Senior GRC Specialist

Job Requisition Number:  14026
Date:  15 Apr 2026
Location: DOCKLANDS, VIC, AU, 3008

You’re only human.   

It’s a strange thing to say, because us humans are capable of incredible things. And at Medibank, we know our greatest potential lies in the people who work with us.   

 

We strive to make real, fundamental change, driven by a simple purpose: to create the best health and wellbeing for all of Australia.  

 

 
 

About the role:

We are looking for a Senior GRC Specialist to support implementation, maintenance and continuous improvement of operational risk and control frameworks across D&T. This role combines day-to-day risk management advisory (Line 1.5) with governance design, GRC system administration and regulatory alignment (APRA CPS 220/230/234, ISO 27001/27005, FAR, NIST Cybersecurity Framework). You will work closely with D&T teams, Group Risk & Compliance (Line 2), Internal Audit (Line 3), Legal, Privacy and other stakeholders to embed a strong risk culture and deliver timely, audit-ready governance reporting.

 

Key responsibilities:

  • Maintain and improve D&T risk and control frameworks: update taxonomies, controls libraries and governance protocols. 

  • Operate and administer the GRC system: maintain risks, controls, obligations, actions and KRI registers; ensure data integrity and accurate linkages. 

  • Conduct risk assessments for business and technology activities; evaluate control effectiveness and recommend treatments. 

  • Monitor KRIs and action tracking; flag trends and breaches and escalate appropriately. 

  • Prepare risk dashboards, heatmaps and materials for governance forums, Board/Executive reporting and the CIO/D&T leadership. 

  • Support obligation management and the annual risk profiling process. 

  • Contribute to governance forums and cross-functional risk initiatives; collaborate with Group Risk, Security, Technology and Business teams.

  • Ensure compliance with relevant regulatory and industry frameworks; support internal and external audits and attestation processes. 

  • Promote continuous improvement of GRC practices and risk governance across D&T. 

 

What we’re looking for: 

  • 5+ years’ experience in risk governance or risk management roles within technology, security or data domains. 

  • Hands-on experience with operational risk frameworks, risk assessments and control monitoring.

  • Practical experience with GRC tools (risk registers, controls, actions, issues). 

  • Familiarity with APRA CPS 220/230/234, ISO 27001/27005, FAR, NIST Cybersecurity Framework or similar. 

  • Proven ability to prepare risk reporting and materials for management and governance forums; experience maintaining KRIs.

  • Strong analytical, communication and stakeholder engagement skills; detail-oriented, with a focus on audit-ready documentation.

 

Desirable: 

  • Degree in Risk Management, Business, IT or related field. 

  • Governance/risk certifications (CRISC, CISA, CGEIT, COBIT, ISO 31000). 

  • Experience in regulated industries such as health insurance or critical infrastructure. 

 

Imagine working with us 

We understand that work means different things to everyone... We know happy, healthy people make great teams, and great teams put more heart into each customer and patient interaction. And that’s why we’re reinventing work.

Imagine a workplace that helps you and your family thrive.  Where connection, personal development and health and wellbeing are front of mind. To learn more about our benefits go to https://careers.medibank.com.au/culture/rewards-benefits/

 

For you, work should help you Live Better. It should bring you fulfillment and joy. And with Medibank, it could. 

 

Inclusion and Accessibility  

We believe in everyone's potential and strive to make Medibank inclusive for all because different perspectives make us better. We encourage applications from everyone, including Aboriginal and Torres Strait Islander peoples, neurodivergent candidates, LGBTQIA+ community including transgender and gender diverse candidates and candidates with a disability.

 

If you need adjustments or alternative formats at any stage of the recruitment or employment journey, we’re here to help. You can let us know directly in the application form, or if you’d prefer to discuss before applying, please reach out to us at careers@medibank.com.au or (03) 8622 5666. Learn more about our commitments and employee stories at https://careers.medibank.com.au/diversity-inclusion/ (please copy and paste the URL into your browser).

 

Medibank proudly recognised as Best Enterprise Organisation, 2026 AFR BOSS Best Places to Work 

