Governance, Risk, and Compliance Manager

Governance, Risk, and Compliance Manager

Irving, TX

Meriton is a national team of experts driving HVAC innovation through a network of high-performing companies. From strategy and support to systems and solutions, we work behind the scenes to strengthen operations and build value—for our partners and our people.

If you're looking to make an impact, we're glad you're here. At Meriton, you'll join a team that believes in big ideas, doing great work, and building careers that matter—every step of the way.

Job Title: Governance, Risk, and Compliance Manager

Reports To: Director of Cybersecurity & Compliance

FLSA Status: Exempt

Location: Shared Services Office, Irving, TX

Summary:

The Governance, Risk, and Compliance (GRC) Specialist supports the organization's information security and enterprise risk management programs by facilitating risk identification, control assessment, policy governance, and compliance activities across regulatory and internal frameworks. This role partners with business and technology stakeholders to ensure risks are documented, evaluated, and treated in alignment with organizational risk tolerance, while enabling consistent, auditable processes for compliance, third-party risk, and control monitoring. The GRC Specialist plays a critical role in translating regulatory and security requirements into actionable controls, maintaining accurate risk and compliance artifacts, and supporting leadership with timely, data-driven reporting to inform risk-based decision-making.

Essential Duties and Responsibilities:

Governance:

• Support the development, maintenance, and lifecycle management of information security and IT governance policies, standards, and procedures.
• Coordinate periodic policy reviews and facilitate stakeholder input, approvals, and attestations.
• Maintain policy exceptions and waivers, ensuring appropriate risk evaluation, documentation, and executive approval.
• Partner with legal, compliance, IT, and security teams to ensure governance alignment across enterprise initiatives.
• Lead and coordinate the Business Impact Analysis (BIA) process by partnering with business and technology stakeholders to identify critical processes, assess operational, financial, and regulatory impacts, and document recovery objectives to support enterprise resilience and continuity planning.

Risk Management:

• Identify, assess, and document information technology risks across infrastructure, applications, cloud services, and third-party environments using standardized risk assessment methodologies.
• Facilitate periodic and ad-hoc IT risk assessments, including inherent risk evaluation, control effectiveness testing, and residual risk determination.
• Maintain the enterprise IT risk register by ensuring risks are accurately described, consistently scored, and aligned to business impact and risk tolerance.
• Track risk remediation activities to completion and validate that corrective actions effectively reduce risk exposure.
• Support third-party and vendor risk assessments by evaluating IT-related risks associated with external service providers.
• Support continuous improvement of the IT risk management program through process optimization, tooling enhancements, and stakeholder feedback.
• Monitor emerging threats, vulnerabilities, and technology changes to identify new or evolving risk scenarios.

Compliance:

• Lead internal control testing, evidence collection, and audit readiness across cloud and on-prem system.
• Collaborate with architects and development teams to identify potential attack paths early in the design phase.
• Collaborate with cross-functional teams and external auditors to ensure regulatory compliance.
• Leverage intelligence from vulnerability, threat, and incident data to continuously refine security controls.
• Evaluate and improve security controls, processes, and documentation.

Program Governance & Reporting:

• Develop and maintain risk metrics, dashboards, and reporting artifacts for management and executive-level audiences.
• Present risk posture and program effectiveness metrics to senior leadership and governance committees.
• Align program outcomes with frameworks such as NIST CSF & CIS Controls.

Competencies:

• Elevated professionalism which demonstrates tempered emotions, empathy, positive intent, and integrity in all interactions.
• Excellent communication and interpersonal skills with the ability to build strong relationships across all levels of the organization. Strong verbal and written communication skills
• Ability to effectively communicate and present information one-on-one and in group situations, and outside of the company.
• Strong attention to detail
• Ability to work in a fast-paced environment
• Must be a self-starter, independent, and strong organization skills, with the ability to manage multiple priorities and deadlines at any given time
• Strategic & Analytical Thinking
• Risk‑Based Decision‑Making and the ability to solve practical problems and manage a variety of variables in situations and with problems where only limited information or standardization exists
• Change Leadership
• Continuous Improvement Mindset

Education/Experience:

• Bachelor's degree in Cybersecurity, Information Systems, or related field (or equivalent experience).
• 8+ years' experience in security, risk, compliance, or GRC-focused roles.
• Strong practical experience with one or more frameworks such as ISO 27001, SOC 2, NIST, CIS, or similar.
• Confidence leading meetings, workshops, and complex discussions.
• Ability to design security governance and compliance programs, not just implement them.
• Strong written communication skills, with experience producing high-quality documentation.
• Experience mentoring or supporting the development of junior team members.
• Strong organizational skills and ability to manage multiple engagements and priorities.
• A pragmatic, solutions-focused mindset with an understanding of business realities.
• Certifications such as CISSP, CISM, CRISC, CGEIT, or CGRC, preferred.

Work Environment:

The work environment characteristics described here are representative of those an employee encounters while performing the essential functions of this job. Reasonable accommodation may be made to enable individuals with disabilities to perform the essential functions. The noise level in the work environment is usually moderate. The workplace is in a corporate office environment and the temperature in the work environment is usually moderate. The position's primary office is the Shared Services, Irving, TX office; however, telework or work at home, on the road, or in a satellite location for portions of the workweek may occur, depending upon project needs and requirements in coordination with your direct supervisor and/or most senior leader of your department. Physical Demands:

The physical demands described here are representative of those that must be met by an employee to successfully perform the essential functions of this job. Reasonable accommodations may be made to enable the individuals with disabilities to perform the essential functions. Must be able to regularly lift and/or move up to 25 pounds and frequently lift and/or move up to 25 pounds. Specific vision abilities required by this job include close vision, distance vision, peripheral vision, depth perception, and ability to adjust focus. Acknowledgment:

I have read this job description and fully understand the requirements set forth therein. I hereby accept the position of GRC Specialist agree to perform the identified essential functions in a safe manner and in accordance with the facility's established procedures. I further understand that my employment is at-will and thereby understand that my employment can be terminated at-will either by the company or myself and that such termination can be made with or without notice.

Merton is an Equal Opportunity Employer

Employment practices will not be influenced or affected by an applicant's or employee's race, color, religion, sex (including pregnancy), national origin, age, disability, genetic information, sexual orientation, gender identity or expression, veteran status or any other legally protected status. Reasonable accommodations will be made for qualified individuals with disabilities unless doing so would result in an undue hardship.

Salary ranges listed are dependent upon a candidate's qualifications, experience, internal equity, and the budgeted amount for the specific role and location.