Senior IT GRC Advisor at Community Care of North Carolina
About CCNC
From the mountains to the coast, from large cities to small towns, Community Care of North Carolina is transforming health care. Informed by statewide data and predictive analytics, community-based care-managers work with local physicians and diverse teams of health professionals to develop whole-person plans of care that connect people to the right local resources and increase equity and access to high quality care.
CCNC Mission Statement
To improve the health and quality of life for all North Carolinians by building and supporting better community-based healthcare delivery systems.
Position Summary
The Senior IT GRC Advisor is responsible for leading and maturing CCNC's enterprise IT governance, risk, and compliance program. This role serves as a senior advisor to leadership and works in alignment with IT security and IT leadership on IT risk, cybersecurity governance, internal controls, regulatory obligations, and audit readiness, while maintaining practical, business-aligned processes that strengthen the control environment across infrastructure, applications, cloud platforms, vendors, data protection, and strategic technology initiatives. The Senior IT GRC Advisor is accountable for the development, implementation, and continuous improvement of IT GRC methodologies, policies, standards, risk assessments, issue management, reporting, and advisory services that support secure and compliant operations.
Essential Functions
- Lead the enterprise IT GRC program, including governance structures, risk management processes, policy oversight, control framework alignment, and reporting on program effectiveness to leadership.
- Demonstrate strong critical thinking and professional skepticism to assess control design and operating effectiveness, analyze requirements, data, and processes in context, and provide defensible, risk-based recommendations to management.
- Plan, lead, and execute IT risk assessments, audits, and advisory engagements across infrastructure, applications, cloud services, cybersecurity processes, data protection controls, and enterprise technology initiatives.
- Develop, maintain, and mature the IT risk register and issue management process, including documenting risks, assigning ownership, tracking remediation plans, validating closure, and reporting residual risk and trends to leadership.
- Establish and maintain GRC metrics, dashboards, KPIs, and KRIs to provide leadership with meaningful visibility into control effectiveness, audit readiness, remediation status, and emerging risk trends.
- Collaborate with IT, Security, Privacy, Legal, Compliance, Internal Audit, and business stakeholders to strengthen internal controls and implement sustainable corrective and preventive actions.
- Advise on large-scale enterprise projects, system implementations, and technology changes by embedding risk, compliance, control, and governance requirements throughout the project and system lifecycle.
- Lead third-party and vendor risk management activities, including due diligence, control reviews, evidence evaluation, contract and security requirement alignment, ongoing monitoring, and escalation of material risks. Assess third-party controls, including SOC reports, HITRUST certifications, penetration testing results, policy documentation, and other independent assurance artifacts to evaluate control design and operating effectiveness.
- Conduct cloud and SaaS compliance assessments across platforms such as AWS and Azure, with emphasis on shared responsibility, configuration governance, access management, identity governance, and evidence-based validation of security controls.
- Evaluate identity and access management controls, including privileged access management, role-based access control, user provisioning and deprovisioning, and workforce access appropriateness.
- Support the organization’s preparedness for internal and external audits, regulatory reviews, and control assessments by coordinating evidence, validating remediation, and improving documentation quality and audit readiness.
- Assess IT and security policies, standards, procedures, and governance artifacts for alignment to recognized frameworks and regulatory expectations. Provide risk-based and business-centric recommendations to address gaps.
- Develop and facilitate workforce education and awareness programs related to security, privacy, compliance, and internal controls, with a focus on practical risk ownership and control accountability.
- Coordinate with operational and technical teams to evaluate incident response, disaster recovery, and business continuity control design and testing from a GRC perspective.
- Support responsible AI governance and AI assurance efforts by assessing governance structures, usage controls, risk mitigation approaches, and emerging compliance expectations related to AI-enabled tools and processes.
- Develop and maintain GRC methodologies, templates, repositories, internal sites, and reporting artifacts that improve consistency, efficiency, and program maturity.
- Fulfill other GRC responsibilities as assigned by management.
