employee will act as a Data Protection Officer for Philippines location.
  • Conduct process-level DPIAs, control testing, and remediation tracking.
  • Ensure readiness for internal, external, and regulatory audits.

Audit Governance (Internal, External & Regulatory)

  • Coordinate internal audits, external audits, and compliance audits.
  • Manage end-to-end audit lifecycle: planning, fieldwork, evidence, closure, CAPA validation.
  • Prepare consolidated audit reports for leadership review.

Incident, Breach & Root Cause Management

  • Lead investigation for incident/breach management including detection, escalation, containment, and RCA.
  • Provide timely and transparent reporting to leadership.

Third-Party (Client & Vendor Risk Management)

  • Lead end-to-end client audits and maintain contractual compliance.
  • Implement and maintain third-party due diligence, vendor reviews, and ongoing monitoring.
  • Ensure all high-risk vendors are assessed for security, compliance, and contractual controls.
  • Oversee remediation and compliance certification requirements for vendors.

Data Privacy

  • Drive privacy compliance with laws and frameworks (e.g., GDPR principles).
  • Ensure coverage of DFD, ROPA & DPIAs vis-à-vis GDPR.
  • Lead data lifecycle governance, retention controls, and breach response readiness.

Reporting, Analytics & GRC Tool Enablement

  • Build and own dashboards for risk, compliance, security certification status, KRIs, audits, and incidents.
  • Ensure high data quality, automation, and real-time governance.
  • Optimize GRC tools for reporting, workflow automation, and maturity uplift.

Culture, Training & Awareness

  • Build organizational competency in risk and compliance.
  • Deliver training programs in ethics, privacy, cyber hygiene, security standards, and compliance.
  • Promote speak-up, transparent reporting, and non-retaliation culture.

EDUCATIONAL QUALIFICATIONS

  • Bachelor's degree in business administration, Commerce, Law, Information Security, Computer Science, or a related discipline.
  • Master's Degree (Preferred) in Business Administration (MBA), Risk Management, Corporate Governance, Information Security, or related fields.

Professional Certifications (preferred skills)

  • ISO 27001 & ISO 9001 Lead Auditor / Lead Implementer (must have)
  • CISA (Certified Information Systems Auditor)
  • PCI DSS Implementation
  • SOC 1 & SOC 2 compliance training
  • HIPAA Compliance Training / Certified HIPAA Professional (CHP)

Additional training in ERM Frameworks, GRC Tools, and Cybersecurity Governance is an advantage.

RELEVANT EXPERIENCE

  • 15+ years of progressive experience in Risk Management, Compliance, Internal Controls, Corporate Governance, or Business Excellence within mid-to-large-scale organizations.
  • Demonstrated experience in leading Enterprise Risk Management (ERM) programs, including risk identification, assessment, treatment planning, KRI development, and governance reporting.
  • Proven expertise in managing regulatory compliance frameworks, statutory obligations, internal/external audits, and regulatory inspections.
  • Hands-on experience implementing and maintaining security and compliance certifications, including:
      • ISO 27001 (ISMS implementation, audit readiness, SoA, RTP, recertification cycles)
      • PCI DSS compliance (assessment support, evidence readiness, ASV scans, hardening)
      • SOC 1 & SOC 2 Type I/II (control mapping, walkthroughs, evidence coordination)
      • HIPAA compliance for PHI environments (privacy/security safeguards, breach readiness)
  • Strong background in designing and strengthening internal control frameworks, conducting control testing, and resolving audit findings with a focus on eliminating repeat issues.
  • Prior responsibility for third-party risk management, vendor assessments, contract compliance, and continuous monitoring of high-risk suppliers.
  • Exposure to data privacy, including DPIA, data lifecycle controls, consent management, and privacy compliance (e.g., NPC Act, GDPR-aligned practices).
  • Experience working closely with Information Security, including vulnerability management, security hardening, access reviews, and cyber awareness initiatives.
  • Demonstrated leadership in policy creation, risk governance, process standardization, and continuous improvement initiatives aligned with Business Excellence.
  • Experience managing cross-functional teams, senior stakeholder engagement, and presenting insights to leadership, Board, and Audit Committees.

BEHAVIORAL COMPETENCIES

  • Strategic Mindset: Anticipates risks, connects insights to business strategy, and makes informed decisions.
  • Leadership & Collaboration: Leads cross-functional teams effectively and builds strong stakeholder relationships.
  • Integrity & Ethical Conduct: Demonstrates sound judgement, transparency, and promotes a culture of compliance.
  • Analytical Thinking: Solves complex problems using structured, data-driven approaches.
  • Executive Communication: Communicates clearly, simplifies complex issues, and presents confidently to senior leadership.
  • Change Agility: Adapts quickly to evolving regulations, risks, and organizational priorities.
  • Attention to Detail: Ensures accuracy and rigor in documentation, controls, and reporting.
  • Continuous Improvement Orientation: Drives efficiency, automation, and process excellence using structured methodologies.
  • Accountability & Ownership: Takes responsibility for outcomes and ensures timely closure of actions.
  • Risk & Control Mindset: Promotes early identification, escalation, and mitigation of risks across the organization.

It is our policy to provide equal employment opportunities to all individuals based on job-related qualifications and ability to perform a job, without regard to age, gender, gender identity, sexual orientation, race, colour, religion, creed, national origin, disability, genetic information, veteran status, citizenship or marital status, and to maintain a non-discriminatory environment free from intimidation, harassment or bias based upon these grounds.


Job ID: 144897957