Manager, Governance Risk and Compliance

Remote Worker

AdaptHealth

With 672 locations in 47 states and over 37,000 home deliveries each day, AdaptHealth empowers patients to live their best lives.


Description

Position Summary:

Responsible for developing, implementing, and maintaining the Governance, Risk and Compliance (GRC) security program at AdaptHealth. This position works closely with Information Services leadership, Corporate Compliance, Internal and External Auditors, Legal, and other stakeholders across the company to ensure that information security GRC is implemented and operating effectively. Supervises a team of Enterprise Security personnel to maintain and support AdaptHealth information security policies and procedures, information security risk management processes, third-party risk management, and other GRC operational workflows. Provides information security and GRC consulting on complex organizational projects. Evaluates existing systems and procedures and makes recommendations for improvements of system controls.


Essential Functions and Job Responsibilities:

  • Collaborates with Enterprise Security leadership to develop and mature AdaptHealth’s information security program through effective governance, risk management, and security-control monitoring.
  • Manages the Enterprise Security Policies & Standards lifecycle: creation, annual reviews, internal testing, and NIST alignment, serving as the framework for our information security management system.
  • Manages the Information Security Risk Management Program, including:
      • Defining program standards and guidelines
      • Maintaining the Risk Register (identifying, analyzing, and rating risks; documenting compensating controls and remediation plans)
      • Reviewing and approving exceptions to security policies
      • Developing Risk Metrics and Key Risk Indicators for Board-level reporting
  • Evaluates third-party vendor security and compliance practices, establishes vendor-risk processes, and monitors contractual obligations.
  • Oversees Third-Party Risk Management:
      • Managing vendor security questionnaires and interpreting responses
      • Reporting vendor-profile results and remediating gaps to meet minimum security requirements
      • Preparing regular governance reports and improvement recommendations for cross-functional stakeholders
  • Identifies needs for security awareness training and partners with Learning & Development and Compliance to develop and implement relevant courses.
  • Delivers IT security and compliance training and educational materials to promote a culture of awareness.
  • Develops and executes the GRC maturity roadmap, leading related projects and initiatives.
  • Partners with IT management, risk managers, corporate compliance, and legal to perform and maintain business-impact and risk assessments (e.g., system downtime, unauthorized access).
  • Coordinates with internal and external auditors to facilitate IT audits, respond to findings, and implement corrective actions.
  • Provides input to, and supports implementation of, security controls for clinical and finance applications, maintaining strong relationships with application owners to address emerging issues.
  • Keeps informed on new and emerging information security trends and best practices.
  • Oversees periodic and on-demand system and vulnerability assessments to ensure compliance (including user and application access reviews).
  • Manages incident response, disaster recovery, and business continuity efforts in the event of security breaches or IT incidents.
  • Implements IT governance metrics and reporting to evaluate initiative effectiveness.
  • Conducts ongoing IT risk assessments and recommends mitigation strategies in alignment with business objectives.
  • Establishes and manages compliance programs and the Periodic User Access Review (e.g., Sarbanes-Oxley, HIPAA, SOC, SOX), ensuring adherence and coordinating related audits.
  • Develops and maintains IT governance frameworks, standards, and policies, collaborating with executive management to enforce them.
  • Provides regular updates and reports to senior management on IT governance, risk, and compliance, translating technical matters for non-technical stakeholders.
  • Contributes to or leads other department-specific and cross-functional initiatives as needed.
  • Maintains the confidentiality of all investigations, projects, and patient information, and functions within the guidelines of HIPAA.
  • Completes assigned compliance training and other educational programs as required.
  • Performs other related duties as assigned.

Management/Supervision:

  • Responsible for selection and hiring of qualified staff, ensuring an effective on-boarding, and providing comprehensive training and regular feedback.
  • Accomplishes staff results by communicating job expectations; planning, monitoring, and appraising job results; coaching, counseling, and disciplining employees; developing, coordinating, and enforcing systems, policies, procedures, and productivity standards.
  • Establishes annual goals and objectives for the department based on the organization’s strategic goals.
  • Responsible for achieving organizational performance and retention goals, including timely completion of performance evaluations.

Competency, Skills, and Abilities:

  • Excellent verbal and written communication skills.
  • Self-starter with the ability to work independently to create, build, and manage frameworks and programs.
  • Ability to analyze and present critical information to all levels of staff from general employee level to Board-level reporting metrics.
  • Ability to source, analyze, negotiate, select, and manage third-party vendors to achieve program deliverables.
  • Must have excellent interpersonal skills to effectively communicate with all levels of hospital personnel, vendors, IT personnel, and direct reports.
  • Strong prioritization, multi-tasking, and time management skills.
  • Explicit knowledge of cyber security controls, implementation, compliance, and governance across the cyber security stack of technologies.
  • Ability to investigate and discover the root challenges, issues, and complexity of implementations in order to uncover cyber issues.
  • Thorough understanding of risk analysis and audit tracking.
  • Extensive knowledge of current common paradigms for violating system integrity.
  • Must possess the ability to deliver clear, concise communications and presentations. Must be able to train others quickly and thoroughly on key Enterprise Security concepts. 
  • Knowledge of Federal and State regulations including HIPAA and SOX. 
  • Knowledge of industry leading frameworks including NIST CSF, HIPAA, ISO 27001, SOC 2, ITIL, and SOX. 


Requirements

Education and Experience Requirements:

  • Bachelor's Degree in Computer Science, Computer Engineering, MIS, or related field
  • 8+ years of relevant experience focusing on security policy creation and lifecycle management, auditing methodology, technology risk management, and third-party risk management.
  • Experience in conducting risk assessments and implementing risk management strategies. Security industry certifications such as CISM, CISSP, CRISC, and ISSMP are desirable.

Physical Demands and Work Environment:

  • Must be able to bend, stoop, stretch, stand, and sit for extended periods.
  • Work environment may be stressful at times, as overall office activities and work levels fluctuate.
  • Ability to perform repetitive motions of wrists, hands, and/or fingers due to extensive computer use.
  • Subject to long periods of sitting and exposure to computer screen.
  • May be required to work at various locations. 
  • Must possess mental alertness to make quick decisions and interpret complex information.
  • Excellent ability to communicate effectively, both verbally and in writing, with customers, demonstrating empathy, compassion, courtesy, and respect for privacy.
  • Mental alertness to perform the essential functions of position. 
  • Ability to work after non-business hours as needed.

Tags: Audits CISM CISSP Compliance Computer Science CRISC Finance Governance HIPAA Incident response ISO 27001 ITIL Monitoring NIST Privacy Risk analysis Risk assessment Risk management SOC SOC 2 SOX

Perks/benefits: Career development

Region: Remote/Anywhere
