Senior Manager, Governance, Risk & Compliance

Application NoticeWe encourage you to apply thoughtfully by selecting one position that best matches your qualifications and interests. You may submit up to two active applications at a time. Please consider your location choice carefully—we recommend applying where you envision building your future.The FirmUnlock the Boundless Horizons of Tax, Valuation, and Business Expertise with Andersen!At Andersen, we don’t just offer a career; we provide a thrilling expedition into the world of Tax, Valuation, and Business Advisory. We stand as a trailblazing force with the most extensive global presence among professional services organizations. You’ll embark on a journey that transcends the ordinary, working with extraordinary clients spanning every industry, regardless of their size, because at Andersen, we are free from independence-related constraints that may hinder other firms.But that’s not all; we’re more than just a company; we’re a community that thrives on diversity, inclusivity, and collaboration. Our focus is on your development helping you flourish as leaders, colleagues and trusted advisors. We equip you with world-class education, immersive experiences, and invaluable mentorship to support your rise to the top.We believe in your potential and invest in it to build a legacy that extends beyond your wildest dreams. Bring your ambition, your entrepreneurial spirit, and your burning desire to be the best. Your future mirrors the limitless possibilities of our future. Join us at Andersen, and together, let’s write the story of your success!The RoleAndersen is scaling its information security function, and this is a critical hire for the program’s next phase of maturity. The Senior Manager, Governance Risk & Compliance (GRC) will report directly to the Chief Information Security Officer (CISO) and own the build-out of the firm’s governance, risk, and compliance program. The immediate mandate is significant – lead simultaneous SOC 2 Type II and ISO 27001 certification initiatives while establishing the policy and risk management infrastructure the firm will rely on long-term. This is a program-building role, and the right candidate will be energized by the opportunity to design systems rather than maintain them.The Senior Manager, Governance Risk & Compliance (GRC) can expect to:SOC 2 Type II & ISO 27001 CertificationLead end-to-end certification programs for SOC 2 Type II and ISO 27001 simultaneously, from scoping through audit closureDefine control environments, manage evidence collection, and serve as the primary liaison with external auditors and certification bodiesAdminister the firm’s compliance automation platform and maintain continuous control monitoring and audit readinessManage both programs through their full lifecycle, including observation periods, annual renewals, surveillance audits, and ISO recertification cyclesPolicy & Risk ManagementDevelop and maintain a comprehensive information security policy suite aligned to SOC 2, ISO 27001, and applicable regulatory requirements, with defined processes for ownership, annual review, and exception managementBuild and maintain an enterprise risk register using structured methodology (e.g., ISO 27005, NIST CSF) and lead annual and ad hoc risk assessmentsCommunicate risk posture and policy compliance to the CISO and, where appropriate, to firm leadership and clientsDevelop and maintain an AI governance policy covering acceptable use of AI tools, agentic system deployments, and citizen developer activity, ensuring alignment with the firm’s risk appetite and applicable regulatory requirementsPrivacy & Regulatory ComplianceServe as the firm’s subject matter expert on GDPR, CCPA, and other applicable privacy and data protection requirementsMonitor evolving regulatory obligations globally and translate them into actionable compliance programsPartner with Legal and Operations on data subject requests, privacy impact assessments, and breach notification proceduresAdvise the CISO on emerging compliance obligations relevant to a global professional services firmThird-Party Risk & Client Due DiligenceDesign and operate the firm’s third-party risk management program, including vendor tiering, security assessments, and remediation trackingManage the firm’s response program for client security questionnaires and due diligence requestsMaintain a library of certification-aligned response language and track contractual security commitments across vendors and clientsSecurity Awareness & TrainingOwn the firm’s security awareness program, including curriculum design, platform administration, and completion trackingDevelop role-specific content for high-risk populations and keep training current against the evolving threat landscapeDevelop and maintain training content addressing AI-related threats and responsible AI use, including risks from unsanctioned AI tools, citizen developer activity, and AI agents operating with access to firm data and systemsTrack and report program effectiveness to the CISO on a regular cadenceTeam & Stakeholder LeadershipBuild collaborative relationships across Legal, IT, Operations, Audit, and client-facing teams to embed security and compliance into firm workflowsRepresent the information security function in client-facing conversations regarding the firm’s security postureThe Requirements8–12 years of progressive experience in information security GRC, with a demonstrated record of building programs, not just maintaining themBachelor’s degree in Information Security, Computer Science, Risk Analysis, or a related fieldProven track record achieving and sustaining both SOC 2 Type II and ISO 27001 certifications, including scoping, control design, ISMS development, and auditor relationship managementOperational knowledge of GDPR and CCPA, including hands-on implementation of compliance obligationsExperience designing and operating third-party risk management programsExperience managing client security due diligence and responding to security questionnaires at scaleAbility to build defensible, auditable policy frameworks and maintain structured enterprise risk registersProficiency with GRC or compliance automation platformsStrong written and verbal communication skills, with the ability to translate technical risk into business language for non-technical audiencesUnderstanding of the security and governance risks introduced by AI systems, including large language models, AI agents, and citizen developer platforms, and the ability to translate those risks into policy, training content, and risk register entriesPreferredRelevant certification such as CISA, CISM, or CRISCBackground in professional services or consulting, where security posture is tied directly to client trustFamiliarity with international privacy frameworks such as NDPA or DPDPAWorking knowledge of the NIST Cybersecurity Framework as a risk management overlayFamiliarity with AI governance frameworks such as NIST AI RMF, the EU AI Act, or ISO 42001, and awareness of emerging regulatory obligations affecting AI use in global professional services environmentsExperience managing or mentoring junior GRC staffCompensation And BenefitsOur firm offers competitive base compensation, benefits package, and a discretionary employee bonus program for eligible employees based on individual and firm performance metrics per the defined program guidelines. For individuals hired to work in the United States, the expected salary range for this role is $193,000 to $220,000; the actual salary offer can vary based upon employee qualifications.Benefits: Employees (and their families) are covered by medical, dental, vision, and basic life insurance. Employees are able to enroll in our firm’s 401(k) plan upon hire. We offer paid time off, beginning at 160 hours annually and provides twelve paid holidays throughout the calendar year. For a full listing of benefit offerings, please visit https://www.andersen.com/careers/faqs.Compensation: In addition to competitive base compensation, our firm offers annual discretionary bonuses based on firm and individual performance, a discretionary long-term cash incentive program, and other forms of discretionary compensation that would be offered to the hired applicant in addition to their established salary range scale.Applicants must be currently authorized to work in the United States on a full-time basis upon hire. Andersen will not consider candidates for this position who require sponsorship for employment visa status now or in the future (e.g., H-1B status).Equal OpportunityAndersen Tax welcomes and encourages workforce diversity. We are an equal opportunity employer. Applicants and employees are considered for positions and are evaluated without regard to race, color, national origin, ancestry, religion, sexual orientation (including gender identity and gender expression), mental disability, physical disability, sex/gender (including pregnancy, childbirth, and related medical conditions), age, marital status, military status, veteran status, genetic information, or any other characteristic protected by federal, state or local laws or regulations. All qualified individuals, including those with criminal histories, will be considered in a manner consistent with the requirements of applicable state and local laws. Additionally, we make every effort to provide reasonable accommodations to qualified individuals with disabilities.