
Governance Risk Compliance Manager Jobs (NOW HIRING)

Risk & Compliance Manager

Mossville, IL · On-site

$128K - $192K/yr

The Risk and Compliance Manager leads the day-to-day ethics, compliance, and enterprise risk ... The position advances programs that promote compliant business conduct, strengthen governance, and ...

Governance Risk Compliance Manager information

Salary details: $38.5K · $95.1K · $157K

How much do governance risk compliance manager jobs pay per year?

As of Jun 27, 2026, the average yearly pay for a governance risk compliance manager in the United States is $95,103.00, according to ZipRecruiter salary data. Most workers in this role earn between $70,000.00 and $116,500.00 per year, depending on experience, location, and employer.

How does a Governance Risk Compliance (GRC) Manager typically collaborate with other departments to ensure effective risk management?

A GRC Manager works closely with various departments such as IT, legal, finance, and operations to identify, assess, and mitigate risks across the organization. This often involves facilitating cross-departmental meetings, guiding teams through compliance requirements, and ensuring that controls are implemented effectively. Strong communication and project management skills are essential, as GRC Managers must translate complex regulatory requirements into actionable steps for different teams. This collaborative approach helps ensure that risk management strategies are integrated into daily business processes and that compliance goals are met organization-wide.

What is the salary of governance risk compliance?

The salary for a Governance, Risk, and Compliance (GRC) Manager typically ranges from $80,000 to $150,000 annually, depending on experience, location, and industry. Professionals with certifications like CRISC or CISA and strong knowledge of regulatory frameworks often command higher salaries.

Is governance risk and compliance a good career?

Governance, Risk, and Compliance (GRC) is a growing field with increasing demand for professionals who can manage regulatory requirements, develop policies, and implement risk management strategies. GRC managers typically require knowledge of industry standards, certifications such as CISA or CRISC, and strong analytical skills. It offers opportunities across various industries, with a focus on ensuring organizational integrity and security.

What does a governance and risk manager do?

A governance and risk manager oversees an organization’s compliance with laws, regulations, and internal policies, identifying and mitigating potential risks. They develop frameworks, conduct audits, and implement controls to ensure operational integrity and reduce vulnerabilities, often using tools like risk assessment software and requiring certifications such as CRISC or ISO standards.

What is the difference between Governance Risk Compliance Manager vs Compliance Analyst?

| Aspect | Governance Risk Compliance Manager | Compliance Analyst |
| --- | --- | --- |
| Certifications | ISO 31000, CRISC, CISA | CCA, CCEP, or similar |
| Work Environment | Strategic, managerial, policy-focused | Operational, detail-oriented, audit-focused |
| Employer & Industry Usage | Financial, healthcare, corporate sectors | Regulatory agencies, corporations, consulting firms |
| Search & Comparison Intent | Understanding managerial roles in governance and risk | Detailing compliance procedures and analysis |

The Governance Risk Compliance Manager oversees organizational policies, risk management strategies, and compliance frameworks at a strategic level. In contrast, the Compliance Analyst focuses on implementing and monitoring compliance procedures, conducting audits, and ensuring adherence to regulations. Both roles require relevant certifications and are vital in maintaining organizational integrity, but they differ in scope and responsibilities.

What does a Governance Risk Compliance (GRC) Manager do?

A Governance Risk Compliance (GRC) Manager is responsible for developing, implementing, and overseeing policies and procedures to ensure that an organization complies with regulatory requirements and manages risks effectively. They work closely with various departments to identify potential risks, ensure proper governance frameworks are in place, and monitor compliance with relevant laws and standards. GRC Managers play a key role in maintaining ethical practices, preventing legal issues, and helping organizations achieve their business objectives securely and efficiently.

What are the key skills and qualifications needed to thrive as a Governance Risk Compliance Manager, and why are they important?

To thrive as a Governance Risk Compliance Manager, you need expertise in risk assessment, regulatory frameworks, and compliance management, typically supported by a degree in business, law, or a related field. Familiarity with GRC platforms (like RSA Archer or MetricStream), internal audit tools, and relevant certifications such as CISA, CISM, or CRISC is common. Strong analytical thinking, attention to detail, and effective communication help manage complex regulations and drive organizational compliance culture. These skills ensure the organization can proactively identify risks, comply with legal requirements, and maintain operational integrity.

What does a governance risk and compliance manager do?

A governance risk and compliance (GRC) manager oversees an organization’s policies and procedures to ensure adherence to legal, regulatory, and industry standards. They identify potential risks, develop mitigation strategies, and implement compliance programs, often using tools like risk management software and requiring certifications such as CISA or CRISC.

Infographic showing various Governance Risk Compliance Manager job openings in the United States as of June 2026, with employment types broken down into 96% Full Time, 3% Part Time, and 1% Contract. Highlights a 94% Physical, 2% Hybrid, and 4% Remote job distribution, with an average salary of $95,103 per year, or $45.7 per hour.

