Governance, Risk & Compliance (GRC) Lead

ID 2025-5631
Category
Information Technology
Position Type
Full-Time

Overview


Who Are We

At ERMCO, we energize the world by empowering people. Our team keeps your lights on and your future bright. We welcome innovation, test ideas fearlessly, and turn them into scalable, market-ready solutions. We're driven by purpose, aligned in our goals, and agile in the face of change. If you're ready to be part of a company with a strong legacy and even stronger vision, we’re ready to meet you. Join a team where your career can truly TRANSFORM.


Who Are You

The GRC Lead plays a pivotal role in ensuring an organization adheres to regulations, policies and ethical standards while managing risks effectively. This position not only safeguards business systems and ensures regulatory compliance but also serves as a strategic leader in the creation and maturation of a comprehensive GRC Program.


The GRC Lead will be responsible for building and evolving internal processes, leading cross-functional efforts, and supporting the development of a scalable security and compliance framework. This role also provides an opportunity to lay the foundation for a dedicated internal team and will be instrumental in shaping ERMCO’s long-term GRC roadmap.


This position is remote in the following states: FL, GA, IL, KS, NC, NE, SD, TN, TX, WI, WY

Responsibilities


What Will You Do

Governance and Compliance:

  • Conduct regular audits of ERP access, security controls, and processes to ensure adherence to internal and regulatory compliance.
  • Develop, implement, and manage IT governance and compliance frameworks aligned with industry standards (e.g., ISO 27001, NIST CSF, SOC 2, GDPR).
  • Monitor and report on compliance with internal policies, regulatory requirements, and contractual obligations.
  • Support the creation of a scalable governance function by documenting frameworks and mentoring future GRC team members.
  • Assist with creating and educating the business on security policies that align with organizational needs, regulatory requirements, and business objectives.

Strategic Function Development:

  • Partner with leadership to define the vision and roadmap for GRC initiatives across the enterprise.
  • Design and implement internal processes, metrics, and reporting systems to support a growing compliance and security infrastructure.
  • Lead or support the establishment of an internal GRC/security team, helping to onboard, train, and mentor new personnel as the function evolves.

Risk Management & Mitigation:

  • Identify and assess IT-related risks, including those related to information security, data privacy and regulatory compliance.
  • Manage the IT risk register and partner with business functions (Finance, HR, etc.) to ensure risks are proactively mitigated.
  • Facilitate cross-functional risk assessments and implement strategies aligned with enterprise risk management goals.
  • Monitor the effectiveness of implemented controls and make recommendations for improvement.

Compliance Management:

  • Ensure compliance with relevant laws, regulations and industry standards (GDPR, NIST CSF).
  • Develop and maintain policies, standards and procedures related to GRC.
  • Conduct compliance audits and assessments.
  • Stay up to date on changes in relevant regulations and industry best practices.

Vendor Risk Management:

  • Conduct vendor risk assessments to evaluate the security posture of 3rd party vendors.
  • Monitor vendor compliance with organizational security requirements.
  • Drive the third-party security process for both client-facing and internal vendors, ensuring security standards are met and maintained.

Reporting and Communication:

  • Prepare and present reports on risk assessments, compliance status and mitigation efforts.
  • Communicate GRC-related information to business stakeholders.
  • Provide guidance and support to business units on GRC-related matters.

Policy Development and Management Training:

  • Develop and maintain policies, standards, and procedures to ensure the confidentiality and integrity of business systems and data.
  • Ensure the policies are aligned with organizational objectives and regulatory requirements.
  • Track emerging risks and ensure policies adapt to new threats, technologies, and regulations.

Training and Awareness:

  • Deliver ongoing training that promotes awareness of IT policies and security best practices.
  • Take ownership of the company’s security awareness training and improve its relevance and impact across the organization.
  • Deliver monthly cybersecurity awareness training to improve end user behavior and reduce the risk at the individual level.
  • Design and conduct phishing and vishing campaigns that are more meaningful and effective in reducing employee susceptibility and improving engagement.
  • Deliver monthly cybersecurity awareness training designed to improve end-user behavior and increase overall training compliance.
  • Emphasize the importance of reporting phishing attempts and build a culture of proactive incident awareness.
  • Mature the phishing training program by introducing targeted, role-based training and performance tracking.

Collaboration and Support:

  • Collaborate with various business units and stakeholders to integrate GRC practices into daily operations.
  • Support acquisition integrations through risk assessments and onboarding into the enterprise compliance framework.
  • Prepare documentation and evidence for internal and external audits and regulatory reviews.
  • Maintain a strong collaborative partnership with Security Operations and Security Architecture.
  • Act as the cybersecurity assurance liaison for the station, ensuring alignment of GRC objectives with operational practices.
  • Identify and support five key improvements at the station that enhance security posture and contribute to reduced cybersecurity insurance premiums.

Qualifications


What Will You Need

  • Bachelor’s degree in Cybersecurity, Information Technology, or a related field.
  • 5+ years of experience in OT security, IT security, GRC, cyber project management, security framework implementation or risk management (manufacturing environment preferred).
  • Familiarity with industry frameworks such as ISO 27001, NIST CSF, or SOC 2.
  • Hands-on experience with access controls, risk registers, and audit support.
  • Strong communication, stakeholder engagement, and problem-solving skills.
  • Certifications such as CISA, CISM, or CISSP are highly desirable.

Preferred Skills:

  • Experience in establishing and leading internal control and segregation of duties processes.
  • Experience securing SaaS and hybrid environments.
  • Background in user access reviews and role-based permission structures.
  • Demonstrated ability to lead cross-functional teams or projects.


Let’s Build the Future Together
At ERMCO, your ideas matter, your growth is supported, and your impact is real. If you're ready to take the next step in your career and help us drive innovation in manufacturing, we’d love to hear from you. Join ERMCO and TRANSFORM your career!
