GRC Analyst

JD Sports Fashion

Bury

On-site

GBP 40,000 - 80,000

Full time

30+ days ago

Job summary

Join an established industry player as a GRC Analyst, where you will support the development of governance, risk, and compliance frameworks in a dynamic and evolving environment. This role is vital in driving a robust security posture across the organization, ensuring compliance with regulatory requirements, and fostering a strong risk culture. You will collaborate with various departments and external partners, contributing to the organization's strategic goals while enhancing your professional skills. If you are passionate about cybersecurity and compliance, this is a fantastic opportunity to make a significant impact in a leading global retailer.

Benefits

Staff discount on JD Group brands
Personal development opportunities
Flexible working hours
Health insurance
Pension scheme

Qualifications

  • 5+ years of experience in IT and cyber governance frameworks and policy development.
  • Certifications such as CISSP, CISM, CRISC, or equivalent are strongly preferred.
  • In-depth understanding of cybersecurity frameworks and risk management methodologies.

Responsibilities

  • Support the development and maintenance of GRC policy and risk frameworks.
  • Conduct internal and external compliance reviews and audits.
  • Collaborate with stakeholders to ensure GRC requirements are met.

Skills

Analytical Skills
Problem-Solving Skills
Communication Skills
Collaboration Skills
Organizational Skills

Education

Bachelor's degree in Cybersecurity
Bachelor's degree in Information Technology
Bachelor's degree in Compliance

Tools

AWS
Azure
GCP
NIST
ISO 27001

Job description

JD Sports - Head Office, Warwick House, Bury, Bury, United Kingdom. Req #305

24 March 2025

Established in 1981 with a single store in the Northwest of England, the JD Group is a leading omni-channel retailer of Sports Fashion, Outdoors and Gyms with our colleagues working in stores across several retail fascias in many markets around the world.

JD Sports Fashion Plc was listed on the London Stock Exchange in 1996 and has been a FTSE100 publicly quoted company since 2019 and continues to grow in the UK and internationally.

We want to be the leading global omnichannel retailer in the sports and outdoor industry. To be a part of this successful company and help us achieve this, you will have the desire to ingrain our strategic goals of being a people-led, innovative and customer-focused organisation which provides operational excellence whilst identifying new areas of growth as part of our day-to-day objectives.

Job Description for GRC Analyst

Business Area: Information Security

Job Title: GRC Analyst

Scope and Coverage: Global

Outline Purpose of Role:

  • Support the development and maintenance of the GRC policy, risk and controls frameworks and the associated processes and artefacts.
  • Conduct internal and external compliance and controls reviews, testing and audits.
  • Support effective stakeholder engagement and maintenance of GRC information repository such as policies and standards, risk register, etc.
  • Help drive a robust security posture for a large, complex organisation, trading globally within a constantly evolving IT and information security threat environment.

Impact of Role:

  • Supports the organisation’s IT and cyber governance, risk and compliance processes.
  • Help drive good risk culture and behaviours into the business culture of JD Sports.

Reports to: This role resides in the Information Security Function and reports to a GRC Lead.

Direct Reports: Individual contributor with possible periodic oversight of seconded resources, contingent workers and systems integrators.

Key Elements of the Role:

The job holder will be responsible for assisting and supporting in a range of activities across the Governance, Risk and Compliance function. The job holder will be responsible for the following activities:

Governance and Policy:

  • Develop a clear understanding of the organisation, its various entities (business units, subsidiaries, partners, and interdependent entities) to assess existing and applicable policy requirements.
  • Contribute to and manage the development, maintenance and review of IT and cyber policies, standards and guidelines.
  • Identify, analyse and report on key policy metrics such as policy exceptions and breaches, and identify relevant risks arising from policy exceptions.
  • Maintain and develop the IT and cyber GRC internal governance processes, such as monitoring of compliance changes, technological advancement, engagement activities, information repositories, stakeholder engagement, etc.
  • Maintain and manage the IT and cyber risk register, including conducting risk assessments and agreeing risk-mitigating actions with stakeholders.
  • Analyse and categorise IT and cyber risks, aligning risk assessment activities with business priorities and objectives.
  • Track and prepare regular risk reporting to senior leadership highlighting KRIs, status and mitigations.
  • Assess and monitor third party risks in accordance with the IT and cyber risk framework.
  • Analyse incidents and events to identify omissions and opportunities for improvement in accordance with the organisation's risk exposure and appetite.

Compliance:

  • Assist in the maintenance and improvement of the IT and cyber controls framework as compliance and technology requirements change.
  • Perform IT and cyber controls testing in line with the GRC assurance plan.
  • Conduct reviews and assessments of third parties in line with JD compliance requirements.
  • Support internal and external audits related to IT and cyber risk and ensure timely remediation of identified risks or control gaps.

Cross-functional Collaboration:

  • Communicate with internal stakeholders (technical and non-technical) and suppliers to discuss GRC requirements and queries.
  • Collaborate with third-party vendors and partners to enforce consistent GRC requirements within the supply chain and vendor ecosystem.
  • Work closely with HR, procurement, legal, and other departments to ensure that GRC requirements are integrated into key business processes.
  • Provide guidance and training to teams across the organisation on IT and cyber GRC and best practices.
  • Establish strong working relationships with internal and external stakeholders to champion GRC processes and activities.

Key Attributes of The Jobholder:

Experience and Qualifications:

  • Bachelor’s degree in Cybersecurity, Information Technology, Compliance or a related field.
  • 5+ years of experience in IT and cyber governance frameworks, policy development, cyber assurance, compliance or a related discipline.
  • Certifications such as CISSP, CISM, CRISC, or equivalent are strongly preferred.
  • In-depth understanding of cybersecurity frameworks (e.g., NIST, ISO 27001) and risk management methodologies.
  • Experience of third-party risk management.
  • Knowledge of regulatory requirements and compliance frameworks (e.g., GDPR, ITGC, PCI-DSS, etc.) related to IT, cybersecurity and risk management.
  • Awareness of various operating systems including but not limited to Windows, Linux, Unix.
  • Experience with cloud environments (AWS, Azure, GCP) and understanding of cloud security risks.
  • Awareness of Agile environments and practices.

Key Skills:

  • Ability to extract clarity from fast-paced, evolving scenarios by helping to clarify the inevitable ambiguity arising within a large, complex, and interdependent organisation.
  • Strong analytical and problem-solving skills, with the ability to make informed risk-based decisions.
  • Excellent communication skills, both written and verbal, to effectively present risks to senior leadership and non-technical audiences.
  • A proven ability to work collaboratively and constructively with other managers to ensure clarity of purpose, effective communication, and mutual understanding of IT and cyber frameworks and how to apply them.
  • Strong organisational skills with experience of working collaboratively within multi-disciplined teams.
  • Competent, engaging communication skills and an ability to articulate goals, achievements, risks, expectations, and needs to individuals and teams at all organisational levels.
  • An ability to collaborate effectively in a diversely located team to focus on common goals and timelines.

Values and Behaviours:

The job holder will be a strategic thinker who is respectful and collaborative and able to work easily within a diverse and dispersed team of professionals and will exhibit:

  • Goal-oriented focus,
  • Integrity,
  • Empathy,
  • Accountability,
  • Flexibility,
  • Creativity.

We know our colleagues work tirelessly to make JD Sports the success it is today and in turn, we offer them some amazing benefits including staff discount on JD Group and other brands within the organisation and personal development opportunities to learn and develop at work.
