Position Summary
The GRC Program Manager oversees strategic and operational programs to manage enterprise risk and ensure adherence to regulations and internal policies. This role drives regulatory compliance, executes risk assessments, manages controls, supports external audits, develops metrics, and aligns GRC initiatives with business objectives. The ideal candidate combines strong program leadership with hands-on technical skills, particularly SharePoint administration and Power Automate workflow design, to support a rapidly growing health-tech environment.
Key Responsibilities
Program Oversight & Strategic Planning
- Create, implement, and continuously improve Detego Health’s GRC framework aligned with enterprise goals and standards such as SOC 2, HIPAA, URAC, NIST 800-53, HITRUST, etc.
- Lead strategic planning to enhance program maturity and ensure GRC initiatives support broader organizational objectives.
Risk & Compliance Management
- Oversee enterprise risk assessments and maintain the company risk register and treatment plans.
- Implement and monitor controls to mitigate operational, physical security, vendor, cybersecurity, and regulatory risks.
- Ensure ongoing compliance with industry regulations and internal policies.
Stakeholder Coordination
- Partner with IT/MSP, Legal, HR, Finance, and business units handling PHI to coordinate risk management and compliance activities.
- Facilitate cross-functional reviews and risk committee meetings.
Documentation & Reporting
- Manage the policy lifecycle: drafting, updating, publishing, and tracking staff attestations.
- Create and maintain project documentation, dashboards, and reports for leadership and board-level audiences.
Audit & Certification Management
- Take ownership of external audits (SOC 2, HIPAA, URAC, and others as required).
- Coordinate evidence collection, control testing, and remediation of findings, ensuring all audit requirements are met on schedule.
Vendor & Third-Party Risk
- Own vendor onboarding and risk tiering processes, including SIG questionnaires, risk assessments, and contract risk clauses (BAAs, DPAs, breach & security addenda).
- Track risk acceptances and exceptions and ensure timely reviews and renewals.
SharePoint & Workflow Development
- Serve as the SharePoint subject matter expert, designing and administering SharePoint sites, document libraries, and risk registers.
- Build and maintain Microsoft Power Automate flows to support procurement intake, incident management, complaints tracking, and other automated compliance processes.
Security & Privacy Controls
- Oversee identity and access management, including periodic access reviews and privileged access controls.
- Partner with IT to integrate GRC requirements into Microsoft 365 and Azure.
Incident Response & Bridge Call Oversight
- Coordinate and oversee incident response activities, ensuring timely detection, escalation, containment, and documentation of security and privacy incidents.
- Facilitate and manage bridge calls and cross-functional communications during major incidents, partnering with Cybersecurity, IT/MSP, and Privacy.
- Lead post-incident reviews to capture lessons learned and ensure remediation actions are tracked to completion.
Business Continuity & Disaster Recovery (BCP/DR)
- Develop, maintain, and periodically test the Business Continuity Plan (BCP) and Disaster Recovery (DR) Plan, ensuring alignment with SOC 2, HIPAA, and URAC requirements.
- Coordinate tabletop exercises and real-world drills with IT, MSP, and key business units to validate recovery objectives (RTO/RPO).
- Oversee documentation of lessons learned and ensure corrective actions are tracked to completion.
Training & Awareness
- Coordinate company-wide security and privacy training and monitor completion.
- Foster a culture of proactive risk awareness and compliance.
Required Skills & Qualifications
- Bachelor’s degree in Risk Management, Information Security, Information Technology, or related field.
- 7+ years of progressive experience in GRC, IT risk, or security compliance, including demonstrated program or project leadership.
Technical Proficiency
- Strong hands-on experience with Microsoft SharePoint administration and Power Automate workflow development.
- Knowledge of IT General Controls (ITGC) and experience with SOC 2 readiness and audits.
- Familiarity with frameworks such as NIST 800-53/63, ISO 27001, COSO, COBIT, HITRUST, and URAC.
Leadership & Communication
- Self-starter with a demonstrated ability to lead cross-functional initiatives, influence without direct authority, and communicate effectively with technical teams, executives, internal customers, and auditors.
Preferred Certifications
- CISA, CRISC, CGRC, CISM, or CISSP.
Key Attributes
- Strategic thinker able to translate regulatory requirements into actionable controls and measurable outcomes.
- Detail-oriented and process-driven with a “finish strong” mindset.
- Collaborative and approachable, fostering trust across departments.
Job Type: Full-time
Pay: $105,000.00 - $115,000.00 per year
Benefits:
- 401(k)
- 401(k) matching
- Dental insurance
- Health insurance
- Life insurance
- Paid time off
- Retirement plan
- Vision insurance
Work Location: Hybrid remote in Omaha, NE 68164