Senior Manager Governance, Risk & Compliance (GRC)

CN
Toronto, ON
$100K-$150K a year (estimated)
Full-time

At CN, we work together to move our company and North America forward. Be part of our Information & Technology (I&T) team, a critical piece of the engine that keeps us in motion.

From enterprise architecture to operational technology, our teams use the agile methodology to automate and digitize our railroad ensuring our operations run optimally and safely and our employees can focus on value-added tasks.

You will be able to develop your skills and career in our close-knit, safety-focused culture working together as ONE TEAM.

The careers we offer are meaningful because the work we do matters. Join us!

Job Summary

The purpose of this role is to establish and maintain an industry leading Governance, Risk & Compliance (GRC) practice, develop & mentor a team, and develop policies, standards, risk registries and metrics to comply with business and regulatory requirements and build resilience in people, systems and data to enable CN to reach strategic goals and objectives in the face of evolving cyber threats.

Main Responsibilities

Leading Others

  • Partner with HR to maintain and bring new talent to the organization by determining which skills and roles will be required in the future, supporting, and demonstrating diversity and inclusion, and by making thoughtful hiring decisions
  • Provide a positive and welcoming onboarding experience to all new employees by ensuring they have access to the tools and resources needed to fulfill the requirements of their job
  • Recognize employee milestones (service awards, retirements, etc.) as well as significant contributions and enhanced responsibilities
  • Focus on communications and foster collaboration by regularly providing updates to teams about ongoing initiatives and encouraging teams to work together to accomplish common goals and learning
  • Manage employee performance to enable potential and ensure employees not meeting expectations are identified and supported through the performance improvement process
  • Create and enable a positive and engaging work environment by ensuring individual strengths are uncovered and leveraged through frequent and focused conversations - collaborate, coach, and build connections with employees
  • Participate in succession planning by contributing to the yearly talent review cycle and identifying employees with the potential to move up the management and expertise paths
  • Support employee development by having regular career conversations with all employees (documented and tracked) and supporting them in reaching their career goals
  • Ensure knowledge is preserved through cross-training for key skill sets in the team (knowledge transfer)

Governance, Risk & Compliance (GRC) Practice Development

Direct and put in place the proper GRC organizational structure and practices to track and manage information and cyber risk for both IT and OT (Operational Technologies) environments and ensure compliance while enabling the business for digital transformation.

Incorporating behavioral change as a key risk management strategy with security awareness training and testing.

  • Ensure the GRC processes are sustainable and properly documented
  • Maintain and build relevant, current, valid and reliable team knowledge related to governance, risk and compliance programs and practices.
  • Advance team accomplishments and competence by planning delivery of solutions; answering technical and procedural questions for less experienced team members;

teaching improved processes; mentoring team members

Ensure the full documentation and timely updates of policies, standards, guidelines, risks, exceptions, management action plans, and GRC processes through clear diagrams and well-written documents

GRC Continuous Improvement

  • Collaborate with the CISO, cybersecurity team, portfolio managers, architects, business and I&T leadership to understand the business direction and consequent impact on the security posture and risk appetite
  • Monitor threat intelligence sources, Security Operations Center (SOC) reports, vulnerability management reports, internal audit reports, regulatory changes, industry reporting and business impact analysis to accurately identify and articulate the risk priorities and implement appropriate controls to maintain an appropriate security posture
  • Engage the cybersecurity vendor ecosystem to understand capabilities and limitations to drive improvements in the security posture of current products, and assist in the selection of the right partners
  • Continuously monitor and evaluate the environment, including third party risk and subsidiaries, through self-assessments and independent security reviews as well as metrics against the framework.

Identify deficiencies and inefficiencies and initiate improvement actions though engaging leadership and architecture.

Working Conditions

Occasional business travel (Canada and US) in accordance with CN policy

Requirements

Experience

  • Minimum 15 years overall work experience in audit, IT sales, or IT delivery
  • Minimum 10 years experience in IT audit or IT governance, risk and compliance
  • Minimum 5 years experience in managing IT governance, risk and compliance
  • Railroad, transportation, or Global industrial experience is a significant plus (asset)

Education / Certification / Designation

  • Bachelor's degree in Computer Science, Business Administration, System Analysis or other relevant field (or) an additional 5 years of relevant experience.
  • At least one recognized cybersecurity certification appropriate for GRC : e.g. Certified Information Systems Security Professional (CISSP), Certified Information Security Auditor (CISA), Certified Information Security Manager (CISM), Certified Information Privacy Professional (CIPP), Certified in Risk and Information Systems Control (CRISC), etc.

