GRC Lead

Job Summary The GRC Lead drives the execution and continuous improvement of AEG's Governance, Risk, and Compliance program, with broad ownership across enterprise risk management, third-party risk management, compliance, and information security governance. They will contributor partner with IT, Legal, Privacy, Finance, and business leaders to translate risk into actionable insights, strengthen risk visibility, and improve program effectiveness. The role operates with a high degree of autonomy, leads complex cross-functional initiatives, and is accountable for advancing GRC program maturity and driving timely, measurable outcomes. Essential Functions Enterprise Risk Management (ERM): Own and continuously enhance the enterprise risk management framework, including risk taxonomy, scoring methodology, and governance processes Lead enterprise-wide risk identification and assessment workshops with senior stakeholders across business and technology functions Drive risk quantification and scenario analysis to support risk-informed business decisions Own the enterprise risk register, ensuring accuracy, completeness, and executive-level relevance Identify gaps in current risk processes and implement scalable improvements to advance program maturity Risk Reporting & Governance: Design and deliver executive-level risk reporting, dashboards, and Key Risk Indicators (KRIs) that drive decision-making Lead preparation of materials for Risk Committees and senior leadership forums Establish and enforce governance processes for risk acceptance, escalation, and tracking Ensure audit-ready documentation of risk decisions, control effectiveness, and program outputs Continuously improve reporting quality, automation, and visibility of enterprise risk Compliance & Assurance: Lead compliance assessments across frameworks (e.g., NIST CSF, ISO 27001, PCI-DSS, SOC), ensuring alignment with business and regulatory requirements Own coordination of internal and external audits, including stakeholder alignment and evidence management Drive remediation efforts to closure, ensuring accountability and measurable reduction of control gaps Own and continuously improve policy, standards, and procedure frameworks Evaluate control effectiveness and recommend enhancements to strengthen the control environment Third-Party Risk Management (TPRM): Own and mature the third-party risk lifecycle, including intake, risk tiering, due diligence, and ongoing monitoring Partner with Legal, Procurement, and business stakeholders to assess vendor risk and define appropriate controls Establish and enforce risk-based due diligence standards and assessment methodologies Track and report on third-party risk posture, including remediation and risk acceptance decisions Identify opportunities to streamline and scale the TPRM process Information Security Governance: Provide risk advisory for new systems, technologies, and business initiatives, ensuring alignment with security and compliance requirements Drive control design and documentation in partnership with security and engineering teams Ensure governance processes evolve in line with regulatory requirements and business changes Influence stakeholders to adopt risk-informed practices and control improvements Program Enablement & Leadership: Lead cross-functional initiatives to improve risk awareness, engagement, and adoption across the organization Develop and deliver playbooks, training, and guidance to enhance risk literacy Mentor and guide junior team members, fostering capability development and consistency Identify and implement process improvements across the GRC program to increase efficiency and effectiveness Serve as a trusted advisor to stakeholders on risk prioritization and trade-off decisions Required Qualifications BA/BS Degree (4-year) in Information Security, Computer Science, Business, Risk Management, or related field; or equivalent related work experience 6-8 years experience in GRC, ERM, or risk/compliance roles Demonstrated ownership of risk programs or major program components (ERM, TPRM, or compliance) Experience working in enterprise environments with cross-functional stakeholders Deep understanding of ERM concepts (risk appetite, inherent/residual risk, KRIs, scenario analysis) Strong experience with regulatory and security frameworks (NIST, ISO 27001, PCI-DSS, SOC, GDPR/CPRA) Ability to operate effectively in ambiguous environments and drive initiatives from concept through execution Ability to translate technical and risk concepts into business decisions Experience building executive-level reporting and dashboards Proficiency with GRC platforms (e.g., Archer, ServiceNow GRC, OneTrust, LogicGate) Strong facilitation, stakeholder management, and influencing skills CISSP, CISM, CRISC, or CISA highly preferred ISO 27001 Lead Auditor or equivalent preferred but not required Pay Scale $135,000.00 - $150,000.00 Bonus This position is eligible for a bonus under the current bonus plan requirements. Benefits Medical insurance Dental and vision insurance Paid holidays Vacation and sick time Company paid basic life insurance Voluntary life insurance Parental leave 401k Plan (with a current employer match of 3%) Flexible spending and health savings account options Wellness offerings AEG's policy is to hire the most qualified applicants, and we comply with all applicable federal, state and local employment laws in making hiring and employee decisions. We are an equal opportunity employer and do not discriminate against applicants or employees on the basis of race, color, marital status, disability, religion, age, sex, sexual orientation, national origin, genetic information, veteran status, or any other legally protected status recognized by applicable federal, state or local law. Employer does not offer work visa sponsorship for this position. #J-18808-Ljbffr