Governance, Risk and Compliance (GRC) Manager

Winnipeg, MB, CA, Canada

Job Description

Position Title: GRC Manager

Location: Winnipeg, MB

Department: Cyber Security and Information Security

Reports To: Director of Cyber Security and Information Security

Job Overview

Reporting to the Director of Cyber Security and Information Security, the Governance, Risk and Compliance (GRC) Manager is responsible for developing, implementing, and managing the organization's GRC framework to ensure alignment with industry standards, regulatory requirements, and strategic business objectives. Key responsibilities include overseeing risk assessments, policy development, compliance audits, and enterprise risk reporting, while fostering a strong risk-aware culture across the organization.

Key Responsibilities

Governance:

• Develop, maintain, and enforce GRC policies, standards, and frameworks aligned with best practices (e.g., ISO 27001, SOC 2, FAIR, NIST, CIS).
• Oversee the establishment and continuous improvement of information security governance structures and risk management processes.
• Coordinate the development and maintenance of organizational policies, SOPs, and guidelines related to risk, compliance, and data protection.
• Lead GRC awareness and training programs for internal and external stakeholders.
• Lead and govern IT Risk Management, ensuring integration with organizational objectives.
• Develop and maintain the strategic IT Risk Framework to guide enterprise decision-making.
• Support the Information Security Director in implementing and maintaining the ETS Information Security Management System (ISMS).
• Manage processes and activities to sustain the ETS ISMS, including reporting on metrics that measure Information Security objectives.

IT Risk Management:

• Identify, assess, and manage enterprise and IT risks through a structured risk management process.
• Conduct periodic risk assessments, threat modeling, and impact analysis to support decision-making.
• Maintain and update the enterprise risk register and ensure that mitigation plans are in place and monitored.
• Collaborate with business units and IT to embed risk management practices in daily operations and strategic planning.
• Monitor emerging risks and recommend appropriate responses.
• Assess enterprise-wide risk tolerance, risk appetite, and the quantification of risks.
• Manage the evolution of risk frameworks and processes to identify, measure, monitor, and report on the ETS risk environment.
• Ensure continuous improvement of the organization's ability to manage priority risks, including technology risks.
• Oversee Supplier and Vendor Risk Management, including annual risk assessments, quarterly KRI reporting, and updates to corporate recovery plans.
• Direct the development and maintenance of Business Continuity Plans (BCP), ensuring accuracy and completeness through plan reviews, exercises, and compliance signoffs.
• Monitor and manage action plans to address gaps in BCPs.

Compliance:

• Monitor regulatory and legal compliance requirements relevant to the organization's industry (e.g., data protection, cybersecurity, financial reporting).
• Lead internal and external audits related to compliance, including ISO certifications and regulatory inspections.
• Manage responses to compliance violations, audit findings, and risk incidents.
• Oversee third-party risk assessments and vendor compliance reviews.
• Ensure compliance with data privacy and protection frameworks (e.g., CMMC, CDP, GDPR, PIPEDA, or regional equivalents).
• Evaluate internal controls and conduct audits to ensure regulatory and policy adherence.
• Lead the internal audit team and support the maintenance of Information Security certifications and attestations.
• Manage oversight of policies, procedures, and systems that ensure ongoing compliance.

Reporting and Communication:

• Provide periodic reporting to executive leadership and relevant committees on the status of risk, compliance, and governance initiatives.
• Develop dashboards, metrics, and KPIs for monitoring GRC performance.
• Additional responsibilities as assigned.

Qualifications

Education, Licenses, and/or Certification, Experience Required:

• Bachelor's or Master's degree in Information Security, Risk Management, or a related field.
• Minimum 5 years of relevant experience in GRC, cyber security, audits, or enterprise risk.
• Professional certifications preferred: CRISC, CISM, CISA, ISO 27001 Lead Implementer/Auditor, or similar.

Knowledge, Skills, and Abilities Required:

• Strong knowledge of regulatory and compliance frameworks such as ISO 27001, NIST, PCI-DSS, or regional standards.
• Strong communication skills to interact effectively with diverse groups of people at all levels of the organization.
• Exceptional writing skills to generate required reports.
• Experience in a fast-paced environment with multitasking responsibilities.
• Strong ability to prioritize tasks and meet deadlines.
• Strong attention to detail and accuracy.

Working Conditions

• Must be able to obtain and maintain a clear criminal record check.
• Work performed primarily in an office environment.
• Manual dexterity required to use desktop computer and telephone.
• High-visibility role that requires regular interaction with stakeholders, clients, and vendors.

Methods and procedures described or implied in the job profile may be altered to accommodate employees.

Job Types: Full-time, Permanent

Pay: $115,000.00-$125,000.00 per year

Benefits:
• Dental care
• Employee assistance program
• Extended health care
• Life insurance
• On-site parking
• Paid time off
• RRSP match
• Vision care

Education:
• Bachelor's Degree (required)

Experience:
• GRC: 5 years (preferred)
• Cybersecurity: 5 years (preferred)

Licence/Certification:
• CRISC (preferred)
• CISM (preferred)
• Certified Information Systems Auditor (preferred)

Location:
• Winnipeg, MB R3P 0Z9 (required)

Work Location: In person
