Head of Governance, Risk, and Compliance (GRC)

Sorry, this job was removed at 12:13 a.m. (CST) on Wednesday, May 13, 2026
Hiring Remotely in United States
Remote
Healthtech
The Role

At SCP Health, what you do matters

As part of the SCP Health team, you have an opportunity to make a difference. At our core, we work to bring hospitals and healers together in the pursuit of clinical effectiveness. With a portfolio of over 8 million patients, 7500 providers, 30 states, and 400 healthcare facilities, SCP Health is a leader in clinical practice management spanning the entire continuum of care, including emergency medicine, hospital medicine, wellness, telemedicine, intensive care, and ambulatory care.

Why you will love working here:

- Strong track record of providing excellent work/life balance.

- Comprehensive benefits package and competitive compensation.

- Commitment to fostering an inclusive culture of belonging and empowerment through our core values - collaboration, courage, agility, and respect.

The Head of Governance, Risk, and Compliance (GRC) is responsible for designing, implementing, and operating a unified control environment that integrates governance, risk management, regulatory compliance, and business resilience across the organization.

This role ensures that security and compliance obligations are met through a single, scalable control framework, reducing duplication and audit fatigue while strengthening overall risk posture. The program is aligned to ISO 27001/27002 principles and mapped to HITRUST and SOC 2 Type II, with consideration for future SOX readiness.

The Head of GRC partners closely with Security, IT, Legal, Privacy, Finance, and business and clinical leaders to ensure controls are embedded into operations and that risk decisions are transparent, measurable, and aligned with organizational priorities.

Core focus areas include unified control framework design, audit and certification leadership, enterprise risk management, third-party risk, and business continuity & disaster recovery (BCDR).

Governance & Control Framework

  • Design and maintain a unified control framework aligned to ISO 27001/27002 principles and mapped to NIST CSF, HITRUST, SOC 2, and future SOX requirements.
  • Define and manage enterprise-wide policies, standards, and procedures, ensuring consistency and scalability across the organization.
  • Establish control ownership and accountability across business and technology teams.
  • Rationalize and streamline controls to eliminate redundancy and improve operational efficiency.
  • Ensure consistent control documentation, testing, and evidence management practices.

Audit & Certification Management

  • Lead and sustain SOC 2 Type II audit readiness and execution, ensuring continuous compliance without reliance on point-in-time efforts.
  • Drive HITRUST certification progression (e1 to r2), including control alignment, readiness assessments, and coordination with external assessors.
  • Partner with internal and external auditors to support audits, assessments, and remediation efforts.
  • Establish and operationalize a scalable evidence lifecycle model to support ongoing audit requirements.
  • Prepare the organization for future SOX-related control expectations, in partnership with Finance and Internal Audit.

Risk Management

  • Develop and operate an enterprise security risk management program aligned with business objectives.
  • Maintain a centralized risk register, including identification, assessment, prioritization, and tracking of risks.
  • Implement risk quantification and prioritization methodologies to support decision-making.
  • Establish and manage a formal risk acceptance and exception process, including executive-level reporting.
  • Integrate control effectiveness and audit findings into overall risk posture reporting.

Business Continuity & Disaster Recovery (BCDR)

  • Design, implement, and mature the organization’s BCDR program to ensure operational resilience.
  • Conduct Business Impact Analyses (BIA) to define critical processes and dependencies.
  • Establish and maintain recovery objectives (RTO/RPO) aligned with business requirements.
  • Coordinate and oversee disaster recovery planning, testing, and continuous improvement.
  • Ensure BCDR capabilities meet regulatory expectations and customer commitments.

Third-Party Risk Management (TPRM)

  • Design and operate a scalable vendor risk management program integrated with procurement and legal processes.
  • Implement vendor tiering, risk assessments, and ongoing monitoring practices.
  • Leverage external certifications (e.g., SOC 2, HITRUST) to reduce assessment redundancy.
  • Ensure third-party risks are incorporated into the enterprise risk framework.

Policy, Exception & Compliance Governance

  • Establish and maintain a structured policy lifecycle aligned with ISO principles.
  • Develop and enforce a risk-based exception management process with clear governance and accountability.
  • Ensure compliance activities are integrated into operational workflows rather than treated as standalone efforts.
  • Promote a unified compliance approach, where multiple regulatory requirements are satisfied through a single control set.

