Location: Hybrid with offices in Milton Keynes or London
Reports to CISO
Salary: £90,000 - £100,00
The Role
The Head of I&T GRC is responsible for establishing, maintaining, and reporting on the governance, management, risk and security control environments for Information and Technology by defining and overseeing the processes that:
• Policies, procedures, and processes are defined and updated regularly in response to performance data and changes to the operational environment
• Risks are identified and managed
• Controls are tested
• Exceptions are remediated
• Data are analysed and used for continuous improvement and optimization
• The role holder is responsible for ensuring that we deploy the most cost efficient yet effective services to meet the business needs with transparency of costs and flexibility of service.
The role ensures that we drive standardisation and consistency in the way in which we deliver solutions and support the business.
Areas of responsibility/ Key Accountabilities
Ensured Governance Framework Setting & Maintenance [COBIT 2019: EDM01]
Analyse and articulate the requirements for the governance of enterprise I&T. Put in place and maintain governance components with clarity of authority and responsibilities to achieve the enterprise's mission, goals and objectives.
Ensured Risk Optimisation [COBIT 2019: EDM03]
Ensure that the enterprise's risk appetite and tolerance are understood, articulated and communicated, and that risk to enterprise value related to the use of I&T is identified and managed.
Managed Quality [COBIT 2019: APO11]
Define and communicate quality requirements in all processes, procedures and related enterprise outcomes. Enable controls, ongoing monitoring, and the use of proven practices and standards in continuous improvement and efficiency efforts.
Managed Risk [COBIT 2019: APO12]
Continually identify, assess and reduce I&T-related risk within tolerance levels set by enterprise executive management.
Managed Performance and Conformance Monitoring [COBIT 2019: MEA01]
Collect, validate and evaluate enterprise and alignment goals and metrics. Monitor that processes and practices are performing against agreed performance and conformance goals and metrics. Provide reporting that is systematic and timely.
Managed System of Internal Control [COBIT 2019: MEA02]
Continuously monitor and evaluate the control environment, including self-assessments and self-awareness. Enable management to identify control deficiencies and inefficiencies and to initiate improvement actions. Plan, organize and maintain standards for internal control assessment and process control effectiveness.
Managed Compliance [COBIT 2019: MEA03]
Evaluate that I&T processes and I&T-supported business processes are compliant with laws, regulations and contractual requirements. Obtain assurance that the requirements have been identified and complied with; integrate IT compliance with overall enterprise compliance.
Team/People Management
• Improving organisational performance by developing the performance of individuals and workgroups to meet agreed objectives with measurable results.
• Enhancing employee engagement and ways of working, empowering team members and supporting their health and wellbeing.
• Finding, selecting, onboarding, and deploying team members.
• Facilitating the professional development of team members in line with their career goals.
Service Management
• Managing the catalogue of I&T GRC services in accordance with company standards and processes.
• Establishing and maintaining service level agreements with external suppliers and internal customers
• Managing the delivery and support of I&T GRC services to the DS Smith business
Job Dimensions & Responsibilities
Financial Responsibility/Cost Control
• I&T GRC OPEX Budget
• I&T GRC CAPEX Budget
Experience
• Tertiary academic or vocational qualification in a relevant field, or equivalent work experience
• In depth knowledge and practical experience of delivering core GRC services
• In depth knowledge and practical experience of the full breadth of information security and data protection domains
• Experience of successfully discharging leadership responsibilities
• Experience of successfully delivering consultancy or advisory services relating to core GRC disciplines
• Significant experience of leading large, multi-national and cross-functional teams influencing senior-level management and key stakeholders