GRC Analyst - Third Party Risk Management in Birmingham

We have an exciting opportunity for a GRC Analyst – Third Party Risk Management to join our award‑winning Business Change and Technology (BC&T) team on a 12‑month Fixed Term Contract. You will be based in Birmingham City Centre, working in a hybrid role. Reporting to the IT Licensing & Compliance Manager, these roles support Mitchells & Butlers’ governance, risk, and compliance (GRC) activities, with a strong focus on information security, privacy, and regulatory assurance across the organisation.

You will be well rewarded with:

• 35 hours per week, Monday to Friday, with flexibility around personal commitments.
• 33% discount across all M&B brands and hotels.
• A pension that pays, with contributions matched at 1.5x, up to 5%.
• Private healthcare, dental plan, cycle‑to‑work, and keep‑fit schemes.
• 26 days annual leave plus bank holidays.

The Opportunity – GRC Analyst

This specialism focuses on supplier assurance and third‑party risk management, ensuring that vendors handling M&B data or connecting to M&B systems operate in line with security, privacy, and compliance expectations.

Key Responsibilities Include:

• Conducting and coordinating security and privacy risk assessments for new and existing third‑party suppliers.
• Evaluating supplier controls relating to data protection, information security, data hosting, subcontractor usage, and system access.
• Catalouging and maintaining records of M&B data shared with third parties, including purpose of use, information security classification, data sensitivity, and processing location.
• Ensuring third‑party data handling arrangements clearly define data retention, archiving, and deletion requirements in line with M&B policies and regulatory obligations.
• Performing data cataloguing activities directly, or coordinating with BC&T teams to ensure data ownership and accountability are clearly assigned.
• Maintaining third‑party risk documentation and tracking remediation actions with suppliers and internal teams.
• Working closely with Vendor Management, Procurement, Legal, Information Security, and IT to ensure supplier risks are identified early and addressed prior to onboarding or renewal.
• Escalating high‑risk supplier findings to the IT Licensing & Compliance Manager and relevant stakeholders.

What You’ll Need To Bring:

• Strong understanding of GDPR, the UK Data Protection Act, and privacy and security control requirements.
• Experience working in GRC, information security, data protection, supplier assurance, or a related compliance role.
• Ability to interpret and assess technical and organisational controls.
• Strong analytical skills with excellent attention to detail.
• Confident written and verbal communication skills, able to engage across legal, technical, and operational teams.
• Experience contributing to incident or breach investigations.
• Ability to manage multiple competing priorities and constructively challenge established processes.

Qualifications:

• Minimum 3 years’ experience in a relevant role.
• CIPP/E, CIPM, CompTIA Security+, or BCS Practitioner Certificate in Data Protection desirable.

At M&B, a career isn’t just about clocking in. We care about our people and value every contribution from a diverse workforce that reflects our guests and communities. By fostering a culture of inclusion, respect, and collaboration, we create an environment where colleagues can thrive and deliver great guest experiences.

Join us and be a part of a great team.