Director of GRC
New York, NY, US
Amalgamated Bank is looking for a Director of Governance, Risk Management & Compliance who will be responsible for establishing and maintaining the company’s overall IT and security GRC program, as well as for developing and managing a global, enterprise-wide information GRC program. The role includes implementation and maintenance of policies, as well as a comprehensive controls framework with global third-party risk management.
The director ensures the company’s technical systems and information assets are protected. Furthermore, the director is responsible for identifying, evaluating and reporting on information security risks that are important for the business to be aware of and act on accordingly. The director works in tandem with security leadership to elevate the company’s security posture. To be successful, the director of GRC must be able to influence and lead the GRC security strategy of the business within new and existing information system capabilities. The position requires a diverse background to understand a variety of systems, including new technologies and legacy systems considered business-critical. The GRC program is led by the director, who reports to executive security or risk management leadership within the company.
By joining our team, you’ll be joining a Bank that believes that maintaining a diverse and inclusive workplace where everyone feels valued and respected is essential for us to grow as a company. We are dedicated to building a more equitable world in our everyday practices by embracing the values of our employees and customers.
Essential Job Functions:
- In tandem with risk management and security, direct and conduct ongoing risk analysis organization-wide to uphold the GRC program.
- Lead and direct the GRC team to document, communicate and enforce areas of security improvement that balance risk with business operations, and ensure controls do not weaken efficiency or business innovation; provide rigorous oversight of security systems and security configuration administration that reduces risk to enterprise systems and accounts.
- Emphasize privacy, security, business resiliency and compliance frameworks.
- Establish and maintain a strategy for managing security-related audits, compliance checks, and external assessment processes for auditors, including but not limited to, the National Institute of Standards and Technology (NIST), Society for Worldwide Interbank Financial Telecommunication (SWIFT), FedLine, the EU’s General Data Protection Regulation (GDPR), Sarbanes-Oxley (SOX), Gramm-Leach-Bliley Act (GLBA), Service Organization Controls (SOC) 2, California Consumer Privacy Act (CCPA), CRI-profile, and other applicable industry standards. Create strong oversight with third parties, vendors and business partners by confirming …