GRC Manager


Job Location: Nashville, TN - USA

Monthly Salary: Not Disclosed
Posted on: Yesterday
Vacancies: 1 Vacancy

Job Summary

Nashville, Tennessee

Job Description

The GRC Manager is responsible for day-to-day execution of Pillsbury's Governance, Risk & Compliance (GRC) program, ensuring the firm maintains strong operational performance across ISO 27001, CMMC Level 2, vendor risk management, business continuity documentation, internal audit readiness, policy governance, and security awareness functions.

The GRC Manager translates strategic direction into actionable workflows, coordinates cross-functional teams, supports evidence lifecycle management, leads readiness activities, and ensures all GRC processes operate smoothly and efficiently. This role requires strong coordination, documentation, audit, and control-testing capabilities, paired with working technical fluency to understand control implications without performing system administration.

KEY RESPONSIBILITIES

Program Operations & Coordination

  • Lead day-to-day execution of the ISO 27001 and CMMC Level 2 programs, ensuring alignment with regulatory and framework requirements.
  • Translate strategy from the GRC Director into operational plans, workflows, and coordinated activities across departments.
  • Oversee evidence lifecycle management, ensuring accuracy, completeness, and readiness for assessments.
  • Manage recurring readiness cycles, status tracking, remediation follow-up, and program documentation.
  • Coordinate closely with IT and Security SMEs to validate controls conceptually, assess alignment, and ensure proper documentation.

Audit Readiness & Assessment Support

  • Serve as the primary operational point of contact for external auditors, assessors, and C3PAOs.
  • Lead audit planning, evidence packaging, SME coordination, and communication throughout assessment cycles.
  • Track findings, corrective actions, and remediation progress, ensuring issues are resolved on schedule.
  • Maintain audit documentation repositories and ensure audit materials remain continuously ready.

Policy Documentation & Governance

  • Oversee the full lifecycle of policies, standards, and procedures, including drafting, reviewing, updating, and publishing governance documents.
  • Ensure governance documents (including the SSP, POA&M, SoA, risk registers, and operational procedures) are current, consistent, and high quality.
  • Maintain comprehensive version control and documentation structures across all GRC-managed artifacts.

Risk Management Oversight

  • Lead operational ownership of the firm's risk register, including risk identification, scoring, tracking, and reporting.
  • Support annual and ongoing risk assessments and help drive risk-based decisions and improvements.
  • Co-lead risk committee or GRC steering activities with the Director and ensure preparation of materials.

Vendor Risk Management

  • Oversee intake and assessment of third-party vendors, coordinating review of security documentation, questionnaires, and remediation efforts.
  • Work with Procurement, Legal, IT, and the GRC Director to ensure consistent vendor oversight processes.

Business Continuity & Disaster Recovery (BCP/DR) Documentation & Reporting

  • Manage updates to business continuity and disaster recovery documentation, including BIAs, plan revisions, team rosters, and dependencies.
  • Coordinate documentation, reporting, and follow-up from continuity exercises, DR tests, and tabletop sessions.
  • Maintain continuity evidence in support of compliance audits and regulatory assessments.

Security Awareness & Training

  • Oversee rollout of cybersecurity awareness campaigns and required annual trainings.
  • Monitor participation, ensure compliance, and support content preparation aligned with firm and regulatory requirements.

Cross-Functional Collaboration

  • Lead readiness meetings, documentation reviews, action-item tracking, and other recurring GRC operational sessions.
  • Coordinate and supervise third-party consultants, advisors, and GRC service providers as needed.
  • Serve as the operational escalation point for compliance risks, elevating issues to the GRC Director as appropriate.
  • Provide backup support for client security questionnaires or reviews when delegated by the GRC Director.

REQUIRED EDUCATION, KNOWLEDGE AND EXPERIENCE

  • 5-10 years of experience in cybersecurity governance, risk, compliance, audit, or related disciplines.
  • Strong experience with IT controls, internal audit, risk assessments, or compliance operations.
  • Working technical fluency: able to understand control expectations, architectural impacts, and technical evidence.
  • Demonstrated ability to coordinate assessments or audits and lead multi-stakeholder compliance processes.
  • Excellent documentation, writing, and organizational skills with attention to detail.
  • Experience with GRC platforms (e.g. Archer, ServiceNow GRC, OneTrust, FutureFeed).
  • Strong interpersonal skills and experience collaborating across business, IT, and security teams.

Preferred Qualifications

  • Certifications such as CISA, CISM, ISO 27001 Lead Implementer/Lead Auditor, CGRC (CAP), CCAK, or CMMC-related credentials.
  • Experience supporting or leading ISO 27001 or CMMC compliance efforts.
  • Familiarity with process maturity models such as CMMI.
  • Prior experience supervising or mentoring analysts, associates, or cross-functional team members in a compliance, audit, or risk-management setting.

REQUIRED SKILLS AND ABILITIES

  • Operational leadership and coordination
  • Strong written and verbal communication
  • Analytical problem-solving
  • Professional judgment and discretion
  • Ability to manage multiple workflows simultaneously
  • High-quality documentation and reporting discipline

PHYSICAL REQUIREMENTS

  • Ability to sit and stand for extended periods.
  • Ability to lift up to 20 pounds.

Pillsbury Winthrop Shaw Pittman LLP is an Equal Opportunity Employer.

If you require an accommodation in order to apply for a position, please contact us at .


Required Experience:

Manager


About Company

Welcome to Pillsbury’s Regulatory Playbook, where you’ll find news and insights on the regulatory trends that are driving markets and shaping businesses.