Senior Manager, IT Compliance and Risk

Edmonton Office, Canada


Work Location

Edmonton Office

About SNDL

SNDL is a public company whose shares are traded on the Nasdaq under the symbol "SNDL." SNDL is the largest private-sector liquor and cannabis retailer in Canada, with retail banners that include Ace Liquor, Wine and Beyond, Liquor Depot, Value Buds, Spiritleaf, and Firesale Cannabis. SNDL is a licensed cannabis producer and one of the largest vertically integrated cannabis companies in Canada, specializing in low-cost biomass sourcing, indoor cultivation, product innovation, low-cost manufacturing facilities, and a cannabis brand portfolio that includes Top Leaf, Contraband, Palmetto, Bon Jak, Versus, Value Buds, and Vacay. SNDL's investment portfolio seeks to deploy strategic capital through direct and indirect investments and partnerships throughout the North American cannabis industry.

Position Summary:

The Senior Manager of IT Compliance and Risk is responsible for leading and managing the organization’s IT compliance and risk management programs with a strong focus on Sarbanes-Oxley (SOX) compliance in a heavily regulated environment. This role involves developing, implementing, and maintaining policies and procedures to ensure compliance with regulatory requirements, industry standards, and internal controls. The Senior Manager will also oversee risk assessments, audit responses, and the mitigation of identified risks, working closely with IT, Finance, Legal, Internal Audit, and other business units to protect the organization’s information assets and ensure a compliant operating environment.

Key Responsibilities:

1. IT Compliance Management:

  • Lead and manage the organization’s Sarbanes-Oxley (SOX) compliance efforts, including IT General Controls (ITGC) and application controls, ensuring compliance with Section 404 requirements.
  • Oversee PCI-DSS compliance efforts, including maintaining and updating SAQs (Self-Assessment Questionnaires), coordinating PCI audits, and ensuring the security of cardholder data.
  • Engage with third-party PCI-DSS auditors to complete requirements and attain an attestation of compliance.
  • Develop and maintain IT compliance programs to ensure adherence to other regulatory requirements and frameworks such as GDPR, CCPA, HIPAA, SOC, and ISO 27001.
  • Establish, document, and enforce IT policies, standards, and procedures aligned with compliance requirements.
  • Conduct gap analyses and readiness assessments for new or updated compliance requirements, recommending necessary changes to policies or controls.
  • Coordinate and support internal and external audits related to SOX, PCI-DSS, and other compliance requirements.
  • Prepare and present compliance reports to senior management and relevant stakeholders.

2. Risk Management:

  • Lead IT risk assessments, identifying potential threats and vulnerabilities that could impact the organization, with a focus on SOX-related risks.
  • Develop and implement risk management strategies, controls, and action plans to mitigate risks.
  • Monitor and report on the status of risk mitigation efforts to leadership.
  • Collaborate with IT and business leaders to ensure alignment of risk management practices with business goals, and partner with cross-functional leaders to develop approaches and strategies for addressing broader emerging corporate issues and risks.

3. Security Governance:

  • Establish and oversee IT governance frameworks to ensure compliance and risk management objectives are met.
  • Work closely with cybersecurity teams to integrate compliance and risk management requirements into security programs.
  • Maintain an up-to-date understanding of industry best practices, regulatory changes, and emerging risks.

4. Incident Response and Business Continuity:

  • Contribute to the development and testing of IT disaster recovery and business continuity plans.
  • Lead investigations of compliance and security incidents, ensuring appropriate responses and documentation.
  • Conduct post-incident analysis and recommend improvements to prevent recurrence.

5. Leadership and Training:

  • Lead and mentor a team of IT compliance and risk professionals.
  • Apply a strong understanding of financial practices and of Internal Audit methodology, including strategies for engaging with external auditors.
  • Engage directly with Finance and Internal Audit leadership to drive compliance change relating to IT General Controls and the overall compliance program.
  • Develop training programs to educate staff on compliance requirements, policies, and risk management practices.
  • Promote a culture of compliance and risk awareness across the organization. This manager should be well positioned to drive a compliance mindset across the entire technology landscape, actively participate in discussions about technology roadmaps, and raise compliance-related issues in that process.

Qualifications:

Education:

  • Bachelor’s degree in Information Technology, Cybersecurity, Accounting, Business Administration, or a related field.
  • Master’s degree preferred.

Certifications:

  • Relevant certifications such as CISM, CRISC, CISSP, CISA, or SOX-specific certifications are highly desirable.

Experience:

  • 10+ years of experience in IT compliance, risk management, or information security, with at least 5 years focused on Sarbanes-Oxley (SOX) compliance in a heavily regulated environment.
  • Proven experience managing compliance programs and leading risk assessments in a complex IT environment.
  • Experience collaborating with internal and external auditors on SOX audits and remediation efforts.

Skills:

  • Deep knowledge of SOX compliance requirements, including IT General Controls (ITGC) and application controls.
  • Strong knowledge of other regulatory requirements and frameworks (e.g., GDPR, PCI-DSS, SOC, ISO 27001, NIST).
  • Excellent analytical, problem-solving, and decision-making skills.
  • Effective communication and presentation skills for both technical and non-technical audiences.
  • Leadership abilities with experience managing and developing teams.
  • A strong change agent, with the ability to challenge the status quo, take the initiative to engage stakeholders proactively, and deliver effective results from the changes made.
  • Strong interpersonal skills and executive presence, including a proven ability to develop and maintain executive relationships and manage expectations.

As a valued member of the SNDL team, you will enjoy:

  • Competitive total compensation and incentives
  • A top-notch extended benefits package including medical, extended health, and a healthcare spending account
  • An entrepreneurial and innovative environment that fosters growth and continuous learning