Qualifications
- Bachelor’s degree in information technology, cybersecurity, information systems, accounting, audit, risk management, or a related field.
- Minimum of 7 years of progressive experience in IT audit, IT risk management, cybersecurity compliance, or GRC program leadership.
- Demonstrated experience planning and leading complex IT audit, risk assessment, or advisory engagements.
- Experience developing or maturing GRC programs, frameworks, policies, risk registers, metrics, or issue management processes.
- Experience assessing third-party and vendor risk and reviewing assurance artifacts such as SOC reports, penetration tests, and security certifications.
- Experience conducting cloud risk or compliance assessments in AWS, Azure, or similar environments.
Certifications
- One or more of the following certifications is required: CISA, CISSP, CISM, CRISC, CGEIT, CDPSE, or equivalent.
Preferred
- Working knowledge of the HIPAA Security Rule and recognized security practices relevant to safeguarding ePHI.
- Experience with AI governance, AI risk assessments, or AI assurance reviews.
- Experience in continuous controls monitoring, executive reporting, and program maturity improvement.
- Experience in healthcare, regulated environments, or privacy and security compliance programs.
Knowledge, Skills, and Abilities
- Knowledge of enterprise IT governance, risk management, and compliance principles.
- Knowledge of IT general controls, internal control frameworks, and audit methodologies.
- Knowledge of cybersecurity concepts, including identity and access management, vulnerability management, incident response, disaster recovery, business continuity, and cloud security.
- Knowledge of healthcare security and privacy requirements, including HIPAA Security Rule concepts.
- Knowledge of third-party and vendor risk management practices, including review of SOC reports, security questionnaires, and other assurance documentation.
- Knowledge of policy, standards, and procedure development to support a strong internal control environment.
- Knowledge of issue management, remediation tracking, and continuous improvement practices.
- Knowledge of recognized frameworks and standards such as NIST CSF, NIST 800-53, COBIT, ISO 27001, PCI DSS, and HITRUST.
- Skill in leading IT risk assessments, audits, and advisory engagements.
- Skill in evaluating control design and operating effectiveness and identifying gaps and remediation priorities.
- Skill in developing and maintaining risk registers, issue logs, corrective action plans, and supporting documentation.
- Skill in reviewing vendor documentation and assurance artifacts such as SOC reports, penetration test results, certifications, and policy evidence.
- Skill in drafting and revising policies, standards, and procedures.
- Skill in preparing dashboards, executive reports, KPIs, KRIs, and risk summaries.
- Skill in facilitating interviews, walkthroughs, stakeholder meetings, and remediation follow-up discussions.
- Skill in assessing cloud, access management, and identity governance controls.
- Skill in communicating clearly in writing and verbally with technical and non-technical audiences.
- Ability to analyze complex information, processes, and control environments.
- Ability to exercise sound judgment and professional skepticism.
- Ability to develop practical, risk-based recommendations.
- Ability to influence and collaborate with leaders and cross-functional stakeholders.
- Ability to manage multiple priorities with minimal supervision.
- Ability to translate technical and regulatory requirements into business-friendly guidance.
- Ability to support audit readiness and continuous improvement efforts.
- Ability to identify emerging risks involving third parties, cloud environments, data protection, and AI-related governance.
- Ability to maintain confidentiality when handling sensitive organizational, compliance, and security information.
Working Conditions
- Routinely there may be some minor physical inconveniences or discomforts in the work setting, including sitting for moderate periods of time
- Must be able to utilize office equipment, computer, keyboard, and phone with or without assistive devices
- Repetitive wrist motion and occasional lifting/carrying of up to 25 pounds
Why Join Us
- Make a meaningful impact on youth and families across North Carolina
- Work with a supportive and collaborative care team
- Competitive Benefits Package effective first day of employment
- Opportunities for growth, training, and bonus incentives*
Ready to improve the health and quality of life of all North Carolinians by building and supporting better community-based health care delivery systems?
- Apply today and join us in delivering compassionate care that makes a difference.