Global Director, Risk & Compliance

Company Description

Blend is a premier AI services provider, committed to co-creating meaningful impact for its clients through the power of data science, AI, technology, and people. With a mission to fuel bold visions, Blend tackles significant challenges by seamlessly aligning human expertise with artificial intelligence. The company is dedicated to unlocking value and fostering innovation for its clients by harnessing world-class people and data-driven strategy. We believe that the power of people and AI can have a meaningful impact on your world, creating more fulfilling work and projects for our people and clients. For more information, visit www.blend360.com.

Job Description

We are looking for a Director, Global Risk & Compliance to establish and lead the firm's first centralized risk management and compliance function. This role will build the enterprise risk framework, develop and implement global policies (AI governance, data privacy, vendor risk management, ESG compliance), manage the corporate insurance program, and coordinate compliance execution across all regions.

This role will serve as the client-facing risk leader, engaging directly with enterprise clients on compliance questionnaires, security assessments, and risk governance. The role partners closely with the VP of IT and Sr. Security Engineer to ensure the enterprise risk framework reflects both business and technology dimensions.

This is a governance and framework role, not a technical security engineering role. The Director defines risk policy and requirements ("what" and "why"); the Sr. Security Engineer implements at the infrastructure level ("how"). The two roles operate as complements with a clear boundary.

Core Responsibilities

Risk Management & Oversight

• Partner with executive leadership to define Blend360's risk appetite and tolerance thresholds; translate those into a practical risk management framework with clear escalation protocols across all the global enterprise.
• Create and maintain a master risk register that tracks business, operational, regulatory, and technology risks; record who owns each risk, its likelihood and potential impact, and how we'll address it
• Run annual risk reviews across all regions and business units; use the external Global Risk Assessment (expected Q3 2026) to benchmark our findings
• Design incident response procedures and lead after-incident reviews to track fixes to completion
• Brief senior leadership quarterly on our risk position, new threats, and progress on mitigation efforts

AI Governance & Technology Risk

• Create and maintain policies for how Blend360 uses AI, manages data, handles information security, and maintains business continuity
• Partner with the AI Steering Committee to ensure AI is used responsibly both for client work and internal operations
• Set standards for building and using AI models: establish rules around data quality, model performance, bias detection, and responsible use; translate regulatory requirements (EU AI Act, NIST AI RMF) into Blend360 standards
• Work with the VP of IT and Sr. Security Engineer to assess risks in our technology infrastructure (AWS, Snowflake, client systems); document findings in the risk register and present to leadership
• Track data safety across the company, from how it's collected and processed to how it's shared and moved across borders (for both client and internal data)
• Review client projects for risks related to cloud, data, and AI components; provide risk-based recommendations to support legal review and deal decisions

Vendor & Third-Party Risk Management

• Establish standards for evaluating vendor and partner risks; assess key technology providers (AWS, Snowflake), subcontractors, regional partners and any data processors
• Set rules for how we safely integrate with and share data with vendors
• Review the technical side of partnerships, acquisitions, and client solutions working with the VP of IT
• Review all policies at least annually and maintain an update process when policies change

Insurance & Compliance Program

• Manage Blend360's global insurance programs: professional liability, cyber, directors & officers, general liability, and any client-specific coverage
• Manage broker relationships and lead annual insurance renewals
• Lead SOC 2 compliance: own the audit relationship, framework, and track remediation; work with the Sr. Security Engineer on technical requirements
• Oversee ESG compliance, including Mastercard requirements and sustainability reporting (SBTi, CDP)
• Track regulatory changes across North America, Europe, and Latin America that affect Blend360 (GDPR, EU AI Act, data privacy laws, employment law)

Cross-Regional Coordination

• Coordinate compliance across regions with legal leads: North America, Latin America, and EMEA
• Work with VP Ops in Uruguay and India on compliance, employment law, and data protection at each office
• Fill the EMEA compliance gap until dedicated legal resources are in place; own EMEA policies in the meantime
• Partner with legal lead on Latin American regulatory issues; work with Legal & Compliance Analyst for on-the-ground support
• Run quarterly compliance reviews with each region; track fixes and report status to the SVP Finance

Client-Facing Risk & Compliance

• Represent Blend360 on risk and compliance matters with enterprise clients; engage directly with their security, procurement, and compliance teams
• Handle client compliance questionnaires (security, privacy, ESG, AI governance) in partnership with IT, Security, and delivery teams
• Create standard checklists for reviewing client contracts and define when to escalate
• Support high-risk contract reviews; assess insurance, liability, indemnification, and IP issues
• Maintain a log of client contracts that exceed our risk limits

Operating Model: Risk Director vs. Sr. Security Engineer

This role works closely with the Sr. Security Engineer (reports to VP IT). The split is:

Risk Director owns: risk framework, policies, risk register, insurance, ESG, SOC 2 audits, client compliance, AI governance policy, vendor standards, cross-regional coordination, executive reporting

Sr. Security Engineer owns: AWS security, Snowflake security, access controls, vulnerability management, technical incident response, infrastructure hardening

Shared: SOC 2 (Risk owns the framework and audit; Engineer provides technical details), client questionnaires (Risk owns responses; Engineer provides technical input), AI risk (Risk owns policy; Engineer implements technical controls)

Qualifications

Required Qualifications

• 8 years in risk management, compliance, or legal operations in professional services, technology, AI/data, or consulting
• 5 years in a global or multi-regional role managing policies and compliance programs
• Deep knowledge of data privacy laws (GDPR, CCPA/CPRA, LGPD), AI governance (EU AI Act, NIST AI RMF), and risk management standards (COSO, ISO 31000)
• Technology literacy: understand cloud architecture (AWS), data platforms (Snowflake, Databricks), and AI/ML risks (bias, data quality, model drift). Not expected to build systems, but must speak credibly with technical teams and translate tech risk into business terms
• Experience managing corporate insurance (professional liability, cyber, D&O) and working with brokers
• Comfortable engaging directly with Fortune 500 clients on security, compliance, and risk matters
• Strong written and verbal communication; able to present to executives, boards, and clients
• Proven ability to influence across regions and functions in a fast-moving, matrixed organization
• Bachelor's degree required; JD, MBA, or relevant advanced degree preferred

Preferred Qualifications

• Experience in AI/ML services, data analytics, cloud-native, or digital transformation firms
• Certifications: CRISC, CISM, CISA, CIPP/E, ARM, or equivalent
• SOC 2 audit experience and ESG/sustainability reporting (CDP, SBTi)
• Knowledge of cybersecurity frameworks (NIST CSF, ISO 27001) at a governance level
• Spanish language skills
• Familiarity with Latin American regulations (Colombia, Uruguay)
• Experience building a compliance function from scratch at a growth-stage company

Additional Information

All your information will be kept confidential according to EEO guidelines.