Director, Governance, Risk & Compliance

$160K - $190K/yr

Full-time

Posted 27 days ago


Job description

Who We Are
Accommodations Plus International (API) is a technology and services company focused on driving innovation across the travel and transportation industry. We partner with organizations in the airline, cruise, and rail sectors to deliver solutions that improve layover operations, enhance customer experience, and support long-term growth.
Our mission is to make layovers simpler and more efficient for crew members - and we bring that to life through deep industry expertise and a practical, results-driven approach.
Today, API's platform powers over 18 million crew room nights each year for 100+ airlines and travel operators worldwide. Our Global Reach ensures that airline crews are rested, transported, and connected so global aviation runs on time.
At API, we're building a culture rooted in succeeding and thriving together. It's a place where people are encouraged to take ownership, develop their skills, and contribute to work that matters.
If you're looking to grow your career in a company that values steady progress, real impact, and long-term development, we'd like to meet you!
Overview
The Director of Governance, Risk Management & Compliance (GRC) will lead API's global IT and security GRC program, reporting to the CISO. This leader is accountable for the company's cyber risk management framework, regulatory compliance posture, vendor risk program, and data governance strategy.
Success in this role requires the ability to identify, evaluate, and communicate security risks - and to influence strategy across a diverse technology landscape that spans new platforms and legacy business-critical systems. This leader must balance rigorous risk management with business agility, positioning security as an enabler rather than an obstacle.
Key Responsibilities
  • Risk Management: Lead organization-wide risk analysis, maintaining a risk register with documented remediation and mitigation plans. Serve as the primary advisor on information security risks to security management and business unit leads.
  • Compliance & Audit: Establish and own the strategy for managing security audits, compliance checks, and external assessments - including GDPR, SOC 2, ISO 27001, CCPA, and other applicable standards. Liaise with internal and external auditors to implement and sustain required controls.
  • Vendor & Third-Party Risk: Build and manage a comprehensive vendor risk program, evaluating the cybersecurity and data protection controls of third parties, vendors, and business partners.
  • GRC Program Maturation: Drive ongoing security program improvement by amplifying areas of strength and developing actionable plans to address gaps. Develop and report key metrics to security and business leadership.
  • Data Governance & Protection: Lead data governance and data protection programs, ensuring alignment with enterprise risk management principles and up-to-date documentation of systems and processes.
  • Controls & IT Compliance: Facilitate IT compliance across identified controls, including IT general controls (ITGCs), application, cloud, and cybersecurity controls.
  • Policy & Communications: Document, communicate, and enforce security policies that balance risk with business operations. Champion cybersecurity best practices across all business units to reduce the organization's attack surface.
  • Incident Response: Oversee GRC-related incident response activities, tracking occurrences and resolutions with strict documentation and reporting protocols.
  • Access Review: Manage the access review process to ensure appropriate access is consistently granted, maintained, and revoked.

Success Metrics
Risk register is current, with documented mitigation plans and clear ownership for all identified risks.
SOC 2, ISO 27001, and other applicable certifications and audits are managed on schedule with no critical findings.
Vendor risk program covers all strategic third parties with completed assessments and remediation tracking.
Security metrics are reported regularly to executive leadership with measurable program improvement over time.
Security policies are actively communicated, adopted, and embedded across business units.
Data governance documentation is current and aligned with enterprise risk and compliance requirements.
Required Skills, Education and Experience
7-10+ years of experience in cybersecurity, spanning security analysis, compliance and regulatory affairs, risk management, or audit.
Demonstrated experience leading and managing GRC programs, including risk registers, remediation planning, and executive-level reporting.
Proven track record managing security audits and assessments for SOC 2, ISO 27001, GDPR, CCPA, and other standards; familiarity with PCI, HITRUST, and GLBA is a plus.
Hands-on experience with vendor and third-party risk management programs, including evaluation of cybersecurity and data protection controls.
Experience with incident response tracking, documentation, and reporting.
2+ years of experience with AWS and/or Microsoft Azure cloud security configuration and management preferred.
Skills & Competencies
Proven ability to lead and influence across business units, translating complex risk concepts for both technical and non-technical audiences.
Strong understanding of IT general controls, cloud controls, and how they intersect with business operations.
Balances risk management with business efficiency - security controls should enable, not obstruct, business objectives.
Strong project management skills with the ability to manage multiple audits, assessments, and programs simultaneously.
High integrity and professionalism, with the confidence to represent the organization at the executive level.
Outstanding written and verbal communication skills, producing thorough documentation and presenting clearly to varied audiences.
Organized, efficient self-starter capable of operating with minimal supervision.
Education & Certifications
Bachelor's degree, trade school certification, or equivalent professional experience required; Master's degree desirable.
Preferred certifications (not required): CISSP, CISM, CISA, CRISC, or GSLC.
Compensation:
$160,000 - $190,000 USD, commensurate with experience.
Other Duties
Duties, responsibilities and activities may change at any time according to business needs.
The performance of additional responsibilities if you are designated as a Data Protection Champion (DPC), Senior Information Risk Owner (SIRO) or Information Assurance Accounting Officer (IAAO).
Work Environment
This position operates in a professional office environment. This role routinely uses standard office equipment such as computers, phones, photocopiers, filing cabinets and fax machines.
Physical Demands
The physical demands described here are representative of those that must be met by an employee to successfully perform the essential functions of this job. While performing the duties of this job, the employee is regularly required to talk or hear. The employee frequently is required to stand, walk; use hands to finger, handle or feel; and reach with hands and arms.
AAP/EEO Statement
Accommodations Plus International is an Equal Opportunity Employer that does not discriminate on the basis of actual or perceived race, creed, color, religion, alienage or national origin, ancestry, citizenship status, age, disability or handicap, sex, marital status, veteran status, sexual orientation, genetic information, arrest record, or any other characteristic protected by applicable federal, state or local laws. Our management team is dedicated to this policy with respect to recruitment, hiring, placement, promotion, transfer, training, compensation, benefits, employee activities and general treatment during employment.
Privacy Statement
API may use the contact information you provide to communicate about this role, including via text message. See our Privacy Policy for details.