Director of Governance, Risk, and Compliance / TPRM
Indexed description
We believe pet insurance is more than a financial product and build solutions to simplify the pet parenting journey and help improve the well-being of pets. As a leading authority in the pet category, we operate with a full stack of resources, capital, and services to support pet parents. Our multi-brand and omni-channel approach include our own insurance carrier, insurance brands and partner brands.
Director, Governance, Risk & Compliance (GRC) and Third-
Party Risk Management (TPRM)
Location: Chicago, IL (Hybrid)
Reports To: Chief Information Security Officer (CISO)
Position Overview
The Senior Director of Governance, Risk & Compliance (GRC) and Third-Party Risk Management (TPRM) is an
enterprise leadership role accountable for the design, implementation, and continuous maturation of a unified
risk and compliance program across a $2.5 billion insurance holding company.
This position holds end-to-end accountability for the information security compliance posture of an
organization comprised of 12 Managing General Agencies (MGAs) and 2 insurance carriers, operating
within a complex and highly regulated environment.
Operating at the intersection of cybersecurity, regulatory compliance, and third-party governance, this leader
serves as the central authority for aligning disparate control environments into a cohesive, measurable, and
defensible enterprise risk framework. The role requires executive-level influence, regulatory fluency, and the
ability to drive consistency across a federated, acquisition-driven operating model.
Key Responsibilities
Enterprise Accountability & Regulatory Posture
- Own and maintain the enterprise-wide information security compliance posture across all
- Establish a defensible, evidence-driven control environment capable of withstanding regulatory
- Serve as the authoritative leader for compliance strategy across MGAs and carrier entities with differing
Enterprise GRC Strategy & Architecture
- Design and implement a unified GRC operating model across multiple insurance entities with varying
- Establish a control-centric framework leveraging NIST 800-53, ISO 27001, SOC 2, and PCI DSS.
- Transition the organization from periodic, interview-based assessments to continuous, evidence-driven
- Define and operationalize KRIs, control effectiveness metrics, and executive reporting.
- Serve as the central point of accountability for regulatory readiness, including NYDFS, state insurance
- Lead enterprise-wide audit strategy (SOC 2 Type II, ISO 27001, internal audits).
- Interface directly with regulators and external auditors to ensure consistent narratives, defensible
- Drive enterprise remediation strategies with measurable timelines and executive accountability.
- Build and scale a comprehensive TPRM program across the full vendor lifecycle.
- Establish risk tiering, due diligence, and continuous monitoring aligned with enterprise risk tolerance.
- Integrate TPRM into procurement, legal, and business operations to ensure consistent enforcement.
- Oversee risk acceptance and exception governance frameworks.
- Harmonize fragmented GRC practices across acquired entities into a centralized and scalable function.
- Drive automation strategy leveraging GRC platforms (auditboard, Drata, or equivalent) to enable
- Embed security, privacy, and identity governance into enterprise-wide control frameworks.
- Advance organizational maturity toward a “Security First” operating model.
- Provide regular reporting to executive leadership and board-level stakeholders (e.g., Audit Committee,
- Collaborate daily with the Chief Privacy Officer (CPO) and Chief Risk Officer (CRO) organizations
- Translate complex regulatory and technical requirements into business-aligned decision frameworks.
- Influence enterprise investment decisions through quantified risk exposure and control effectiveness.
- Lead a multi-layered global GRC and TPRM organization, including:
- 4 senior GRC functional leaders
- A transversal offshore operations team
- A dedicated outsourced delivery pod (India-based) supporting scaled compliance and
- Establish governance models, performance management, and operational rigor across distributed
- Drive talent strategy, succession planning, and capability development aligned to enterprise scale.
- 12–15+ years of progressive experience in cybersecurity, risk management, compliance, or audit.
- 5–7+ years in senior leadership roles within insurance or highly regulated financial services
- Proven success leading enterprise GRC and TPRM programs across complex, multi-entity organizations.
- Licensed attorney (JD) or Certified Public Accountant (CPA) strongly preferred, particularly with
- Background in external audit, internal audit, or regulatory advisory highly desirable.
- MBA or equivalent advanced business degree preferred.
- CISSP (Certified Information Systems Security Professional)
- CISM (Certified Information Security Manager)
- CRISC (Certified in Risk and Information Systems Control)
- CISA (Certified Information Systems Auditor)
- CGRC (Certified in Governance, Risk and Compliance)
- CIA (Certified Internal Auditor)
- CIPP / CIPM (privacy certifications)
- ISO 27001 Lead Implementer or Lead Auditor
- Deep knowledge of NIST 800-53, ISO 27001, SOC 2, PCI DSS, and regulatory regimes such as NYDFS.
- Strong command of third-party risk methodologies and vendor lifecycle governance.
- Experience implementing and scaling GRC tooling platforms.
- Ability to design and operationalize scalable, evidence-based control frameworks.
- Executive presence with the ability to influence across Legal, Audit, Technology, Privacy, and Risk
- Strong strategic and analytical thinking with the ability to translate risk into financial and operational
- Exceptional communication skills, including board-level engagement.
This role represents enterprise ownership of information security compliance and risk governance across a
complex insurance ecosystem. It is critical to enabling regulatory confidence, integrating acquired entities, and
ensuring that risk is managed as a measurable, accountable, and strategic business function.
- In collaboration with Senior Leadership, designs, develops, and implements focused strategies.
- Leads the development of programs that are critical to the organization and ensures execution of the function.
- Provides advice and consultation to senior and executive management related to operational and/or strategic decisions and resolves critical issues.
- Actively participates in the budget and goal setting process for the department.
- Provides guidance, counseling, and continuing education opportunities to staff. Selects, develops, coaches, mentors, and assesses performance of staff.
- Provides guidance to consistently improve the processes of the area(s) of focus.
- Develops, implements, and maintains administrative policies and procedures.
- Provides leadership through influencing and directing the work of others to execute plans to meet strategic and operational objectives.
- Performs other duties and responsibilities as assigned.
- Comprehensive full medical, dental and vision Insurance
- Basic Life Insurance at no cost to the employee
- Company paid short-term and long-term disability
- 12 weeks of 100% paid Parental Leave
- Health Savings Account (HSA)
- Flexible Spending Accounts (FSA)
- Retirement savings plan
- Personal Paid Time Off
- Paid holidays and company-wide Wellness Day off
- Paid time off to volunteer at nonprofit organizations
- Pet friendly office environment
- Commuter Benefits
- Group Pet Insurance
- On the job training and skills development
- Employee Assistance Program (EAP)
By continuing with the interview, you consent to this use.
Text Messaging Notice
If you provide a mobile phone number, you may receive job-related communications via text message. Message and data rates may apply.
You may opt out of text communications at any time by replying “STOP.”
Create a free Caio profile to unlock more results and save your role and location preferences.
Unlock free search