Governance, Risk and Compliance Manager
Posted: 09/23/2025
About Us
ETS is a leading IT consulting company in Winnipeg and part of the Exchange Income Corporation's family of companies. We provide a wide range of services, including Managed IT, Project Management, Business Intelligence, Cyber Security, Digital Transformation, Training Services, Installation Services, and Telecommunications across Canada and the US. If you are looking for a fast-paced career, serving enterprise customers and managing diverse IT projects, we invite you to join us. Our work environment is dynamic, filled with learning opportunities, exciting and challenging projects, and a chance to make a positive impact on clients’ businesses. We value teamwork, fun, and achieving amazing results together.
Reporting to the Director of Cyber Security and Information Security, the Governance, Risk and Compliance (GRC) Manager is responsible for developing, implementing, and managing the organization’s GRC framework to ensure alignment with industry standards, regulatory requirements, and strategic business objectives. Key responsibilities include overseeing risk assessments, policy development, compliance audits, and enterprise risk reporting, while fostering a strong risk-aware culture across the organization.
Key Responsibilities
• Governance:
• Develop, maintain, and enforce GRC policies, standards, and frameworks aligned with best practices (e.g., ISO 27001, SOC 2, FAIR, NIST, CIS).
• Oversee the establishment and continuous improvement of information security governance structures and risk management processes.
• Coordinate the development and maintenance of organizational policies, SOPs, and guidelines related to risk, compliance, and data protection.
• Lead GRC awareness and training programs for internal and external stakeholders.
• Lead and govern IT Risk Management, ensuring integration with organizational objectives.
• Develop and maintain the strategic IT Risk Framework to guide enterprise decision-making.
• Support the Information Security Director in implementing and maintaining the ETS Information Security Management System (ISMS).
• Manage processes and activities to sustain the ETS ISMS, including reporting on metrics that measure Information Security objectives.
• IT Risk Management:
• Identify, assess, and manage enterprise and IT risks through a structured risk management process.
• Conduct periodic risk assessments, threat modeling, and impact analysis to support decision-making.
• Maintain and update the enterprise risk register and ensure that mitigation plans are in place and monitored.
• Collaborate with business units and IT to embed risk management practices in daily operations and strategic planning.
• Monitor emerging risks and recommend appropriate responses.
• Assess enterprise-wide risk tolerance, risk appetite, and the quantification of risks.
• Manage the evolution of risk frameworks and processes to identify, measure, monitor, and report on the ETS risk environment.
• Ensure continuous improvement of the organization’s ability to manage priority risks, including technology risks.
• Oversee Supplier and Vendor Risk Management, including annual risk assessments, quarterly KRI reporting, and updates to corporate recovery plans.
• Direct the development and maintenance of Business Continuity Plans (BCP), ensuring accuracy and completeness through plan reviews, exercises, and compliance signoffs.
• Monitor and manage action plans to address gaps in BCPs.
• Compliance:
• Monitor regulatory and legal compliance requirements relevant to the organization’s industry (e.g., data protection, cybersecurity, financial reporting).
• Lead internal and external audits related to compliance, including ISO certifications and regulatory inspections.
• Manage responses to compliance violations, audit findings, and risk incidents.
• Oversee third-party risk assessments and vendor compliance reviews.
• Ensure compliance with data privacy and protection frameworks (e.g., CMMC, CDP, GDPR, PIPEDA, or regional equivalents).
• Evaluate internal controls and conduct audits to ensure regulatory and policy adherence.
• Lead the internal audit team and support the maintenance of Information Security certifications and attestations.
• Manage oversight of policies, procedures, and systems that ensure ongoing compliance.
• Reporting and Communication:
• Provide periodic reporting to executive leadership and relevant committees on the status of risk, compliance, and governance initiatives.
• Develop dashboards, metrics, and KPIs for monitoring GRC performance.
• Additional responsibilities as assigned.
Qualifications
• Education, Licenses, and/or Certification, Experience Required:
o Bachelor’s or Master’s degree in Information Security, Risk Management, or a related field.
o Minimum 5 years of relevant experience in GRC, cyber security, audits, or enterprise risk.
o Professional certifications preferred: CRISC, CISM, CISA, ISO 27001 Lead Implementer/Auditor, or similar.
• Knowledge, Skills, and Abilities Required:
o Strong knowledge of regulatory and compliance frameworks such as ISO 27001, NIST, PCI DSS, or regional standards.
o Strong communication skills to effectively interact with diverse groups of people at all levels of the organization.
o Exceptional writing skills to generate required reports.
o Experience in a fast-paced environment with multitasking responsibilities.
o Strong ability to prioritize tasks and meet deadlines.
o Strong attention to detail and accuracy.
Working Conditions
• Must be able to obtain and maintain a clear criminal record check.
• Work performed primarily in an office environment.
• Manual dexterity required to use desktop computer and telephone.
• High visibility role that requires regular interaction with stakeholders, clients, and vendors.
What We Offer:
- Competitive Salary and Benefits Package
- Registered Retirement Savings Plan with Company Matching
- Employee Share Purchase Plan
- Subsidized Gym Membership
- Subsidized Phone Plan
- Opportunities for Professional Development and Career Growth
- Collaborative and Innovative Work Environment