• Nikol Tosheva
• | April 12, 2022
• | Open Positions

IT Governance, Risk and Compliance Analyst

About our client:

They are a truly international company. An inclusive, innovative global FMCG with over 27,500 employees operating across 120 markets. As they embrace a new era of growth, they’re transforming. With consumers at the centre of everything they do, their ways of working and culture are driven by a challenger mindset, where people can challenge the status quo and bring their best selves to work. Their agility and collaboration are driving their ambitions, innovation and success, all supported by their award winning development programmes that create exciting and rewarding opportunities for all.

The IT Governance, Risk, and Compliance (IT GRC) Analyst (GRCA) is responsible for evaluating the compliance and risk posture of the company. The GRCA will also provide stakeholders with advice on addressing compliance gaps and risks that have been identified.

The GRCA provides technology risk and information security expertise to the Global IT function and drives the implementation of IT risk management processes within Global IT.

The GRCA’s responsibilities require technical expertise to influence effective risk analysis, compliance with Global IT standards, awareness and education, and lead the development of policies, standards and guidelines.

This role will work closely with Cybersecurity, Application Operations, Solution Delivery and other teams within Global IT as well as the Information Security, Procurement, Privacy and Legal functions to build a strong understanding and acceptance of IT GRC practices.

Technology Risk Mgmt.:

• Assess risks in technology implementations and, guide development and operations teams with risk mitigation advice to ensure a good IT Control environment is implemented.
• Manage a process to assess IT controls compliance across the Imperial Brands IT estate
• Manage the monthly tracking and reporting of compliance actions. Automate the tracking and reporting process and focus on delivering value-add insight to stakeholders.
• Prepare IT risk metrics, present these to senior stakeholders and provide quality risk mitigation advice that drives meaningful action.
• Manage the IT Policy annual review process, ensuring that the policy is reviewed and updated to meet compliance requirements and changes in the IT landscape.

Third Party Risk Mgmt.:

• On being notified by IT Vendor Management, Global Procurement or legal, review relevant third party IT security controls based on evidence provided by 3^rd Drive improvement in the 3^rd party security review process.
• Advise business stakeholders to enable informed decisions on addressing gaps in supplier security controls. In partnership with Information and Cyber security, ensure that decisions to accept risks do not pose undesirable
• Track gaps in supplier security controls to closure, Provide metrics and risk mitigation advice to procurement and IT Vendor mgmt. teams as they work with suppliers to close control gaps.

Other ad-hoc:

• Liaise with Internal and External audit teams as required and ensure that audit findings are balanced and have appropriate actions/timelines.
• Lead policy and standards training to Global IT staff, as requested.
• Represent Global IT GRC on IT project steering teams and provide risk/compliance input.
• Manage the quality of output produced by junior IT GRC colleagues or contractors.

Key Relationships:

Internal (excluding direct team and manager):

• IT Business Partners
• IT Service Owners
• Global Procurement
• Privacy
• Cyber Security
• Information Security

External:

• Key suppliers in the relevant areas

Education, Qualifications, Skills and Experience:

Essential:

• 6+ years of experience with IT Governance, Risk, and Compliance management in a large global environment.
• Demonstrated proficiency in assessing and designing internal controls for information security in an enterprise-level environment.
• Strong understanding of one or more industry frameworks and compliance regulations: i.e., NIST Cybersecurity Framework, ISO 27001, PCI-DSS, International Privacy requirements (EU-US Privacy Shield, GDPR)
• Excellent communicator and ability to work with partners from a diverse set of backgrounds.
• Understanding of fundamental information security concepts and technology and have previous exposure to cloud security, data processing, hardware platforms, enterprise software applications, and outsourced systems.
• Manage priorities and work both independently and as part of a team.
• CRISC, CISA, CISSP or other well recognised IT governance or security certifications.

Desirable:

• Creativity when approaching challenges and solving problems.
• Ability to provide advice to operational teams in a succinct manner.
• Ability to influence outcomes using prior experience, SMEs and internal/external research as appropriate.
• Familiarity with SLDC process and controls, preferably in a GxP environment
• Experience dealing with senior stakeholders

What the company offers:

Our client offers a competitive package of salary, bonus scheme, health insurance and (25/29) days holiday.

If you are interested, please, send your CV with a recent photo.

Your personal information will be used only for the purpose of the recruitment process and will be treated with confidentiality and respect. Confidentiality is guaranteed and protected by law.

Horizons is a leading recruitment company specializing in expert and middle management positions with 18 years of experience in the Bulgarian market. Our team consists of business-oriented consultants with industrial specialization, a professional understanding of the business trends and a proactive approach toward recruiting and hiring through different methodologies and innovations.

Horizons owns license No 2118 from 27.09.2016.