Job Description for GRC Analyst
Business Area: Information Security
Job Title: GRC Analyst
Scope and Coverage: Global
Outline Purpose of Role:
- Support in the development and maintenance of the GRC policy, risk and controls frameworks and the associated processes and artefacts.
- Conduct internal and external compliance and controls reviews, testing and audits.
- Support effective stakeholder engagement and maintenance of GRC information repository such as policies and standards, risk register, etc.
- Help drive a robust security posture for a large, complex organisation, trading globally within a constantly evolving IT and information security threat environment.
Impact of Role:
- Supports the organisation’s IT and cyber governance, risk and compliance processes.
- Help drive good risk culture and behaviours into the business culture of JD Sports.
Reports to: This role resides in the Information Security Function and reports to a GRC Lead.
Direct Reports: Individual contributor with possible periodic oversight of seconded resources, contingent workers and systems integrators.
Key Elements of the Role:
The job holder will be responsible for assisting and supporting in a range of activities across the Governance, Risk and Compliance function. The job holder will be responsible for the following activities:
Governance and Policy:
- Develop a clear understanding of the organisation, its various entities (business units, subsidiaries, partners, and interdependent entities) to assess existing and applicable policy requirements.
- Contribute to and manage the development, maintenance and review of IT and cyber policies, standards and guidelines.
- Identify, analyse and report on key policy metrics such as policy exceptions and breaches, and identify the relevant risks arising from policy exceptions.
- Maintain and develop the IT and cyber GRC internal governance processes, such as monitoring of compliance changes, technological advancement, engagement activities, information repositories, stakeholder engagement, etc.
Risk Management:
- Maintain and manage the IT and cyber risk register, including conducting risk assessments and agreeing risk mitigating actions with stakeholders.
- Analyse and categorise IT and cyber risks, aligning risk assessment activities with business priorities and objectives.
- Track and prepare regular risk reporting to senior leadership highlighting KRIs, status and mitigations.
- Assess and monitor third party risks in accordance with the IT and cyber risk framework.
- Analyse incidents and events to identify omissions and opportunities for improvement in accordance with the organisation's risk exposure and appetite.
Compliance:
- Assist in maintaining and improving the IT and cyber controls framework as compliance and technology requirements change.
- Perform IT and cyber controls testing in line with the GRC assurance plan.
- Conduct reviews and assessments of third parties in line with JD compliance requirements.
- Support internal and external audits related to IT and cyber risk and ensure timely remediation of identified risks or control gaps.
Cross-functional Collaboration:
- Communicate with internal stakeholders (technical and non-technical) and suppliers to discuss GRC requirements and queries.
- Collaborate with third-party vendors and partners to enforce consistent GRC requirements within the supply chain and vendor ecosystem.
- Work closely with HR, procurement, legal, and other departments to ensure that GRC requirements are integrated into key business processes.
- Provide guidance and training to teams across the organisation on IT and cyber GRC and best practices.
- Establish strong working relationships with internal and external stakeholders to champion GRC processes and activities.
Key Attributes of The Jobholder:
Experience and Qualifications:
- Bachelor’s degree in Cybersecurity, Information Technology, Compliance or a related field.
- 5+ years of experience in IT and cyber governance frameworks, policy development, cyber assurance, compliance or a related discipline.
- Certifications such as CISSP, CISM, CRISC, or equivalent are strongly preferred.
- In-depth understanding of cybersecurity frameworks (e.g., NIST, ISO 27001) and risk management methodologies.
- Experience of third-party risk management.
- Knowledge of regulatory requirements and compliance frameworks (e.g., GDPR, ITGC, PCI-DSS) related to IT, cybersecurity and risk management.
- Awareness of various operating systems including but not limited to Windows, Linux, Unix.
- Experience with cloud environments (AWS, Azure, GCP) and understanding of cloud security risks.
- Awareness of Agile environments and practices.
Key Skills:
- Ability to bring clarity to fast-paced, evolving scenarios and to resolve the inevitable ambiguity that arises within a large, complex and interdependent organisation.
- Strong analytical and problem-solving skills, with the ability to make informed risk-based decisions.
- Excellent communication skills, both written and verbal, to effectively present risks to senior leadership and non-technical audiences.
- A proven ability to work collaboratively and constructively with other managers to ensure clarity of purpose, effective communication, and a mutual understanding of IT and cyber frameworks and how to apply them.
- Strong organisational skills with experience of working collaboratively within multi-disciplined teams.
- Competent, engaging communication skills and an ability to articulate goals, achievements, risks, expectations, and needs to individuals and teams at all organisational levels.
- An ability to collaborate effectively in a diversely located team to focus on common goals and timelines.
Values and Behaviours:
The job holder will be a strategic thinker who is respectful and collaborative and able to work easily within a diverse and dispersed team of professionals and will exhibit:
- Goal-oriented focus,
- Strong schedule keeping,
- Openness,
- Integrity,
- Empathy,
- Accountability,
- Enthusiasm,
- Flexibility,
- Creativity.