Senior Manager/ GRC

• 100% onsite
• temp to perm
• Location:  TBD
• Job title:  Senior Manager GRC

General Summary

The Senior Manager of GRC provides strategic leadership and operational oversight for the Governance, Risk & Compliance function within Tolling Operations at Harris County Toll Road Authority (HCTRA). This position is responsible for directing and coordinating risk management initiatives, internal governance structures, compliance programs.This position is also responsible for developing and managing GRC frameworks, overseeing key regulatory compliance programs (including PCI DSS, SOC 1 and SOC 2), conducting vendor risk and third-party assessments, and ensuring alignment with industry standards such as ISO 27001 and NIST. This role ensures alignment of GRC strategies with county-wide objectives, regulatory requirements, and industry best practices, while fostering a culture of integrity, risk awareness, and operational resilience.

Duties & Responsibilities:

Provide executive oversight of Governance, Risk & Compliance programs including policy governance, enterprise risk management, compliance frameworks, and change initiatives.

Direct and support the activities of the Manager of Governance, Manager of Risk & Compliance, and Manager of Change Management to ensure program integration, continuity, and effectiveness.

Ensure compliance with data security and assurance standards including PCI DSS, SOC 1, and SOC 2 by developing and maintaining relevant policies, controls, and audits.

Develop and maintain a comprehensive risk assessment and mitigation strategy for the HCTRA’s Tolling Operations.

Oversee the third-party risk management (TPRM) program, conducting vendor due diligence, security assessments, and contract reviews to ensure appropriate risk controls are in place.

Collaborate with internal departments and external partners to improve operational governance and risk posture.

Lead strategic planning and reporting related to GRC objectives and performance metrics.

Support training, communication, and awareness programs to cultivate a risk-informed organizational culture. Participate in audit and incident response processes to ensure transparency and appropriate mitigation.

Knowledge, Skills and Abilities

Expert knowledge of compliance and assurance frameworks including PCI DSS, SOC 1, and SOC 2 reporting requirements.
Extensive knowledge of risk management, compliance regulations, governance models, and change management frameworks.
Strong understanding of IT controls, data protection policies, and third-party risk.
Proven leadership and people management skills in cross-functional environments.
Excellent analytical, communication, and strategic planning skills  with the ability to translate complex security and compliance issues into business-relevant language.
Deep understanding of public sector regulatory environments and operations.
Ability to build cross-functional relationships and lead multi-departmental initiatives.

 
Work Environment

There are no major sources of discomfort. A normal office environment with acceptable lighting and climate control is provided.

Physical Demands

Sedentary work - Exerting up to 10 pounds of force occasionally, and/or a negligible amount of force
frequently or constantly to lift, carry, push, pull or otherwise move objects, including the human
body. Sedentary work involves sitting most of the time. Jobs are sedentary if walking and standing are required only occasionally, and all other sedentary criteria are met.

 
Position Type and Typical Hours of Work

This is a full time position. Typical days of work are Monday-Friday. Hours may vary based on agency needs of the department. Evening, weekend, or on-call availability may be necessary to support 24/7 operations.

 
Required Education / Experience Bachelor’s degree in Information Security, Risk Management, Business Administration, or related field.
5–7 years of progressive experience in GRC, compliance, audit, or risk management roles.
Minimum 2–3 years of direct experience managing PCI DSS and SOC 1 / SOC 2 compliance efforts.
Proven experience developing and managing vendor risk and third-party assessment programs.
Leadership or mentoring experience in a GRC or risk-focused role.
Preferred professional certifications, one or more of the following:
      Master's degree    
      Certified Information Systems Auditor (CISA)
      Certified in Risk and Information Systems Control (CRISC)
      Certified Information Security Manager (CISM)
      Certified Information Systems Security Professional (CISSP)
      Certified in Governance of Enterprise IT (CGEIT) 
      PCI Professional (PCIP) or similar PCI-related certification