Jobs · Engineering · Indiana

Senior Director - GRC Engineer

Eli Lilly and Company · Indianapolis, IN · 1 wk ago
Engineering$155k–$227k/yrFull-time

About the role

The Senior Director, Governance Risk and Compliance (GRC) Engineer is a senior leader within the Digital Legal Office (DLO) GRC & Service Management organization. The role translates the DLO’s privacy, AI, and data governance frameworks into effective, auditable, and increasingly automated control designs. The GRC Engineer bridges the gap between what regulatory and policy obligations require, and how those obligations are implemented as operational controls by business control owners across the enterprise.

Responsibilities

  • Own end-to-end design of DLO-owned privacy, AI, and data governance controls—translating regulatory obligations, policy requirements, and risk appetite into auditable, repeatable control architectures.

  • Define and retain control design specifications for each control in the DLO GRC Framework, including procedures, evidence requirements, data flows, and automation targets.

  • Apply privacy-by-design and AI-by-design principles throughout the control engineering lifecycle, from inception through deployment and ongoing sustainment.

  • Lead technical analysis to identify control gaps, design deficiencies, and automation opportunities; propose and drive remediation with appropriate urgency.

  • Develop and publish design documentation, technical specifications, and implementation guides that create consistency in how controls are built and validated.

  • Develop reusable control design frameworks, templates, and implementation patterns that business teams can adapt to their specific processes and technology environments.

  • Provide support and direction on how to translate assessment findings, incidents, and issues into actionable control improvements.

  • Triage and advise on sophisticated, ambiguous control scenarios where regulatory guidance, technical constraints, and business priorities must be carefully balanced.

  • Partner with GRC Analysts and Service Management to align the control maturity roadmap with the risk assessment calendar and service delivery capacity.

  • Engage DLO leadership and senior stakeholders regularly to communicate roadmap progress, emerging risks, and recommended strategic investments in control maturity.

  • Serve as the senior technical enablement partner for the DLO Embedded Team, providing control design blueprints, reference architectures, and technical guidance that equip them to work effectively with business control owners.

  • Partners with the CISO organization’s Engineering and Security Architecture teams for matters of control design, technical integration, and shared control boundaries.

  • Partner on control design reviews where DLO and Cyber controls intersect (e.g., data protection controls that serve both privacy and security objectives).

  • Contribute to the DLO service catalog by ensuring controls are represented as managed services with defined inputs, outputs, SLAs, and continuous improvement mechanisms.

Requirements

  • Bachelor’s degree in Computer Science, Information Systems, Engineering, Cybersecurity, or a related technical field.

  • 10+ years of progressive experience in GRC, risk engineering, privacy engineering, or security architecture.

  • 5+ years of experience focused on control design, implementation, or assurance at an enterprise scale.

Qualifications

  • Demonstrated ability to translate regulatory and policy requirements into technical control specifications and implementation guidance.

  • Experience influencing senior team members on control design decisions in a matrixed, federated operating model.

  • Experience with GRC platforms (ServiceNow IRM preferred) including control configuration, evidence management, and reporting design.

  • Deep solid understanding of privacy and AI regulatory frameworks (GDPR, NIST Privacy Framework, NIST AI RMF, EU AI Act, U.S. state privacy laws).

  • Experience developing and owning control maturity roadmaps, including defining maturity models, setting progression targets, and aligning investment to risk posture.

  • Experience operating within a federated risk model, enabling business control owners rather than implementing controls directly.

  • Strong verbal and written communication skills, with demonstrated ability to convey technical control design concepts to non-technical senior leaders.

  • Experience in regulated industries—pharmaceutical, healthcare, or life sciences strongly preferred.

  • Professional certification in privacy, risk, or security (e.g., CIPP/E, CIPT, CRISC, CISSP, CDPSE).

  • Experience with privacy-enhancing technologies (PETs), AI governance tooling, or data classification technologies.

  • Familiarity with ISO 27001/27701, SOC 2 controls, or equivalent control frameworks.

  • Experience scaling control capabilities across a large, matrixed enterprise with multiple lines of defense.

  • Hands-on experience with control automation, including workflow orchestration, API-based evidence collection, or AI-assisted monitoring.

  • Prior exposure to 2nd/3rd line of defense coordination (Internal Audit, Enterprise Risk, Quality).

  • Track record of partnering with cybersecurity engineering and architecture functions on shared control design.

Similar jobs

Senior GRC Engineer

Nexus Venture PartnersSan Francisco, CA· 6 days ago
Engineering$180k–$200k/yrapply on job-boards.greenhouse.io

Senior GRC Engineer

PostmanSan Francisco, CA· 1 wk ago
Engineering$180k–$200k/yrapply on job-boards.greenhouse.io

Senior GRC Engineer

FlockUnited States· 1 wk ago
RemoteEngineering$130k–$145k/yrapply on jobs.ashbyhq.com

Senior GRC Engineer

BiographNew York, NY· 1 mo ago
Engineering$150k–$200k/yrapply on jobs.ashbyhq.com