Competencies

  • Demonstrated capability to understand the security implications of complex business operations and how they are linked to technological or process solutions that provide practical risk mitigation and business enablement
  • Significant experience in applying a structured approach to problem resolution in large, geographically dispersed organizations with 24 / 7 operations
  • Proven collaborative leadership and teamwork aligning to strategic business objectives
  • Excellent written and verbal English communication skills with French highly desirable, able to interact with a broad cross-section of personnel to explain risks and enforce security measures
  • Detail-oriented self-starter with a high level of commitment and personal motivation
  • Knack for prioritizing tasks and working in a fast-paced, Agile environment

Technical Skills / Knowledge

Knowledge and practical experience applying standards, frameworks, regulations, and legislation governing information security and privacy, e.

g. NIST, ISO 27001, COBIT, SOX, PIPEDA

  • Knowledge and general understanding of IT and OT security controls and control models.
  • Knowledge of data classification, security policies and standards, strategic threat intelligence, threat modeling, vulnerability management, risk assessments, third party risk programs, risk management techniques, risk registries, regulatory compliance, security awareness training and testing, security metrics, security enforcement, and other relevant GRC areas of practice.

This position is posted as a grade LEVEL 5. For internal candidates, note that the grade level of the position may adjust based on the employee's experience.

About CN

CN is a world-class transportation leader and trade-enabler. Essential to the economy, to the customers, and to the communities it serves, CN safely transports more than 300 million tons of natural resources, manufactured products, and finished goods throughout North America every year.

As the only railroad connecting Canada's Eastern and Western coasts with the Southern tip of the U.S. through a 19,500 mile rail network, CN and its affiliates have been contributing to community prosperity and sustainable trade since 1919.

CN is committed to programs supporting social responsibility and environmental stewardship. At CN, we work as ONE TEAM, focused on safety, sustainability and our customers, providing operational and supply chain excellence to deliver results.

For internal candidates, note that the grade level of the position will depend on the employee's experience.

CN is an employment equity employer and we encourage all qualified candidates to apply. We thank all applicants for their interest, however, only candidates under consideration will be contacted.

Please monitor your email on a regular basis, as communication is primarily made through email.

4 days ago
Related jobs
Deloitte
Toronto, Ontario

The Global License Management (GLM) Governance and Compliance Manager will oversee license tracking, conduct periodic software compliance, and lead compliance mitigation efforts of Deloitte's global software agreements using ServiceNow SAMPro and other software reporting tools. Manage all aspects of...

Starlight Group Property Holdings Inc.
Toronto, Ontario

Reporting to the VP of Risk Advisory and Compliance, the manager will execute risk, internal audit and compliance activities across the organization. Anticipate/​identify and analyze the risk and consequences of unaddressed risk factors/​compliance gaps and recommend appropriate controls. The succes...

The Toronto-Dominion Bank (Canada)
Toronto, Ontario

Manage oversight process, risk-based identification and monitoring of related risks and regulatory compliance across the supported functions, while ensuring key controls and processes are effectively managed. Oversee or lead the facilitation and/or implementation of action / remediation plans to add...

Fairstone Bank
Toronto, Ontario

Minimum of 5 years of experience in compliance, regulatory compliance, or a related field, preferably within the financial services industry. Collaborate with technology teams to ensure that new and existing products and services comply with regulatory requirements, including conducting impact asses...

CIBC
Toronto, Ontario

Risk Management governance, capital adequacy, stress testing, risk appetite assessment, environmental risk and reputation risk), and Operational Risk (e. In this individual contributor role of Senior Audit Manager, you'll provide leadership, insight and proactive control advice to management and sta...

Scotiabank
Toronto, Ontario

Manage Cedar Leaf's compliance program in a way that supports risk culture and the relevant risk appetite frameworks and limits with respect to operational risk, regulatory compliance risk, AML/ATF risk and conduct risk;. As the Senior Manager, Compliance & Operations, you will be integral to the on...

Deloitte
Toronto, Ontario

Minimum 5 years (Manager) / 8 years (Senior Manager) of relevant experience; consulting experience, experience working in financial services related to regulatory and non-financial risk matters, and/or experience dealing with/working for financial services regulatory bodies in Canada is preferred. A...

Company 1 - The Manufacturers Life Insurance Company
Toronto, Ontario

This role will concentrate on information and technology risks accountable for identifying, designing, and refining key senior management metrics (Key Performance Indicators and KRIs) for reporting, which are essential to the governance, oversight, and control programs. Lead investigative analysis i...

QuadReal
Toronto, Ontario

As an integral member of the Enterprise Risk, Regulatory Compliance and Internal Audit functions, the successful applicant will be responsible for overseeing, driving, and executing high-impact regulatory compliance risk projects and supporting the Director in all compliance and enterprise risk init...

The Toronto-Dominion Bank (Canada)
Toronto, Ontario

The Senior Manager, Insider Risk, AML Investigations is responsible for support, management, and strategic design of the Insider Risk, AML Investigations Program while partnering with stakeholders, working with people managers and investigators to ensure the controls are designed and operating effec...