Senior GRC Manager
RiskExec, Inc.
14d ago
Management · United States
Job Description
About RiskExec
RiskExec is a rapidly growing SaaS company that delivers a best-in-class compliance analytics and reporting platform to help financial institutions and lenders comply with key government regulations and unlock new growth opportunities.

Working at RiskExec
At RiskExec, we’re building a world-class Compliance and Business Intelligence Platform trusted by regulated financial institutions including banks, credit unions, and fintech lenders. We help our clients confidently navigate complex regulatory requirements while achieving business growth. Our high-performing team thrives in a dynamic, fast-paced environment that requires maximum professionalism, flexibility, and responsiveness. We value driven individuals who embrace ownership and accountability, excel at collaborating closely with teammates, and dedicate themselves fully to delivering exceptional outcomes. As an entrepreneurial organization, the demands of our business don’t always fit into a “traditional 9-5” schedule.

The Opportunity
RiskExec sells into banks and credit unions that expect disciplined governance, provable controls, and rapid, defensible responses to vendor risk scrutiny. This role exists now because we need a single owner accountable for the governance system that underpins trust: how policies are set and maintained, how risks are recorded and adjudicated, how controls stay effective, and how we prove it—fast.

You will own our SOC 2 program, enterprise due diligence execution, and Trust Center, while also operating as the company’s governance lead: turning “security and compliance” into an operating system with clear decision rights, measurable outcomes, and audit-grade traceability. You will use AI as leverage to reduce cycle time, improve consistency, and keep RiskExec continuously ready.

We are prioritizing candidates in the Washington, DC, Chicago, and Knoxville areas. We will consider candidates based in the United States (remote) in the ET and CT time zones.

What You Will Do
What you will own:
Governance system ownership: the structure, cadence, and decisioning for risk, controls, policies, exceptions, and accountability (including executive-level reporting).
Risk management operating rhythm: risk register quality, risk acceptance workflows, exception handling, and control ownership clarity across the org.
SOC 2 end-to-end ownership: readiness, evidence strategy, auditor management, remediation tracking, and year-round audit posture.
Vendor risk & due diligence execution: DDQs/SIGs, procurement security reviews, customer risk calls, and follow-up threads that unblock revenue.
Trust Center as a product: content strategy, publishing governance, accuracy guarantees, and ongoing maintenance tied to real architecture and controls.
Compliance proof library: a centralized, version-controlled repository of reusable, bank-ready narratives and evidence with clear freshness/expiry rules.
AI-enabled compliance operations: the workflows, controls, and QA process that make AI output reliable, repeatable, and audit-aligned.

How You Will Drive Impact
You will build a governance-and-compliance engine that runs on cadence, not heroics:

Governance cadence:
Weekly: evidence/control hygiene and deal support triage
Monthly: risk register updates, vendor reviews, and exception log review
Quarterly: control effectiveness reviews, policy refresh cycles, executive readouts
Pre-audit: a defined sprint with zero scrambling because the system is already current

Decision authority (explicit):
Set the standard for what RiskExec can claim externally—and stop claims that aren’t provable.
Require remediation plans with owners/dates for control gaps.
Own the risk acceptance workflow and escalate material risks to exec leadership with recommendations.

AI is part of the operating model (expected outcomes):
Build AI-assisted DDQ/SIG response workflows that pull from approved internal sources and the proof library.
Use AI to draft/refresh policies and control narratives, then apply human review and audit alignment checks.
Automate evidence summaries, Trust Center updates, and change-detection prompts tied to product/infra changes.
Establish guardrails: source-of-truth requirements, red-team review for hallucination risk, and version control.

Success metrics (measured outcomes):
SOC 2: on-time milestones, evidence completeness, remediation cycle time, reduction in audit findings
Due diligence: turnaround time, follow-up volume reduction, win-rate impact in security reviews
Governance: risk register accuracy, exception aging, control ownership clarity, policy freshness SLAs
Trust Center: content freshness, adoption/usage, reduction in repetitive customer questions

Cross-Functional & Executive Interfaces
You will partner closely with:
Executive leadership: governance reporting, material risk escalation, risk acceptance recommendations, audit readiness status.
Engineering / DevOps / Security: control design reality, evidence automation, SDLC controls, incident response, and architecture narratives.
Sales / So
