GRC Senior Analyst


The Governance, Risk and Compliance (GRC) Senior Analyst is responsible for supporting the operational development and implementation of an effective, enterprise-wide, industry-aligned GRC framework. You will have extensive experience in similar roles and a demonstrable track record of delivering tangible outcomes in complex organisations.

As the GRC Senior Analyst you will be familiar with industry standards in information security and be able to drive an approach to risk management, compliance and control implementation that balances the need for robust security with the need to allow the business to achieve its goals.

You will be comfortable navigating a complex environment, collaborating with technical teams, articulating your ideas concisely to stakeholders at all levels, and influencing outcomes in support of enterprise projects.

If you have a positive mindset and can map risk to business value with a practical, adaptable and innovative approach, then this is the role for you!


  • Support the Head of GRC in designing, implementing and maintaining all aspects of the Information Security Management System (ISMS) across the organisation, working with key stakeholders such as IT Operations, Procurement, Legal, HR, Commercial, Marketing and Finance.
  • Contribute to the effective running of required steering/working groups to oversee and report on information security governance. These should drive strategic decisions to reduce risk across the CIO and wider group initiatives.
  • Support the design, implementation and maintenance of a risk management program that is embedded into the business, with a focus on the office of the CIO, and ensure full transparency of risks, their ownership and reporting, and accountability for risk remediation plans.
  • Support the design, implementation and maintenance of a governance and compliance program that focuses on the high-risk areas of our business and technology control environment and provides insightful, actionable reporting on non-compliance.
  • Plan and conduct internal and external compliance audits, coordinating with the wider Information Security function and external partners to drive assurance.
  • Provide Information Security subject matter expertise in collaboration with cross-functional teams and external partners to support a proactive security-led approach across the CIO and wider group initiatives.
  • Design, implement and maintain an effective training and awareness program tailored to business functions and based on training needs analysis to foster a positive security culture and embed security best practices.
  • Design, implement and maintain a practical third-party risk management program using a scalable, measurable and automated approach.
  • Draft, review and maintain Information Security policies, standards, procedures, and guidelines. Effectively communicate with relevant stakeholders to embed the policy framework in a practical and auditable manner.
  • Support the evolution of GRC capabilities to ensure we continually mature and maintain a proactive posture. Support the management and maintenance of all tooling used to deliver GRC capabilities into the organisation.
  • Work closely with the wider Information Security function to unify approaches to delivery of our services, engagement, reporting and communication.
  • Guide and support the professional development of junior team members to drive consistency, build trade competency and ensure cohesion across the wider Information Security function.


  • A thorough understanding of information security practices, frameworks and cyber security controls, with the ability to translate them into practical, sustainable real-world implementation.
  • Significant experience in the areas of information security governance, risk management, compliance and audit.
  • Ability to simplify complex technical security risks to both technical and non-technical audiences.
  • Confident and engaging communicator with excellent verbal, written and presentation communication skills.
  • Can work with multi-disciplinary teams and influence delivery and outcomes across all levels regardless of reporting lines.
  • Ability to prioritise complex evolving workloads against capacity to maximise valuable outputs.
  • Effective short- to mid-term planning, and comfortable re-prioritising and communicating the impact.
  • Comfortable identifying opportunities, influencing change and challenging in an appropriate manner at all levels.
  • Outcome focused and able to ‘think outside the box’ with a business value mindset.


  • A certification in any one or more of the following is desirable:
    • Certified in Risk and Information Systems Control (CRISC)
    • Certified Information Systems Auditor (CISA)
    • Certified Information Systems Security Professional (CISSP)
    • Certificate in Information Security Management Principles (CISMP)
    • CompTIA Security+

The above list of duties is not exclusive or exhaustive, and the post holder will be required to undertake tasks that are reasonably expected within the scope and grading of the post.