GRC Manager (Governance, Risk

2 days ago


Bengaluru, Karnataka, India Exotel Full time ₹ 40,000 - ₹ 1,00,000 per year

About Us

Exotel is the emerging markets' leading full-stack customer engagement platform and business-focused virtual telecom operator. Incorporated in 2011, Exotel's cloud-based product suite powers 50 million daily engagements across voice, video and messaging channels. Exotel powers unified customer engagement for over 6000 companies in 60+ countries, including India, Southeast Asia, the Middle East, and Africa. Today, some of the fastest-growing companies in the emerging markets (Ola, Swiggy, Flipkart, GoJek, Byjus, Urban Company, HDFC Bank, Zomato, Oyo, etc.) manage their customer engagement with Exotel's suite of communication APIs, Ameyo's omnichannel contact centre (merger), and Cogno AI's conversational AI platform (acquisition) over the cloud. They're a $100 million Series D-funded company with $60 million in ARR.

Job overview:

The Exotel GRC team drives risk management and compliance within the organisation, supporting Exotel and its product portfolio.

We are looking for a GRC Manager with experience in compliance and security to help protect and enable Exotel products and services. The GRC team works as a line of defence by conducting periodic audits of all the control owners, the platform team, the Security team and the Engineering stakeholders.

Key responsibilities:

Customer Trust Assurance Leadership:

  • Develop and execute the strategy for Customer Trust Assurance, ensuring our security and compliance posture consistently meets and exceeds the expectations of a sophisticated client base, especially BFSI institutions.
  • Serve as the primary customer-facing security and compliance expert, engaging directly with clients' security, audit, and procurement teams to present our controls, address concerns, and foster long-term trust.
  • Maintain and continuously update a comprehensive Trust Portal or similar resource containing all relevant compliance documentation, certifications, and security white papers for client consumption.

Client Audit Management & Facilitation:

  • Lead, coordinate, and manage all client-initiated audits, reviews, and due diligence activities, specifically focusing on BFSI clients' stringent regulatory requirements.
  • Own the end-to-end audit lifecycle, including scoping, internal readiness reviews, direct client communication, on-site/virtual facilitation, artifact gathering, and managing post-audit remediation plans.
  • Translate complex client-specific audit requirements (e.g., related to GDPR, CCPA, ISO 27001, SOC 2, and BFSI regulations) into actionable tasks for internal security and engineering teams.

Risk Management:

  • Conduct risk assessments and identify, analyse, and evaluate potential risks across all areas of the business.
  • Develop and maintain a comprehensive risk register, including risk assessments, mitigation plans, and key risk indicators (KRIs).
  • Monitor and report on key risks and emerging threats.
  • Assist in the development and implementation of risk mitigation strategies and controls.
  • Coordinate with teams on the implementation of risk management strategies aligned with stakeholders.

Compliance:

  • Ensure compliance with all applicable laws and regulations (e.g., data privacy laws, industry-specific regulations, cybersecurity frameworks like NIST CSF 2.0, ISO 27001:2022).
  • Conduct internal audits and compliance reviews to identify and address any gaps.
  • Manage regulatory reporting requirements and ensure timely submission of all necessary filings.
  • Advise on and implement best practices for compliance with relevant standards (e.g., ISO 27001, SOC 2, Data Privacy).

Governance:

  • Assist in the development and implementation of internal policies and procedures related to governance, risk, and compliance.
  • Contribute to the development and maintenance of a strong control environment.
  • Support the development and implementation of a robust ethics and compliance program.

Stakeholder Management:

  • Collaborate with business units, IT, legal, and other stakeholders to identify and address risk and compliance issues.
  • Communicate effectively with all levels of management on risk and compliance matters.
  • Build and maintain strong relationships with internal and external auditors.
  • Work under the CISO and facilitate audits such as ISO 27001, and drive closure of audit findings by following up with the respective teams.
  • Identify stakeholders and their roles, keep them informed of project progress, address their concerns, and implement their feedback.
  • Work with team members and stakeholders to understand and identify work challenges and program goals, obtain prioritized deliverables, and discuss program impacts.

Continuous Improvement:

  • Stay abreast of evolving regulatory requirements, industry best practices, and emerging threats.
  • Continuously evaluate and improve the organisation's GRC framework and processes.
  • Proactively identify and implement new GRC initiatives.

Qualifications & skills required:

  • 10+ years of experience in a GRC role, with a strong understanding of risk management frameworks, methodologies, and tools
  • Experience: Proven track record in a GRC, Information Security, or Audit role, with at least 3 years in a leadership or client-facing capacity. Extensive experience managing security audits from major BFSI clients is mandatory.
  • Knowledge: Deep understanding of BFSI compliance frameworks (e.g., FFIEC, GLBA, PCI DSS) and international standards (e.g., ISO 27001, SOC 2, HIPAA, NIST).
  • Experience with one or more of the NIST CSF 2.0 framework, SOC 2 Type 2, ISO 27001:2022.
  • Strong communication and interpersonal skills, with the ability to effectively communicate complex information to both technical and non-technical audiences.
  • Experience working in a fast-paced and dynamic environment.
  • 3+ years of experience in technology risk, including one or more domains (e.g., access management, vulnerability management, change management, business continuity, application security, asset management).
  • 2+ years of experience in effectively analysing data and programs for security risk, compliance, and maturity.
  • 2+ years of program management experience in a corporate environment.
  • Experience with certifications for SOC 2 Type 2, ISO 27001:2022.

Good to have:

  • CISSP, CISA, CISM, and CRISC certifications are desirable.
  • Advanced degree and/or certification.
  • Advanced program management skills, including planning, organising, pre-empting risks/blockers, and communicating with stakeholders to deliver successful programs or projects, while operating with minimal guidance.
