Description
Purpose and Scope
At Tolmar, we are committed to transforming patient care in the pharmaceutical industry through operational excellence, innovation, and integrity. The Associate Director of IT Governance, Risk, and Compliance (GRC) will play a pivotal role in safeguarding Tolmar's technology ecosystem by leading the design and execution of a scalable, results-oriented GRC program.
This role champions a strategic yet pragmatic approach to IT governance, aligning risk management and compliance frameworks with business goals. This includes defining security strategy and architecture; developing GRC frameworks and adopting best practices for establishing and maintaining SOX, data privacy, and other highly regulated pharmaceutical operations; internal IT control governance; access reviews; IT change management relevant to the SDLC process; conducting risk assessments; and managing IT security policies and procedures. The role is also responsible for IT GRC training and awareness programs, audit management, and reporting. The ideal candidate is a confident, hands-on leader capable of navigating complexity while delivering measurable outcomes in a fast-paced, regulated environment.
Essential Duties & Responsibilities
Strategic Leadership
- Design and lead a scalable enterprise-wide GRC framework tailored to a pharmaceutical setting, ensuring agility in risk management and compliance.
- Align IT policies and controls with business outcomes, enabling secure, compliant innovation across critical systems.
- Provide strategic leadership and influence cross-departmental initiatives to embed governance and compliance across enterprise systems and business units.
- Own policy development, security awareness programs, and GRC platform oversight to improve visibility, reduce risk, and increase efficiency.
- Partner with business and technology stakeholders to embed compliance into business-as-usual processes without slowing innovation.
- Identify and implement innovative technologies and process improvements that proactively enhance systemic compliance and operational efficiency.
Governance & Risk Management
- Identify and mitigate risks across IT and OT systems using control matrices, SOD analysis, and pragmatic risk remediation strategies.
- Champion a proactive risk culture by embedding GRC into daily operations, project delivery, and change management lifecycles.
Compliance & Regulatory Execution
- Ensure adherence to SOX, HIPAA, GDPR, 21 CFR Part 11, and other relevant standards by driving a pragmatic, audit-ready posture.
- Lead audit preparations and responses, coordinating cross-functional teams to implement effective corrective actions.
Identity and Access Governance
- Manage user access control for enterprise applications, including automation of provisioning, deprovisioning, and access reviews.
- Establish robust workflows for privileged access management and certification processes to ensure transparency and control.
Business Continuity & Incident Response
- Act as a point of contact for BCDR planning and testing, integrating incident response protocols with security frameworks, compliance, and privacy laws.
Training and Communication
- Develop and deliver training materials, workshops, and targeted campaigns to build awareness and understanding of compliance requirements across all levels of the organization.
- Serve as a key communicator of GRC strategy, translating complex regulatory concepts into actionable insights for diverse audiences.
- Other duties as assigned.
Knowledge, Skills & Abilities
- Strong working knowledge of IT service management (e.g., ITIL-related disciplines).
- Results-Focused: Able to drive measurable outcomes in security and compliance programs, particularly in regulated environments.
- Demonstrated success balancing business needs with security, risk, and compliance, achieving results through pragmatism over perfection.
- Identity management expertise, including integration with single sign-on (SSO), authentication (e.g., Microsoft Active Directory, LDAP, OAuth, SAML), access controls, and HR and user provisioning processes. Identity and access governance, including role-based access control, access request and certification, user life cycle management processes, and IT change management.
- Deep knowledge of regulatory and cybersecurity standards: SOX, HIPAA, GDPR, NIST, ISO/IEC 27001.
- Technical fluency in identity management, IT change control, SDLC governance, and audit remediation.
- Strong organizational skills and technical documentation skills with an emphasis on detail.
- Communicative Leader: Strong written and verbal communication skills with the ability to influence and educate diverse stakeholders.
- Collaborative Partner: Builds cross-functional relationships and bridges gaps between business, audit, legal, and IT.
- Agile Thinker: Adapts quickly, balances competing priorities, and provides clear direction under pressure.
Core Values
This position is expected to operate within the framework of Tolmar's Core Values:
- Center on People: We commit to support the well-being of our patients. We are committed to treating our employees and those we serve as valued partners. By placing people at the heart of our actions, we actively engage, invigorate, acquire knowledge, and grow together.
- Are Proactive & Agile: We embody a culture of engagement and action. With a hands-on approach, we fearlessly adapt to change. We anticipate, respond swiftly and efficiently to ignite a spirit that propels us towards extraordinary outcomes.
- Act Ethically: We are committed to consistently conducting our business in an ethical, compliant, and socially aware manner, in line with our purpose of positively impacting lives. We actively cultivate diversity, equity, inclusion & sustainability in our workplace.
- Constantly Improve: We are committed to a collaborative & proactive effort to improve our products, systems, processes, and services by reducing waste, increasing efficiency & improving quality.
- Are Accountable: We think, act, and communicate with honesty, transparency, and clarity in alignment with our core values. We don't compromise our values for near term gain. We take accountability & ownership of our work, actions, successes, and setbacks. We strive to deliver our best as we shape the future.
Education & Experience
- Bachelor's or Master's degree in Computer Science, Information Systems, Cybersecurity, or related discipline.
- Minimum 10 years in technology implementation, including 8+ years in enterprise application security and 5+ years in architectural design for IAM solutions.
- Strong preference for experience in the pharmaceutical, biotech, or life sciences industry, particularly with compliance frameworks such as 21 CFR Part 11, GAMP5, and Good x Practices (GxP) compliance.
- Certifications such as CISSP, CISM, CRISC, or GRC-related credentials are highly desirable.
Working Conditions
- Hybrid work flexibility with occasional travel to support audits, stakeholder meetings, or training.
- Standard office or home office environments.
Compensation and Benefits
- Pay: $170,000-$180,000, depending on experience
- Bonus eligible
- Benefits summary: https://www.tolmar.com/careers/employee-benefits
Tolmar compensation programs are focused on equitable, fair pay practices, including market-based base pay and a strong benefits package. The final compensation offered may vary from the posted range based on the selected candidate's qualifications and experience. Tolmar is an Equal Opportunity Employer. We do not discriminate on the basis of age (40 and over), color, disability, gender identity, genetic information, military or veteran status, national origin, race, religion, sex, sexual orientation, or any other applicable status protected by state or local law. It is our intention that all qualified applicants be given equal opportunity and that selection decisions are based on job-related factors.
Qualifications
Experience
10 years: Minimum 10 years in technology implementation, including 8+ years in enterprise application security and 5+ years in architectural design for IAM solutions. (required)
Equal Opportunity Employer/Protected Veterans/Individuals with Disabilities
This employer is required to notify all applicants of their rights pursuant to federal employment laws. For further information, please review the Know Your Rights notice from the Department of Labor.