Job Description for GRC Analyst
Business Area: Information Security
Job Title: GRC Analyst
Scope and Coverage: Global
Outline Purpose of Role:
* Support in the development and maintenance of the GRC policy, risk and controls frameworks and the associated processes and artefacts.
* Conduct internal and external compliance and controls reviews, testing and audits.
* Support effective stakeholder engagement and maintenance of GRC information repositories such as policies and standards, the risk register, etc.
* Help drive a robust security posture for a large, complex organisation, trading globally within a constantly evolving IT and information security threat environment.
Impact of Role:
* Supports the organisation’s IT and cyber governance, risk and compliance processes.
* Helps drive good risk culture and behaviours into the business culture of JD Sports.
Reports to: This role resides in the Information Security Function and reports to a GRC Lead.
Direct Reports: Individual contributor with possible periodic oversight of seconded resources, contingent workers and systems integrators.
Key Elements of the Role:
The job holder will be responsible for assisting and supporting in a range of activities across the Governance, Risk and Compliance function. The job holder will be responsible for the following activities:
Governance and Policy:
* Develop a clear understanding of the organisation, its various entities (business units, subsidiaries, partners, and interdependent entities) to assess existing and applicable policy requirements.
* Contribute to and manage the development, maintenance and review of IT and cyber policies, standards and guidelines.
* Identify, analyse and report on key policy metrics such as policy exceptions and breaches, and identify relevant risks arising from policy exceptions.
* Maintain and develop the IT and cyber GRC internal governance processes, such as monitoring of compliance changes, technological advancement, engagement activities, information repositories, stakeholder engagement, etc.
Risk Management:
* Maintain and manage the IT and cyber risk register, including conducting risk assessments and agreeing risk-mitigating actions with stakeholders.
* Analyse and categorise IT and cyber risks, aligning risk assessment activities with business priorities and objectives.
* Track and prepare regular risk reporting to senior leadership highlighting KRIs, status and mitigations.
* Assess and monitor third party risks in accordance with the IT and cyber risk framework.
* Analyse incidents and events to identify omissions and opportunities for improvement in accordance with the organisation's risk exposure and appetite.
Compliance:
* Assist in the maintenance and improvement of the IT and cyber controls framework as compliance and technology requirements change.
* Perform IT and cyber controls testing in line with the GRC assurance plan.
* Conduct reviews and assessments of third parties in line with JD compliance requirements.
* Support internal and external audits related to IT and cyber risk and ensure timely remediation of identified risks or control gaps.
Cross-functional Collaboration:
* Communicate with internal stakeholders (technical and non-technical) and suppliers to discuss GRC requirements and queries.
* Collaborate with third-party vendors and partners to enforce consistent GRC requirements within the supply chain and vendor ecosystem.
* Work closely with HR, procurement, legal, and other departments to ensure that GRC requirements are integrated into key business processes.
* Provide guidance and training to teams across the organisation on IT and cyber GRC and best practices.
* Establish strong working relationships with internal and external stakeholders to champion GRC processes and activities.
Key Attributes of The Jobholder:
Experience and Qualifications:
* Bachelor’s degree in Cybersecurity, Information Technology, Compliance or a related field.
* 5+ years of experience in IT and cyber governance frameworks, policy development, cyber assurance, compliance or a related discipline.
* Certifications such as CISSP, CISM, CRISC, or equivalent are strongly preferred.
* In-depth understanding of cybersecurity frameworks (e.g., NIST, ISO 27001) and risk management methodologies.
* Experience of third-party risk management.
* Knowledge of regulatory requirements and compliance frameworks (e.g., GDPR, ITGC, PCI-DSS, etc.) related to IT, cybersecurity and risk management.
* Awareness of various operating systems including but not limited to Windows, Linux, Unix.
* Experience with cloud environments (AWS, Azure, GCP) and understanding of cloud security risks.
* Awareness of Agile environments and practices.
Key Skills:
* Ability to extract clarity from fast-paced, evolving scenarios by helping to clarify the inevitable ambiguity arising within a large, complex, and interdependent organisation.
* Strong analytical and problem-solving skills, with the ability to make informed risk-based decisions.
* Excellent communication skills, both written and verbal, to effectively present risks to senior leadership and non-technical audiences.
* A proven ability to work collaboratively and constructively with other managers to ensure clarity of purpose, effective communication, and a mutual understanding of IT and cyber frameworks and how to apply them.
* Strong organisational skills with experience of working collaboratively within multi-disciplined teams.
* Competent, engaging communication skills and an ability to articulate goals, achievements, risks, expectations, and needs to individuals and teams at all organisational levels.
* An ability to collaborate effectively in a diversely located team to focus on common goals and timelines.
Values and Behaviours:
The job holder will be a strategic thinker who is respectful and collaborative and able to work easily within a diverse and dispersed team of professionals and will exhibit:
* Goal-oriented focus,
* Strong schedule keeping,
* Openness,
* Integrity,
* Empathy,
* Accountability,
* Enthusiasm,
* Flexibility,
* Creativity.