Metrics, Reporting & Leadership Engagement

  • Develop and deliver risk-based reporting to executive leadership, including control effectiveness, audit status, and top enterprise risks.
  • Define and track key performance and risk indicators (KPIs/KRIs) across GRC and BCDR domains.
  • Translate technical risks into business-relevant insights for non-technical stakeholders.
  • Support board-level and audit committee reporting as needed.

Collaboration & Leadership

  • Partner with IT, Security Engineering, DevOps, Legal, Privacy, Finance, and Internal Audit to embed controls into business processes.
  • Act as a strategic advisor to the CISO on governance, risk, compliance, and resilience matters.
  • Drive a culture of accountability, risk awareness, and operational resilience across the organization.
  • Provide mentorship and leadership to GRC and related team members.

Knowledge, Skills, and Abilities:

  • Security & Compliance Frameworks: NIST CSF v2.0, ISO 27001/27002, HITRUST, SOC 2 Type II, HIPAA, SOX
  • Risk Management: Enterprise risk frameworks, risk assessment methodologies, risk quantification, control effectiveness
  • Audit & Compliance: Experience leading audits, certification processes, and continuous compliance programs
  • BCDR & Resilience: Business continuity planning, disaster recovery, BIA, RTO/RPO, resilience testing
  • Third-Party Risk: Vendor risk assessment, due diligence, and monitoring practices
  • GRC Tooling: Experience with platforms such as ServiceNow, Riskonnect, OneTrust, or similar
  • Policy & Control Design: Ability to design scalable, practical, and enforceable controls
  • Strategic Thinking: Ability to align governance and compliance efforts with business objectives
  • Communication: Strong written and verbal communication skills for executive and technical audiences
  • Collaboration: Proven ability to influence cross-functional stakeholders
  • Problem-Solving: Ability to simplify complex regulatory and risk challenges into actionable solutions
  • Leadership: Ability to build, lead, and mature high-performing teams

EDUCATION

  • Bachelor’s degree in Information Security, Computer Science, Information Technology, Business Administration, or a related field
  • Master’s degree, preferred

FIELD OF STUDY:

  • Information Security
  • Cybersecurity
  • Information Technology
  • Computer Science
  • Business Administration

WORK EXPERIENCE/QUALIFICATIONS:

Required:

  • 15+ years of experience in governance, risk, compliance, or security leadership roles
  • Demonstrated experience leading SOC 2 Type II audits and HITRUST certification efforts
  • Experience designing or maturing unified control frameworks across multiple standards
  • Strong working knowledge of ISO 27001/27002 principles (non-certification implementation)
  • Hands-on experience building or managing business continuity and disaster recovery programs
  • Experience with enterprise risk management and risk register operations
  • Strong understanding of regulatory environments, particularly healthcare (HIPAA/PHI)
  • Proven ability to drive cross-functional alignment and program execution

Preferred:

  • Experience in healthcare services or other highly regulated industries
  • Experience with SOX controls and public company readiness
  • Experience scaling GRC programs in high-growth or transformation environments
  • Experience implementing or optimizing GRC platforms

CERTIFICATES AND LICENSES:

  • CISSP
  • CISM
  • CRISC
  • HITRUST CCSFP
  • ISO 27001 Lead Implementer or Auditor

PRIMARY LOCATION:

  • Hybrid

SECONDARY LOCATION(S):

  • Atlanta
  • Lafayette
  • Traverse City
  • Remote

Pay Range:

137,645.00 - 203,751.00 USD annually

This range represents the anticipated base salary for this role. Actual compensation will be determined based on experience, qualifications, and internal equity considerations.


We offer a comprehensive benefits package designed to support your health, financial well-being, and work-life balance, including medical, dental, and vision insurance, a 401(k) plan with a company match, paid time off and holidays, professional development support, and employee wellness resources.

Visit our website for further information. https://myscpbenefits.com/

Login name: corp-guest

Password: weheal


The Company
Atlanta, GA
5,001 Employees
Year Founded: 1994

What We Do

SCP Health (SCP) is a clinical company. At our core we work to bring hospitals and healers together in the pursuit of clinical effectiveness. With a portfolio of over 8 million patients, 7500 providers, 30 states, and 400 healthcare facilities, SCP Health is a leader in clinical practice management spanning the entire continuum of care, including emergency medicine, hospital medicine, wellness, telemedicine, intensive care, and ambulatory care. Whether you’re a resident, nurse practitioner, physician assistant, physician, or medical director looking for a clinical career or a professional interested in opportunities at one of our corporate locations, we can find you a position that fits you professionally and personally.
