Governance, Risk & Compliance Manager

LOCATION: Remote

REPORTS TO: Corporate Counsel

The GRC Manager will operate at the intersection of Legal, IT, Security, and Business Operations, serving as a central point of coordination for governance, risk, and compliance initiatives across the organization. The Governance, Risk & Compliance Manager will work closely with Corporate Counsel to align compliance strategy with regulatory obligations and legal risk considerations.

The GRC Manager partners heavily with IT and Information Security teams to translate technical controls and security frameworks into business-aligned processes and documentation. Collaboration with Product and Engineering may be required to ensure that data handling, system controls, and security practices align with compliance requirements.

In addition, the position supports client-facing teams including Sales, Account Management, and Customer Success by responding to due diligence requests, security questionnaires, and audit inquiries, helping to build trust with lender clients and external stakeholders. The role will also coordinate with Operations and Data functions, to support data quality auditing and integrity initiatives.

Externally, the GRC Manager will interact with third-party auditors, vendors, and client stakeholders to support audits, vendor risk management, and compliance assurance activities.

THE OPPORTUNITY: The GRC Manager will mature and scale the company's GRC capabilities during a period of growth. This role offers the opportunity to build structure, drive process improvements, and enhance the company's compliance posture in a highly regulated environment.

The position plays a critical role in establishing and maintaining audit readiness (including SOC 2 Type II), strengthening vendor risk management practices, and improving the efficiency and quality of client-facing due diligence responses. The individual will help translate evolving regulatory and security requirements into actionable, business-aligned controls that support both internal operations and external trust.

This is a highly cross-functional and visible role with the opportunity to influence how compliance, risk, and security practices are operationalized across the organization. The ideal candidate will bring both strategic thinking and hands-on execution, helping F&I Sentinel continue to build credibility with financial institution partners while supporting scalable, sustainable growth.

Specifically, the GRC Manager will have responsibility in:


Audit & Certification

• Drive SOC 2 Type II audit readiness end-to-end: evidence collection, auditor coordination, and remediation tracking
• Execute internal audit procedures across operations for accuracy, completeness, and compliance
• Document audit findings, develop corrective action plans, and track remediation to closure
• Maintain GRC documentation including control narratives, procedures, and supporting artifacts for continuous audit readiness
• Support BCP, DR, and IR programs, including tabletop exercises and plan testing

Due Diligence & Security Questionnaire Management

• Own and optimize the end-to-end Due Diligence Questionnaire (DDQ) response workflow, drafting, reviewing, and delivering responses to security questionnaires, Request For Proposals (RFP), and vendor assessments that build trust with lender clients
• Partner with IT, infosec, operations, and leadership to serve as the liaison between technical teams and client-facing engagements
• Exercise sound judgment in determining how to frame sensitive topics and how to present the company's security posture accurately
• Develop efficiencies through process improvements, implementation of automation and tools, and standardizing responses

Vendor Risk Management

• Manage and continuously improve the vendor risk program, maintaining a current inventory of third-party providers with data access or critical dependencies
• Apply and refine risk tiering based on data sensitivity, business impact, and regulatory exposure
• Conduct periodic reviews of critical and high-risk vendors; track remediation of findings and ensure contractual compliance
• Maintain vendor risk documentation that supports audit readiness and DDQ responses

Risk Management Support

• Assist in maintaining the risk register; identify emerging risks and document mitigating controls
• Assist with risk assessments; operationalize mitigation strategies and validate controls

Data Quality Auditing

• Partner with the Data Analyst to define data quality audit criteria and compliance-focused reporting requirements
• Review data quality results for accuracy and completeness; identify and escalate data integrity issues
• Design data checks and guardrails that ensure operational data integrity across products

Professional Qualifications:

The following knowledge, skills, education, and experiences are required:

• 3-6+ years of professional working experience
• Hands-on experience with SOC 2 audits, either managing or as a key contributor
• Working knowledge of security frameworks such as NIST CSF, ISO 27001, FTC Safeguards Rule, or similar
• Proven ability to draft and manage security questionnaire responses for enterprise clients
• Strong written communication skills - you will be writing client-facing materials that reflect the company's professionalism
• Ability to operate independently, manage multiple workstreams, and escalate appropriately
• Comfort working in a fully remote environment with a distributed team

The following knowledge, skills, and experiences are preferred, but not required:

• Experience in fintech, insurtech, automotive finance, or another regulated industry
• Familiarity with F&I (Finance & Insurance) products or the automotive dealer ecosystem is a strong plus
• Exposure to vendor/third-party risk management programs
• Understanding of basic data privacy requirements (CCPA, state privacy laws)
• Experience with data quality analysis and reporting tools
• Bachelor's degree in Information Systems, Business, Accounting, Risk Management, or a related field; relevant certifications such as CISA, CRISC, or GRCP are a plus

Why Consider Joining FIS now?

• The business is poised for accelerated growth with increasing demand from financial institutions and regulatory scrutiny creating a strong need for scalable GRC capabilities
• Opportunity to build and shape foundational GRC processes and programs, rather than inherit a fully mature system
• High visibility role with direct impact on client trust, audit outcomes, and enterprise risk posture
• Exposure to a unique intersection of fintech, automotive finance, and regulatory compliance
• Collaborative, cross-functional environment with access to leadership and influence on strategic decisions
• Hybrid/remote culture offering flexibility and autonomy
• Competitive compensation and benefits, with opportunity for growth as the company scales

The following behaviors are required:

• • Ownership mindset: takes full accountability for outcomes, follows through, and proactively addresses gaps
  • Detail-oriented and quality-driven: maintains high standards for documentation, accuracy, and audit readiness
  • Sound judgment and discretion: handles sensitive security and compliance information appropriately
  • Strong written communicator: translates complex technical and regulatory concepts into clear, client-ready language
  • Cross-functional collaborator: builds trust and works effectively across Legal, IT, Security, and business teams
  • Process-oriented and disciplined: creates repeatable, scalable workflows and continuously improves them
  • Risk-aware and pragmatic: balances regulatory requirements with business practicality and speed
  • Self-directed and organized: manages multiple priorities independently in a remote environment
  • Continuous learner: stays current on evolving regulations, frameworks, and industry best practices
  • Problem-solver: identifies root causes, proposes solutions, and drives issues to resolution
  • Client-focused: understands the importance of external trust and represents the company professionally in due diligence interactions
  • Adaptable and resilient: operates effectively in a growing, evolving organization with shifting priorities.

F&I Sentinel is an Equal Opportunity Employer. Employment decisions are made without regard to race, color, religion, national origin, gender, sexual orientation, gender identity, age, physical or mental disability, genetic factors, military/veteran status, or other characteristics protected by law.