Head of Governance, Risk and Compliance - BPL in London

Purpose of the role: To provide a primary liaison service between the business, technology, and security functions. In order to ensure the confidentiality, integrity and availability of information, and support the mitigation of security risk.

Accountabilities:

• Collaboration with stakeholders to understand their security requirements in business processes and IT projects, to enhance overall risk management.
• Execution of risk assessments to identify and prioritise potential cybersecurity threats that could impact the banks operations and data and guide the implementation of mitigation strategies and communicate findings to relevant senior stakeholders.
• Collaboration with business units to develop and implement security policies and procedures for the banks operations aligned to the risk management framework.
• Management of the implementation, testing and monitoring of security controls across the banks IT systems to ensure the effectiveness of controls and mitigation of risk.
• Execution of training content and sessions to educate employees, enhance cybersecurity awareness and provide guidance on safe online practices.
• Management of complex cybersecurity incidents by collaborating with IT teams and response experts to effectively resolve cases through analysis, expertise support and project supervision.
• Identification of emerging cybersecurity trends, threats, and new technologies to address potential risks by advocating the adoption of new security solutions.

Director Expectations:

• To manage a business function, providing significant input to function wide strategic initiatives.
• Contribute to and influence policy and procedures for the function and plan, manage and consult on multiple complex and critical strategic projects, which may be business wide.
• Manage the direction of a large team or sub-function, leading other people managers and embedding a performance culture aligned to the values of the business.
• Provide expert advice to senior functional management and committees to influence decisions made outside of own function, offering significant input to function wide strategic initiatives.
• Manage, coordinate and enable resourcing, budgeting and policy creation for a significant sub-function.
• Foster and guide compliance, ensure regulations are observed that relevant processes in place to facilitate adherence.
• Demonstrate extensive knowledge of how the function integrates with the business division / Group to achieve the overall business objectives.

Head of GRC – Key Responsibilities:

• Own the security policy framework, ensuring policies are current, proportionate, and aligned to PCI DSS, FCA expectations, UK GDPR, and DORA requirements.
• Maintain and operate the security risk register, ensuring risks are assessed consistently using a defined methodology, owned explicitly, and reported accurately to the CISO and Executive Leadership Team (ETL).
• Manage the relationship with external auditors, the Qualified Security Assessor (QSA), and 2nd/3rd Line of Defence (LoD) on all security and technology risk matters.
• Own the third‐party security assurance process, ensuring all vendors, partners, and card scheme integrations are risk‐assessed with a tiered approach proportionate to data access and criticality.
• Chair the monthly Cyber and Tech Risk and Controls Forum, presenting risk posture, compliance status, and material findings to the CISO, CIO and ELT.
• Design and maintain the control framework, mapping controls to PCI DSS, FCA, UK GDPR, and DORA requirements, and ensuring control effectiveness is tested on a continuous cycle.
• Produce KRI dashboards and risk reporting for CISO, CIO, and ELT consumption, ensuring risk is communicated in business terms.
• Lead regulatory and audit engagement on security matters, coordinating regulatory review and audit interactions and proactively managing stakeholder relationships.
• Own the risk assessment calendar, ensuring both cyclical and event‐driven assessments are executed on schedule with appropriate rigour.
• Manage the risk acceptance process, ensuring risk acceptance decisions are documented, time‐bound, approved at the appropriate authority level, and reviewed before expiry.
• Manage and develop the GRC team, building capability across risk assessment, compliance, and third‐party assurance disciplines.

Key Deliverables:

• Security risk register, reviewed and updated monthly with full audit trail in the GRC platform.
• PCI DSS compliance roadmap and continuously maintained evidence repository.
• Monthly Cyber and Tech risk and compliance report for CISO and ELT.
• Quarterly KRI dashboard and risk trend analysis for Risk Committee reporting.
• Annual third‐party security assurance plan with tiered assessment calendar and completion tracking.
• Control framework mapping document (controls mapped to PCI DSS4.0 / FCA / UK GDPR / DORA requirements).
• Risk assessment calendar (cyclical and event‐driven) with capacity planning.
• Risk acceptance authority matrix and active acceptance register.

Required Skills and Experience:

• CISM, CRISC, or CISSP certification.
• Experience with DORA (Digital Operational Resilience Act) compliance requirements and implementation.
• ISO27001 Lead Auditor or Lead Implementer certification.
• PCI QSA or Internal Security Assessor (ISA) qualification.
• Previous experience in FinTech, Digital Banking, Payment Acquiring organisation.
• Experience with Visa GACS and Mastercard SDP acquirer compliance programmes.
• Significant experience of progressive experience in information security governance, risk, and compliance, with at least 5 years leading a GRC team in a regulated environment.
• Strong understanding of UK GDPR and the role of security controls in meeting data protection obligations, including breach notification requirements and data protection impact assessments.
• Experience designing and operating security control frameworks mapped to multiple regulatory requirements simultaneously.
• Understanding of cloud‐native architectures and their implications for compliance and risk management.
• Proven ability to translate technical security risks into business language for executive audiences.
• Experience managing internal and external audit relationships, regulatory examinations, and QSA assessments.
• Understanding of risk quantification methodologies and experience producing risk reporting that supports investment decisions.
• Proven people management experience, developing analysts and building team capability in a growing organisation.
• Experience with GRC tooling and platforms (e.g., Drata, Vanta, ServiceNow GRC, OneTrust, or equivalent).