Manager and Senior Manager: Governance, Risk, & Compliance (GRC)
Job description
At WHOOP, we're on a mission to unlock human performance. WHOOP empowers members to perform at a higher level through a deeper understanding of their bodies and daily lives.
We're hiring for two separate roles at the Manager and Senior Manager levels. Final leveling will be based on each candidate's experience, leadership scope, demonstrated impact, and interview performance.
WHOOP is seeking a strategic and execution-oriented Manager and Senior Manager of Governance, Risk, and Compliance to lead the day-to-day execution and support the ongoing operation and enhancement of the GRC program in a fast-paced, high-growth environment. These roles are responsible for both the design and hands-on execution of GRC initiatives, collaborating across Legal, Security, Product, and other teams to advance compliance objectives, reduce enterprise risk, and strengthen operational resilience.
RESPONSIBILITIES
Drive the development, implementation, and continuous evolution of the governance program, driving both strategy and hands-on execution to maintain alignment with ISO 27001, SOC 2, GDPR, and other applicable regulatory frameworks
Partner in the development, implementation, and ongoing management of scalable security control frameworks, policies, standards, and security awareness programs, third-party risk assessment, SDLC assessment, and risk program management, contributing directly while guiding the team’s work to strengthen organizational compliance
Support incident response activities by ensuring regulatory requirements, breach documentation, and post-incident reviews are completed and translated into actionable improvements across the risk and compliance program
Actively manage the enterprise risk register, driving risk prioritization, maintaining visibility across key risk domains, and delivering executive-level reporting
Spearhead enterprise risk reviews by driving GRC intake and request triage, personally overseeing complex assessments while prioritizing and delegating work across the team
Coach, mentor, and develop GRC analysts while balancing hands-on execution with effective delegation and team enablement as the program scales
Lead the third-party risk management lifecycle by conducting and overseeing vendor risk assessments and due diligence in partnership with Legal, IT, and Security
Own the operational intake and triage process for all GRC requests, including third-party vendor risk assessments, security questionnaires, SDLC risk reviews, and compliance inquiries, ensuring work is prioritized, assigned, and completed within established service levels
Develop and report operational metrics and KPIs, providing weekly dashboards and status updates on assessment volumes, turnaround times, backlog, SLA performance, and program health to the leadership
Evaluate, implement, and continuously improve GRC tools, processes, and metrics through hands-on execution and operational leadership to support program scale, transparency, and accountability
QUALIFICATIONS
8+ years of experience in GRC, or information security preferably in health tech, SaaS, or regulated environments, with ~4+ years managing GRC, compliance, audit or cybersecurity professionals
Deep understanding of regulations and standards including, but not limited to ISO 27001, SOC 2, GDPR, PCI, NIST CSF, and privacy/security obligations applicable to regulated or sensitive health data, including HIPAA where relevant
Experience managing or mentoring compliance, audit, or GRC professionals
Demonstrated experience leading operational GRC programs, including workload prioritization, KPI reporting, and cross-functional coordination
Strong understanding of cybersecurity controls, cloud security concepts, third-party risk assurance, and regulatory compliance requirements
Proven ability to build scalable, process-driven programs in high-growth or rapidly evolving environments
Highly organized and detail-oriented, with strong project execution and prioritization skills across competing deadlines
Superior communication and interpersonal skills - written and verbal
Relevant certifications (CISA, CISSP, CRISC, CIPP/E, ISO Lead Auditor, HITRUST CCSFP, or similar) are strongly preferred
A minimum bachelor’s degree in any discipline. Computer science, cyber security and risk or technology degrees preferred.
One profile. Every role.
Create your candidate profile once. R1 handles the matching, the tailoring, and the applications.
Create your profile