Lead grc manager

London
Lebara Media Services Private
Manager
Posted: 16 February
Offer description

The Lead Governance, Risk & Compliance (GRC) Manager is responsible for establishing, operating, and continuously improving the organisation's enterprise-wide compliance, risk, and security governance frameworks. This senior leadership role requires deep expertise across regulatory, industry, and cybersecurity standards, specifically the UK Telecom Security Act, PCI DSS, ISO/IEC 27001, and NIS 2. You will act as the organisation's authoritative subject-matter expert, ensuring end-to-end compliance, overseeing risk posture, and enabling secure and resilient operations through structured governance and proactive risk management.

Responsibilities:

Governance & Compliance Leadership
· Lead the design and operation of the organisation's GRC strategy, ensuring alignment with business objectives and regulatory obligations.
· Serve as the principal authority on:
o Telecoms Security Act (TSA) & Code of Practice
o Payment Card Industry Data Security Standard (PCI DSS)
o ISO/IEC 27001 Information Security Management System (ISMS)
o NIS 2 Directive requirements & associated national legislation
· Maintain and continuously improve compliance roadmaps, policies, and controls across the enterprise.
· Oversee the governance framework, ensuring effective risk ownership, reporting, and leadership engagement.

Risk Management
· Lead the enterprise risk management (ERM) programme, ensuring risks are identified, assessed, prioritised, and treated effectively.
· Own the corporate risk register and report regularly to senior leadership, audit committees, and regulatory stakeholders.
· Design and implement risk assessment methodologies to support security, operational, and regulatory decision making.

Security Assurance & Control Oversight
· Drive internal and external audit cycles (TSA compliance, PCI assessments, ISO 27001 audits, NIS 2 evaluations).
· Oversee testing of security controls, including assurance reviews, control maturity assessments, and continuous compliance monitoring.
· Ensure remediation actions are managed through to completion and embedded into business processes.

Regulatory Engagement & Reporting
· Support business units during their contact with regulatory bodies and national CSIRTs/competent authorities for NIS 2.
· Prepare and deliver accurate regulatory submissions, compliance evidence, incident notifications, and executive reporting.

Policy, Standards & Framework Development
· Develop, own, and maintain enterprise information security policies and standards.
· Ensure policies reflect current legal, regulatory, and industry practices, and are adopted consistently across the organisation.
· Foster a strong risk-aware culture through training, awareness, and stakeholder engagement.

Cross-Functional Leadership
· Lead a high-performing GRC team and influence stakeholders across engineering, operations, legal, procurement, and product functions
· Provide expert guidance on secure-by-design initiatives, and supplier risk management.
· Support major programmes and transformation initiatives ensuring compliance and risk considerations are integrated from inception

Skills:

· Extensive experience working with:
o UK Telecom Security Act & Code of Practice (TSA/SRF)
o PCI DSS v4.0 including SAQ/ROC, segmentation, and control validation
o ISO/IEC 27001:2022 and associated 27000-series standards
o NIS 2 Directive, cybersecurity measures, governance requirements, and incident reporting obligations
o NCSC Cyber Assessment Framework

· Strong understanding of risk management frameworks (NIST, ISO 27005, ISO 31000, COSO)
· Experience managing audits, external assessors, and regulatory reviews
· Solid knowledge of threat landscapes, requirements, and operational security best practices.
· Solid grounding in information security principles, controls, and assurance practices.
· Experience overseeing technical and non-technical security controls
· Ability to shape long-term GRC strategy aligned to business objectives
· Strong understanding of network security, telecoms architecture and cloud platforms
· Experience with security tooling and GRC platforms such as OneTrust.
· Proven ability to lead, coach, and develop a high-performing GRC team.
· Skilled at influencing cross-functional stakeholders without direct authority
