Governance, Risk & Compliance Manager

5-7 Years

Job Description


Role: Governance, Risk & Compliance Manager

Position Summary
The Governance, Risk & Compliance (GRC) Manager, working out of one of our Manila, Philippines office locations, will collaborate with ECLARO US and Philippines IT, IS and business entities to create, manage, and administer the company's information security, risk management and data privacy controls framework, policies, standards, processes, procedures, and tools that apply to all technologies, processes, and systems used by all company business functions.
The GRC Manager will assess risk across ECLARO's Philippines entities on a regular basis and seek to identify and promote opportunities to reduce risk while helping the company stay in compliance with applicable policy and regulatory guidelines and/or mandates.
Responsibilities
  • Perform/manage internal information security risk assessments, IT controls audits, and compliance assessments to identify weaknesses and risks that jeopardize the safety, security, or compliance posture of internal and client-facing systems and information resources
  • Manage ECLARO's external audit activities and associated maintenance. Coordinate internal ECLARO resources (human, technical, documentation) and external audit resources (e.g. audit and/or client resources) to ensure compliance with its relevant ISO 27001 (ISMS) and ISO 9001 (QMS) certifications (combined, ECLARO's ISO Integrated Management System or IMS), SOC 2, and any other relevant audit certifications/requirements
  • Manage ECLARO's Control Traceability Matrix (controls inventory and tracking system) for the firm's IMS and SOC 2 programs
  • Identify and promote opportunities to reduce risk while helping ECLARO stay in compliance with its relevant ISO, SOC 2 and any other relevant audit certifications/requirements
  • Act as the company's primary Data Privacy Officer in the Philippines to ensure the company is adhering to the Data Privacy Act of 2012 compliance standards for the protection of personal and private information
  • Administer compliance frameworks and associated tools necessary to generate compliance reports and audit artifacts
  • Help system owners and business stakeholders to reduce information security risks and achieve required compliance positions through systematic application of risk mitigation controls, compensation activities, and remediation efforts. This includes day-to-day business operations and department and enterprise-wide projects/initiatives
  • Provide structured security, privacy, risk and compliance-related reporting to senior/executive leadership at team, department, country, and company-wide levels as applicable
  • Participate as a key member of the company's Information Security Committee, a committee comprised of cross-sectional functions of the firm that establishes and oversees the company's security, privacy, and overall risk and control strategy
  • Manage other members of the GRC team. This includes interviewing, hiring, day-to-day operational management, training and development, performance management, regularization and termination activities as needed
  • Develop and maintain relationships with the relevant and key risk, compliance, IT, IS and business stakeholders
  • Develop and maintain policies, procedures, standards, and other documentation related to risk management, IT controls, information security and compliance and data privacy
  • Recommend improvements to the GRC team's daily operational processes, organizational structure, etc. to maximize the team's productivity and quality of deliverables
  • Ensure the GRC team's adherence to all department and company policies, procedures, code of conduct, etc.
  • Perform any other tasks as assigned
Qualifications/Skills
  • Bachelor's degree from an accredited college or university is required
  • 5+ years of progressively responsible experience in risk management, internal audit, compliance, information security, or related governance functions
  • Proven experience performing internal audits for ISO 27001 and/or SOC 2 is required
  • 8+ years in a relevant IT and/or IS role is desired
  • Demonstrated experience with ITIL, COBIT, ISO 27001, ISO 9001, SOC 2, Sarbanes Oxley, NIST, HITRUST and other common governance and/or audit frameworks and methodologies
  • Previous data privacy experience preferred, or a high degree of familiarity with data privacy principles and the Philippines' National Privacy Commission (NPC)
  • CISA, CIA, CISM, CGEIT, CRISC, CISSP, Data Privacy Officer or similar industry certification(s) is desired
  • Strong critical thinking and problem-solving skills
  • Strong data analytical skills
  • Strong verbal and written communication skills (English)
  • Strong presentation skills (internal and client-facing)
  • Strong work ethic and ability to work in a high-volume, fast-paced, high-pressure environment
  • Demonstrated professionalism, sound judgment, and ability to engage credibly with auditors, regulators, and senior leadership
  • Collaborative and motivational management/leadership style

About Company

Eclaro is an IT & Business recruiting and staffing firm, headquartered in New York NY, with 3 offices in Metro Manila, providing highly qualified IT talent and business professionals for clients in the United States, Canada, Europe, Australia, New Zealand and South Africa.

Job ID: 145606717