Consultant - GRC

Confidential Company

Posted more than 30 days ago

Experience

8 - 13 years

Work Location

Doha - Qatar

Education

Bachelor of Technology / Engineering (any)

Nationality

Any European national

Gender

Any

Number of Vacancies

1 vacancy

Job Description

Roles and Responsibilities

Own and drive the Cybersecurity BU's internal governance, risk, and compliance execution: handle a high volume of corporate requests (policies, audits, risk registers, exceptions, third-party reviews, metrics) while also contributing to client-facing GRC engagements (assessments, roadmaps, compliance mapping, reporting). This role is delivery-heavy and requires strong stakeholder management, prioritization, and hands-on documentation skills.

Key Outcomes (What success looks like)

  • Corporate GRC requests are triaged, tracked, delivered, and reported with clear SLAs and priorities.

  • Policies/standards/procedures are usable, enforced, and kept current, not shelfware.

  • Risk and compliance reporting is accurate, timely, and defensible for leadership and auditors.

  • Client deliverables are clean, structured, and aligned to agreed frameworks (e.g., QCSF/NIA, ISO 27001, NIST).

  • Stakeholders respect the function because you add clarity and control, not bureaucracy.

1) Corporate GRC Operations (High-Volume Request Handling)

  • Act as the single point of accountability for BU GRC operations: intake, triage, prioritization, execution, and closure.

  • Build and run a GRC request pipeline (ticketing/backlog/kanban), including SLAs, dependencies, and status reporting.

  • Challenge vague requests: convert noise into clear scope, deliverables, owners, and deadlines.

  • Enforce governance through decisions and escalation.

2) Governance (Policies, Standards, Internal Controls)

  • Develop and maintain BU security governance artifacts: policies, standards, procedures, baselines, templates.

  • Ensure governance aligns with corporate requirements and applicable regulations, with traceability to controls/frameworks.

  • Drive policy adoption via implementation guidance, control owners, and periodic attestations.

  • Produce executive-friendly outputs: dashboards, governance reports, action trackers.

3) Risk Management (Practical, Not Theoretical)

  • Own the BU risk register: identification, assessment, scoring, treatment plans, and acceptance workflows.

  • Run risk workshops with IT/Operations/Projects to capture real risks and convert them into actions.

  • Manage risk exceptions/waivers (justification, compensating controls, approval, expiry, re-validation).

  • Track remediation progress, validate evidence, and report risk movement over time.

4) Compliance & Audit Execution (Evidence-Driven)

  • Lead BU readiness for internal/external audits: evidence collection, control testing coordination, gap closure plans.

  • Maintain compliance mapping for relevant frameworks (e.g., ISO 27001/27002, NIST CSF/800-53, CIS Controls, local frameworks such as QCSF/NIA when applicable).

  • Coordinate with Legal/HR/IT/Procurement on compliance topics (privacy, records, access controls, vendor risk).

  • Produce audit artifacts: SoA, control matrices, evidence packs, CAPA plans.

5) Third-Party & Supplier Risk

  • Execute/coordinate third-party security assessments: questionnaires, evidence review, risk ratings, remediation follow-up.

  • Support contract/security clauses review with Procurement/Legal.

  • Maintain supplier risk records and ensure closure of high/critical findings.

6) Client-Facing GRC Delivery (Part-Time Allocation)

  • Contribute to client assessments and advisory engagements: maturity assessments, gap analysis, compliance roadmaps, risk registers, policies, and reporting.

  • Support delivery managers/project leads with structured, reusable deliverables and strong documentation quality.

  • Participate in client meetings/workshops and translate discussions into actionable outputs.

7) Metrics, Reporting, and Leadership Communication

  • Run recurring reporting: GRC KPIs/KRIs, compliance status, audit readiness, top risks, overdue actions.

  • Brief BU leadership with clear recommendations, decisions needed, and escalation items.

  • Maintain transparency: stakeholders should always know what’s in progress, blocked, overdue, and why.

Desired Candidate Profile

Required Experience & Qualifications

  • At least 8 years in cybersecurity GRC, risk management, compliance, or audit-heavy security roles.

  • Proven experience running governance documentation end-to-end (policy → adoption → evidence).

  • Solid understanding of security frameworks and control-based approaches: ISO 27001/27002, NIST CSF/800-53, CIS Controls (and QCSF/NIA in the Qatar context).

  • Experience with audits (internal/external), evidence management, and remediation tracking.

  • Strong stakeholder management across technical and non-technical teams.

Tools & Delivery Skills

  • Advanced documentation and structuring: MS Word/PowerPoint, clean formatting, executive summaries.

  • Strong Excel skills for trackers and reporting (risk registers, matrices, dashboards).

  • Familiarity with GRC tooling.

  • Ability to manage workflows in Jira/ServiceNow/Planner/Trello or similar.

Employment Type

    Full time


Keywords

  • GRC Frameworks
  • Compliance
