Valvoline Corporate
Lexington, Kentucky, United States
IT Governance, Risk and Compliance Manager
Job Description
Why Valvoline?
We've been in the car business for more than 150 years, starting with the invention of the world's first motor oil. Today, we're a global leader in automotive services and lubricants, driven every day by a people-centered focus on innovation and service excellence.
As we often say, it starts with all of our people, and that's where you come in. We're looking for humble, hungry and smart people to help us power the future of mobility. If you're looking for a collaborative and flexible work environment that invests in your growth and success, you've come to the right place.
Careers for the Driven
Valvoline has a rewarding opportunity as an IT Governance, Risk & Compliance (GRC) Manager. We wholeheartedly adopt a 'never idle' mindset. We also know that outstanding service begins and ends with our employees. So, we're looking for good people to join our team. You bring your skills, talents and drive. We will give you a great place to work, a competitive salary and benefits, and the resources and support to develop and advance within our global company.
*Valvoline World Headquarters is located in Lexington, KY, but we invite remote candidates to apply as well. Ideally, we would like candidates located in nearby markets (Cincinnati, Louisville, and Nashville), but we are open to other locations.
How You'll Make an Impact
The IT Governance, Risk & Compliance (GRC) Manager is responsible for facilitating the development, implementation, documentation, and review of IT policies, procedures, processes, programs, and practices that guide the organization toward continuous compliance with applicable laws, regulations, and industry frameworks. The manager works with Information Technology, Information Security, Internal and External Audit resources and the business to support process documentation and review, reporting and analytics, and the development and maintenance of appropriate records related to policy, procedures, control self-assessments, risk, etc. The manager coordinates with corporate accounting to identify, develop, and maintain a suite of appropriate IT controls that support the organization's overall Internal Control over Financial Reporting (ICFR). The manager will assist in IT risk assessment projects, including the identification and documentation of an IT risk register, risk assessments, mitigating controls, residual risk, and other related data.
In the role, you would be responsible for:
- Managing the company's GRC program: ensuring all IT policies and procedures are documented and updated according to regulatory standards; maintaining the ICFR program and other policy/regulatory compliance; collaborating with information security; maintaining version-controlled documentation and risk management records; and keeping the repository/system of record up to date as defined by the IT Governance program.
- Leading risk assessments to identify security risks across business functions, products and systems; overseeing the risk register and the ongoing risk treatment lifecycle, including exceptions; providing SOX subject matter expertise for testing of all IT Sarbanes-Oxley controls and acting as liaison between audit and business personnel. Collaborating on program deficiencies identified by internal and external resources, determining appropriate mitigation strategies, coordinating the performance and review of ITGCs, and evaluating residual risks.
- Ensuring the organization maintains current compliance with all applicable Payment Card Industry Data Security Standard (PCI DSS) requirements across all payment channels. Generating the annual Report on Compliance (ROC) and Attestation of Compliance (AOC) for each applicable channel.
- Leading organizational security and privacy awareness efforts and implementing a measured and managed awareness program; collaborating with IT Security on penetration testing, vulnerability scanning and device/system health checks within the infrastructure; identifying the tasks necessary to remediate identified risks and vulnerabilities, negotiating dates for completion of remediation tasks, tracking progress on remediation, and providing reporting to the appropriate members.
- Measuring security program maturity and building plans for increasing maturity through projects, capabilities and controls.
- Evaluating all potential new vendors and systems for integration into the enterprise environment, including vendor security posture, compatibility with existing enterprise solutions, Privacy Impact Assessment (GDPR PIA/DPIA), and compliance with internal controls and external regulations and requirements (SOX, GDPR, PCI DSS).
- Managing the IT-specific application of the organization's data privacy program, ensuring compliance with applicable laws and regulations, and providing situational awareness and guidance to the relevant organizational groups.
- Functioning as the GRC repository system Subject Matter Expert (SME) and training/supporting clients in repository system usage, including one-on-one training and drafting training guidelines when necessary.
- Other duties and responsibilities as determined by Valvoline from time to time in its sole discretion.
What You'll Need
- Bachelor's degree in business, accounting/finance, computer science, information systems, engineering, or a related field
- Minimum of five years of experience in IT and/or audit, or a minimum of three years of dedicated IT GRC experience writing/reviewing IT policies and procedures
- PCI DSS Internal Security Assessor (ISA) certification
- Demonstrated strong understanding of various compliance and regulatory areas (e.g. Sarbanes-Oxley, PCI DSS, COBIT, HIPAA)
- Demonstrated in-depth understanding of the risk register, risk exposure, risk reporting and handling of risk events
- Ability to recommend and influence business process changes with regard to Information Security policies, standards, and processes (including the use of tools)
- Excellent written and verbal communication skills
- Strong analytical and problem-solving skills
- Ability to work both independently and as part of a team to deliver quality work product in a timely fashion in a fast-paced environment
- Ability to multi-task and prioritize tasks
- Ability to exercise good professional judgment
- Ability to work well with people from many different disciplines with varying degrees of technical experience
- Ability to adapt to a dynamic, rapidly changing business and technical environment
- Ability to maintain confidentiality
Must be authorized to work in the U.S.
What Will Set You Apart
- Participation in life cycle project implementations (from scoping/planning, requirements gathering, design, development, testing, launch and support)
- Risk, audit and security certifications (CGEIT, CISSP, CIA, CISA, PCIP, etc.)
Benefits That Drive Themselves
- Health insurance plans (medical, dental, vision)
- HSA and flexible spending accounts
- 401(k)
- Incentive opportunity*
- Life insurance
- Short and long-term disability insurance
- Paid vacation and holidays*
- Employee Assistance Program
- Employee discounts
- Tuition reimbursement*
- Adoption assistance*
*Terms and conditions apply and benefits may differ depending on position.
Females and minorities encouraged to apply.
Valvoline provides equal employment opportunities to all employees and applicants for employment and prohibits discrimination and harassment of any type without regard to race, color, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by federal, state or local laws. Are you good at what you do? Join us.
The Company endeavors to make its recruitment process accessible to any and all users. Reasonable accommodations will be provided, upon request, to applicants with disabilities in order to facilitate equal opportunity throughout the recruitment and selection process. Please contact Human Resources at 1-800-Valvoline or email 1-800Valvoline@valvoline.com to make a request for reasonable accommodation during any aspect of the recruitment and selection process. The contact information is for accommodation requests only; do not use this contact information to inquire about the status of applications.