Group Governance, Risk & Compliance Manager

Location Birmingham
Contact name: Jonathan Savage

Contact email:
Job ref: 029491
Published: 23 days ago

The role holder will work to improve information security controls in the business, adapting as new security threats emerge and the threat landscape evolves, to reduce the risk of losses to the business.
The role holder will provide specialist security knowledge and be responsible for driving security culture and awareness across Grafton Brands, with the focus expected to be in following areas:

  • Create and support Business Units to deliver comprehensive training and awareness campaigns, including videos, e-learning, news bulletins and simulated phishing campaigns.
  • Implementation and operation of information security processes such as third-party security assessment, PCI-DSS compliance and a mergers and acquisitions framework.
  • Working with subsidiaries to ensure that security tooling KPIs are up to date and reported (for example, EDR rollout).
  • Provide consultancy, advice and support to Grafton subsidiaries on their management of controls and compliance with a NIST-based information security framework.
  • Work with subsidiaries to assist them in identifying and effectively managing cyber security risk.
  • Champion cyber security across the business to embed it into the business culture.
  • Work with business units to ensure compliance with software licence agreements, including true-up of licences throughout the year (Software Asset Management).
  • Implement and manage a programme of end-to-end controls testing.

The role holder will be a resourceful, self-motivated individual who is comfortable getting things done in matrix structures. They will have the opportunity to both shape and deliver projects and solutions. They will be expected to apply information security and data protection best practices with pragmatism and common sense.
Key Responsibilities

  • Design, implementation, and maintenance of information security technical controls across all Grafton subsidiaries
  • Creation, maintenance and communication of information security technology standards, procedures, and guidelines.
  • Perform security reviews of third parties who provide IT solutions and/or process data for Grafton Group.
  • Reporting on security KPIs such as endpoint EDR coverage, unsupported OS, and vulnerabilities
  • Work closely with Group and business unit IT teams to ensure appropriate information security and data protection controls are embedded within projects.
  • Perform compliance reporting against appropriate control frameworks and international standards.
  • Review the effectiveness of controls embedded in the business units to ensure compliance with internal security policies, regulations (e.g., GDPR) and industry standards (e.g., PCI DSS).
  • Create training and awareness material and support Business units in delivering it consistently across their businesses.
  • Experience working in an information security technology practitioner or related infrastructure management role, with knowledge of risk management practices, PCI-DSS and Software Asset Management.
  • Excellent written and oral communication skills, with the ability to effectively communicate at all levels of the organisation.
  • Ability to build and maintain strong, collaborative relationships with technical and non-technical stakeholders.
  • Ability to carry out high-quality data analysis and formal report writing.
  • Experience in designing and implementing written and technical information security standards.
  • Passion for information security and supporting the business in reducing risk, with a proactive attitude toward maintaining up-to-date knowledge.
  • Broad experience and knowledge of IT systems, networking principles and associated technology-based security controls.
  • Knowledge and experience of logical access control management and administration.
  • Broad knowledge of GDPR and PCI DSS.
  • High level of personal and professional integrity.
  • Holds one of the following certifications: ITAM, CISM, CISSP or CISA.
  • Professional qualification (degree or equivalent industry qualification).
  • Knowledge of data protection and information security standards and processes, and delivery of information security projects.
  • Experience in delivering security projects relating to Microsoft technologies, including Office 365 security and Azure cloud services security.
  • Knowledge of technical frameworks and best practices.
  • Knowledge of cloud computing and the associated security and control considerations.

Key Behaviours

Thinking Things Through

  • Problem Solving: Getting to the root cause of problems and coming up with practical, commercial solutions.
  • Business & Customer Focus: Works consistently in the best interests of customers and the business.

Delivering Results
  • Taking responsibility for results: Making things happen, going the extra mile to drive performance and standards. Proactively intervenes to maintain the integrity of information security practices.

Engaging Others
  • Skilful Communication: Communicating information clearly, openly and persuasively.
  • Relationship Building: Building positive relationships with colleagues and customers through respect, listening and teamwork.

Adapting to Change
  • Flexibility: Updating skills and knowledge by assessing industry best practice, creating and maintaining relationships with colleagues, suppliers and partners, and responding positively to change.
  • Resilience: Demonstrating calmness, confidence and perseverance in demanding situations.
  • Creating a virtual Team: Builds a high performing virtual team working with colleagues across the Group, providing clarity of direction and making the most of the collective strengths of the team.
  • Managing change: Helping others to embrace change and implement it successfully.

Suitable for someone who is…

  • Happy to work under their own steam and is comfortable working across multiple projects with multiple stakeholders.
  • Resourceful and innovative, and disciplined to get the job done.
  • Comfortable working at all organisational levels to drive real change and improvement.
  • Has a good, broad understanding of IT landscapes, combined with the ability to manage the human aspects of delivering technology change.