Sr. Manager, Governance Risk and Compliance

Responsibilities:

• Third-Party & Vendor Risk Management:
• Manage the complete third-party risk management (TPRM) program, from initial assessment to ongoing monitoring.
• Conduct security risk assessments for all vendors, especially those handling protected health information (PHI).
• Collaborate with Legal to review security language in vendor contracts and Business Associate Agreements (BAAs).
• Maintain the vendor risk register, track remediation of risks, and report on vendor risk exposure.
• Demonstrate success developing third-party risk governance programs with Legal, Security, and Procurement to increase efficiency and reduce friction across stakeholders.
• Experience implementing tiered vendor risk models and reassessment cycles to reduce manual tracking workload.
• Audit & Compliance (HIPAA, SOC 2)
• Manage all internal and external audits, including planning, evidence collection, and coordinating with auditors.
• Serve as the main point of contact for external auditors (e.g., for SOC 2, HIPAA).
• Oversee security controls (technical and procedural) to ensure continuous compliance with HIPAA, HITECH, and SOC 2 frameworks.
• Translate complex regulatory requirements into actionable security controls and procedures for technical and business teams.
• Track and manage the remediation of all audit findings.
• Experience creating standardized audit playbooks and evidence repositories.
• Experience owning an organization-wide compliance program to comply with audit framework(s).
• Strong ability to translate audit outcomes into business-oriented insights that directly impact riskreduction and process improvement.
• Enterprise Risk & Security Operations
• Manage the enterprise risk management program, including conducting annual risk assessments and maintaining the risk register.
• Develop, maintain, and test the company's incident response (IR) plan.
• Run security awareness programs, such as phishing simulations and tabletop exercises.
• Track remediation efforts for all identified risks.
• Produce concise, executive-ready risk reports that inform strategic decisions across departments.
• Client & Sales Security Support
• Lead responses to client and prospect security questionnaires, RFPs, and assessments.
• Develop and maintain a knowledge base of standard security responses and supporting documentation.
• Act as the security subject matter expert to support the sales and partnership teams.
• Coordinate and manage client-facing security audits and reviews.
• Security Policy & Documentation
• Extensive experience creating, reviewing, and maintaining clear security policies, standards, andprocedures.
• Create, review, and maintain clear security policies, standards, and procedures.
• Ensure all policies align with regulatory requirements (HIPAA, SOC 2) and industry best practices.
• Communicate policies and procedures to all employees and contractors.
• Experience embedding compliance checkpoints within existing or new operational processes (e.g.,change management, onboarding).

Qualifications:

• Required
• 7+ years of experience in GRC, compliance, risk management, or information security roles, with at least 4 years in a management or leadership capacity
• Demonstrated experience managing a full-cycle third-party risk management (TPRM) programs, including conducting vendor risk assessments and reviewing security terms in contracts.
• Hands-on expertise leading external audits for major compliance frameworks, specifically SOC 2 Type 2 and HIPAA.
• Proven ability to build and manage an enterprise risk program, including conducting formal risk assessments (e.g., NIST-based) and developing/testing incident response plans.
• Direct experience serving as a security subject matter expert in a client-facing role, including leading responses to security questionnaires, RFPs, and customer audits.
• Exceptional technical writing skills with a history of creating, implementing, and maintaining a comprehensive set of security policies, standards, and procedures.
• Preferred
• Bachelor's degree in Computer Science, Information Security, Business Administration, or related field (or equivalent experience).
• Deep expertise in healthcare compliance regulations including:
• HIPAA Privacy Rule, Security Rule, and Breach Notification Rule
• HITECH Act and meaningful use requirements
• SOC 2 Type 2 (preferably with hands-on audit management experience)
• Professional certifications such as: CISSP, CISM, CRISC, CISA, GRCP, CHPS, CIPP/US
• Experience with additional compliance frameworks such as:ISO 27001/27002, ISO 27701, HITRUST, CSFFedRAMP, State RAMPPCI-DSS, State privacy laws (CCPA, CPRA, VCDPA, etc.)
• Experience with GRC platforms such as Vanta, Drata, OneTrust, LogicGate, Archer, ServiceNow GRC, or similar
• Knowledge of cloud security and compliance (AWS, GCP)
• Experience managing security awareness platforms (KnowBe4, Proofpoint, NINJIO, etc.)

Physical/Cognitive Requirements:

• Prompt and regular attendance at assigned work location.
• Capability to remain seated in a stationary position for prolonged periods.
• Eye-hand coordination and manual dexterity to operate keyboard, computer and other office-related equipment.
• No heavy lifting is expected, though occasional exertion of about 20 lbs of force (e.g., lifting a computer \/ laptop) may be required.
• Capability to work with leadership, employees, and members in an appropriate manner