The International Rescue Committee (IRC) responds to the world’s worst humanitarian crises, helping to restore health, safety, education, economic wellbeing, and power to people devastated by conflict and disaster. Founded in 1933 at the call of Albert Einstein, the IRC is one of the world’s largest international humanitarian non-governmental organizations (INGO), at work in more than 40 countries and 29 U.S. cities helping people to survive, reclaim control of their future and strengthen their communities. A force for humanity, IRC employees deliver lasting impact by restoring safety, dignity and hope to millions. If you’re a solutions-driven, passionate change-maker, come join us in positively impacting the lives of millions of people world-wide for a better future.
JOB SUMMARY
IRC is seeking an experienced Information Security Governance, Risk, and Compliance (GRC) Manager to lead and enhance the GRC function within the Global Information Security (GIS) department. Reporting directly to the Chief Information Security Officer (CISO), this role is ideal for a self-starter who requires minimal direction and is capable of both consolidating and optimizing existing GIS services within the GRC framework while also identifying opportunities to innovate and expand service offerings. This role is designed for someone who excels in an autonomous capacity and is skilled at evolving and scaling GRC initiatives to meet the dynamic needs of the organization.
DUTIES/RESPONSIBILITIES
1. Information Security Governance:
• Act as a strategic partner to senior leadership, aligning GRC efforts with broader organizational goals to contribute to resilience, reputation, and long-term success.
• Formalize and enhance the metrics program for consistent monthly and quarterly reporting on key information security metrics and trends, providing actionable insights for executive management.
• Drive a comprehensive, multi-cultural security training and awareness initiative, ensuring all staff are well-versed in security policies, procedures, and implications for their roles.
• Further implement and optimize IRC’s GRC platform to support strategic GRC objectives, enabling efficient reporting, seamless integration with existing workflows, and improved organizational visibility.
2. Information Security Risk Management:
• Identify, assess, prioritize, mitigate, and continuously monitor risks in alignment with IRC’s risk appetite, creating actionable insights for leadership.
• Facilitate regular interviews with Asset Owners and Custodians to perform risk identification, risk scenario development and assessment, business impact analysis (BIA), and control assessments.
• Maintain the IT Risk Register while proactively building and refining strategic approaches to mitigate identified risks and monitor relevant controls.
• Lead third-party risk management efforts, including overseeing the deployment and use of the Vendor Risk Assessment (VRA) module, ensuring rigorous vetting and oversight of external partnerships.
• Integrate threat intelligence into risk management and incident response, anticipating emerging threats and aligning with predictive risk analytics to support proactive security measures.
3. Information Security Compliance:
• Ensure compliance with relevant laws, regulations, industry standards, and donor obligations, including GDPR, ISO 27001, NIST Cybersecurity Framework (CSF), and NIST 800-171.
• Partner with Legal, Supply Chain, and other teams to facilitate contract reviews, update language for security obligations, and ensure IRC’s preparedness for donor contract and revenue compliance.
• Strengthen organizational understanding of policies and conduct regular assessments to measure and improve workforce compliance.
• Coordinate IT audits, cyber risk assessments, and control assurance activities.
4. Strategic Thought Leadership and Industry Awareness:
• Maintain a robust awareness of emerging threats, best practices, and evolving regulations across cybersecurity, privacy, and compliance domains, providing guidance on ethical considerations, including data privacy laws and responsible use of artificial intelligence.
• Develop and refine internal processes and policies to address and anticipate compliance needs in rapidly evolving regulatory landscapes, ensuring IRC stays ahead of regulatory changes.
• Establish, track, and report on key GRC metrics, including KPI/KRIs, to measure program effectiveness, supporting a continuous improvement model, defining risk threshold triggers, and leveraging benchmarking to align with industry standards.
5. Organizational Culture and Engagement:
• Foster a culture of security and compliance across all levels of the organization, promoting ownership and accountability among staff for information security.
• Champion role-specific security education programs that go beyond basic awareness, addressing unique risks associated with different roles and functions within the organization.
Key Working Relationships:
Position Reports to: CISO
Position indirectly supervises: N/A
Indirect Reporting:
Other Internal and/or external contacts:
Internal: IT staff / leaders, Information Security Working Groups, Senior Leadership, Governance Committees, Business and IT staff across regions, HQ and Nairobi iHub, Safety and Security Team.
External: Industry/sector peers and vendors.
Job Requirements:
Education
Relevant Bachelor’s degree; Master’s degree in Computer Science, Security or related highly desired
Work Experience
• At least 5-7 years of GRC program experience required, including at least 2 years of functional ownership. Relevant information security program experience permitted.
• At least 2 years in a global organization; nonprofit experience desired.
Demonstrated Skills and Competencies
• Global GRC program development and implementation, including governance framework and policy enforcement.
• Strong leadership, forming and leading internal working groups and governance bodies related to information security, risk, and compliance.
• Independent problem-solving, proactive approach, and ability to make strategic decisions.
• Proactive analytical and critical thinking, committed to understanding needs.
• Change management expertise, securing buy-in across the organization.
• Hands-on experience with GRC platform implementation and operation.
• Deep knowledge of cybersecurity, IT risk management, incident response, and data privacy, including relevant laws, regulations, and security frameworks, e.g., ISO 27001-2022, NIST 800-53 R4, NIST CSF 2.0.
• Effective communication and stakeholder engagement at all levels with integrity and discretion in handling sensitive matters.
• Development and delivery of training programs and awareness campaigns.
• Proficiency in managing third-party/vendor risk assessments and compliance.
• Proficiency in data analysis techniques and tools, e.g., data aggregation, PowerBI/Tableau, etc.
• Adaptability to evolving security threats and industry trends.
• Commitment to ethical conduct and regulatory compliance.
Language Skills: English required; French and Arabic a plus
Certificates or Licenses: Certifications such as CISSP, CISM, CRISC, or other related certifications are desirable.
Working Environment: Standard office work environment; work location may be remote.
Travel: Limited
Compensation:
Posted pay ranges apply to US-based candidates. Ranges are based on various factors including the labor market, job type, internal equity, and budget. Exact offers are calibrated by work location, individual candidate experience and skills relative to the defined job requirements.
US Benefits:
We offer a comprehensive and highly competitive set of benefits. In the US, these include: 10 sick days, 10 US holidays, 20-25 paid time off days depending on role and tenure, medical insurance starting at $143 per month, dental starting at $6.50 per month, and vision starting at $5 per month, FSA for healthcare and commuter costs, a 403b retirement savings plan with immediately vested matching, disability & life insurance, and an Employee Assistance Program which is available to our staff and their families to support counseling and care in times of crisis and mental health struggles.
Standard of Professional Conduct: The IRC and the IRC workers must adhere to the values and principles outlined in the IRC Way – our Code of Conduct. These are Integrity, Service, Accountability, and Equality.
Commitment to Gender, Equality, Diversity, and Inclusion: The IRC is committed to creating a diverse, inclusive, respectful, and safe work environment where all persons are treated fairly, with dignity and respect. The IRC expressly prohibits and will not tolerate discrimination, harassment, retaliation, or bullying of IRC persons in any work setting. We aim to increase the representation of women, people who are from the countries and communities we serve, and people who identify as races and ethnicities that are under-represented in global power structures.
How to apply
https://careers.rescue.org/us/en/job/req56629/GRC-Program-Manager