Head of Governance, Risk & Compliance (Director)
- Management Level: Senior Director
- Job ID: 0000032048
- Category: Digital & IT
- Location: Billund, Denmark
Job Description
The Head of GRC is responsible for leading and maturing the organization’s Governance, Risk, and Compliance functions, ensuring a unified, lifecycle-driven approach across risk management, compliance, audits, policy/standards development, and security training & awareness. This role partners closely with the CISO and senior stakeholders to identify, assess, prioritize, and manage risks across the enterprise while fostering strong communication, collaboration, and accountability.
Key Responsibilities
GRC Strategy & Leadership
· Define and execute a comprehensive GRC strategy aligned with business objectives and cybersecurity priorities.
· Lead and develop a high-performing GRC team, fostering a culture of ownership, transparency, and continuous improvement.
· Establish and maintain a unified GRC operating model that integrates governance, risk management, compliance, audit, and security awareness activities into a cohesive lifecycle.
Risk Management
· Design and oversee the enterprise risk management framework, including risk identification, assessment, triage, mitigation, and tracking throughout the risk lifecycle.
· Partner with business and technology stakeholders to identify emerging risks and ensure appropriate risk treatment plans are defined and executed.
· Maintain a centralized risk register and provide clear reporting and insights to leadership.
Compliance & Audits
· Oversee compliance programs to ensure adherence to applicable regulations, standards, and internal policies.
· Lead internal and external audit engagements, ensuring readiness, coordination, and timely remediation of findings.
· Drive continuous improvement of compliance processes and controls.
Policy & Standards Development
· Establish and maintain a robust framework for policy, standards, and procedures development and governance.
· Ensure policies and standards are aligned with regulatory requirements, industry best practices, and organizational risk appetite.
· Promote adoption and awareness across the organization.
Security Training & Awareness
· Develop and lead a comprehensive security awareness and training program for all employees and relevant stakeholders.
· Ensure training content aligns with current threat landscape, regulatory expectations, and organizational policies.
· Measure effectiveness through metrics such as participation rates, phishing simulations, and behavioral improvements.
· Foster a security-first culture by embedding awareness into daily operations and decision-making.
· Partner with HR, IT, and business units to ensure onboarding and ongoing training requirements are met.
Lifecycle Integration & Program Management
· Ensure all GRC components (risk, compliance, audit, policy, and awareness) are integrated and operate within a consistent lifecycle model.
· Lead major cross-functional programs to enhance GRC capabilities, tools, and processes.
· Implement and optimize GRC tooling to enable efficient tracking, reporting, and collaboration.
Stakeholder Engagement & Communication
· Act as a key liaison between security, IT, business units, and executive leadership.
· Translate complex risk and compliance topics into clear, actionable insights for diverse audiences.
· Drive strong collaboration across teams to ensure alignment and shared ownership of risk and security responsibilities.
Reporting & Metrics
· Develop and deliver meaningful metrics, dashboards, and reports on risk posture, compliance status, audit outcomes, and awareness program effectiveness.
· Provide regular updates to the CISO and executive leadership, enabling informed decision-making.
Qualifications & Experience
· Proven experience leading GRC, risk management, compliance, or security awareness functions in a complex organization.
· Strong understanding of cybersecurity frameworks, regulatory requirements, and audit practices.
· Demonstrated ability to build and scale GRC and security awareness programs and integrate them into business operations.
· Experience leading large, cross-functional initiatives and influencing senior stakeholders.
· Excellent communication, organizational, and leadership skills.
Key Competencies
· Strategic thinking with strong execution focus
· Collaborative and stakeholder-oriented mindset
· Highly organized with the ability to manage multiple priorities
· Strong analytical and problem-solving capabilities
· Effective communicator with the ability to simplify complexity
Success in This Role Looks Like
· A fully integrated GRC lifecycle with clear ownership and accountability
· Improved visibility into enterprise risk and proactive risk management
· Strong alignment between security, compliance, and business objectives
· A measurable, effective security awareness culture across the organization
· Successful delivery of major GRC initiatives with measurable impact
Applications are reviewed on an ongoing basis. However, please note we do amend or withdraw our jobs and reserve the right to do so at any time, including prior to any advertised closing date. So, if you're interested in this role we encourage you to apply as soon as possible.
What’s in it for you?
Here is what you can expect:
Family Care Leave - We offer enhanced paid leave options for those important times.
Insurances – All colleagues are covered by our life and disability insurance which provides protection and peace of mind.
Wellbeing - We want our people to feel well and thrive. We offer resources and benefits to nurture physical and mental wellbeing along with opportunities to build community and inspire creativity.
Colleague Discount – We know you'll love to build, so from day 1 you will qualify for our generous colleague discount.
Bonus - We do our best work to succeed together. When goals are reached and if eligible, you'll be rewarded through our bonus scheme.
Workplace - When you join the team you'll be assigned a primary workplace location, i.e. one of our offices, stores or factories. Our hybrid work policy means an average of 3 days per week in the office. The hiring team will discuss the policy and role eligibility with you during the recruitment process.
Children are our role models. Their curiosity, creativity and imagination inspire everything we do. We strive to create a diverse, dynamic and inclusive culture of play at the LEGO Group, where everyone feels safe, valued and that they belong.
The LEGO Group is highly committed to equal employment opportunity and equal pay and seeks to encourage applicants from all backgrounds (e.g. sex, gender identity or expression, race/ethnicity, national origin, sexual orientation, disability, age and religion) to apply for roles in our team.
The LEGO Group is fully committed to Children’s Rights and Child Wellbeing across the globe. Candidates offered positions with high engagement with children are required to take part in Child Safeguarding Background Screening, as a condition of the offer.
Thank you for sharing our global commitment to Children’s Rights.
Just imagine building your dream career.
Then make it real.
Join the LEGO® team today.