Kerry Consulting

Security Governance, Risk and Compliance (GRC) Lead, Global MNC

12-14 Years
  • Posted a month ago

Job Description

The GRC Lead is a newly created, group-level role responsible for building and operationalising the organisation's cybersecurity governance, risk, and compliance capabilities from the ground up. This role will define foundational policies, frameworks, and risk management processes while enabling scalable and sustainable security governance across the group.

You will take a hands-on approach to design, implement, and embed governance structures, risk processes, and supporting GRC tooling. The role partners closely with technology, security, legal, audit, and business stakeholders to establish clear accountability, control visibility, and risk-informed decision-making.

Responsibilities:

GRC Strategy & Foundations

  • Design and implement a group-wide cybersecurity GRC framework, aligned with business objectives and risk appetite.
  • Establish core security governance artefacts, including policies, standards, procedures, and control frameworks.
  • Define a practical operating model for cybersecurity governance across regions and functions.

Cyber Risk Management

  • Build and own the cyber risk management lifecycle, including risk identification, assessment, treatment, acceptance, and reporting.
  • Establish consistent methodologies for risk scoring, prioritisation, and escalation.
  • Enable leadership with clear, actionable cyber risk reporting and dashboards.

Compliance, Assurance & Audit Readiness

  • Define compliance requirements against relevant regulatory, legal, and industry-recognised security frameworks (e.g. ISO 27001, NIST).
  • Design and operationalise control assurance and testing processes, supporting internal and external audits.
  • Track remediation activities and ensure sustained compliance across the organisation.

GRC Tooling & Process Enablement

  • Lead the selection, implementation, and configuration of GRC tooling to support risk, control, and compliance management.
  • Define control libraries, workflows, and reporting structures within the GRC platform.
  • Drive adoption of tooling by embedding GRC processes into day-to-day technology and business operations.

Third-Party & Operational Risk Governance

  • Establish frameworks for third-party cyber risk management, including due diligence, onboarding, and ongoing monitoring.
  • Partner with procurement and legal teams to embed security and risk requirements into contracts and vendor oversight.

Stakeholder Engagement & Change Enablement

  • Act as a trusted advisor to technology and business leaders on governance, risk, and compliance matters.
  • Drive security awareness and accountability by embedding GRC expectations into operating practices.
  • Support the Group CISO in communicating cyber risk posture and progress to senior leadership.

Requirements:

  • 12+ years of experience in cybersecurity GRC, technology risk, or information security roles.
  • Proven experience building GRC frameworks, policies, and risk processes in complex organisations.
  • Strong understanding of security governance, risk management, and control assurance concepts.
  • Hands-on experience implementing or operating GRC platforms or tooling.
  • Ability to operate independently in a greenfield environment with limited existing structure.

To apply:

If you are interested in applying or would like to find out more, please share your CV or reach out to Chen Yi at [Confidential Information] for a discussion. Due to the anticipated high volume of applications, we regret that only shortlisted candidates will be notified.

Reg: R1876389

Lic: 16S8060

Job ID: 138934277