IT Governance, Risk & Compliance Manager

OTHERS
Malaysia

Mid Senior level


About the Company:

CapBay operates an award-winning Supply Chain Finance and Peer-to-Peer (P2P) Financing platform. We facilitate inclusive business financing, using existing trade data and relationships. Through our proprietary credit-decisioning model, businesses of all sizes can obtain short-term financing while banks and investors can participate in high-quality financing deals. You can find out more about us at www.capbay.com

About The Role:

The IT GRC Manager is a hybrid role combining IT risk management with broader governance, risk, and compliance responsibilities. This role is suited to a hands-on practitioner who can operate across the full GRC lifecycle — from policy and framework development, to risk assessment, control testing, regulatory compliance, and audit coordination.

Key Responsibilities:

In this role, you will be expected to:

1. Governance & Frameworks

  • Develop, maintain, and operationalise the GRC framework, including policies, standards, and procedures across IT, information security, and broader operational risk domains.
  • Ensure governance documentation is current, version-controlled, and aligned with relevant regulatory and industry standards (e.g., Securities Commission’s GTRM, ISO 27001, NIST CSF, PDPA).
  • Drive adoption of policies through training, communication, and stakeholder engagement.

2. IT & Operational Risk Management

  • Maintain the enterprise and IT risk registers; facilitate risk identification, assessment, treatment, and monitoring across business and technology functions.
  • Conduct periodic risk assessments covering infrastructure, applications, cloud services, data, and third parties.
  • Define and track KRIs and risk appetite metrics; report on trends, emerging risks, and control effectiveness.
  • Support business units in performing risk and control self-assessments (RCSA).

3. Compliance

  • Track applicable regulatory obligations and ensure controls are in place to meet them (e.g., data protection, financial services regulations, anti-fraud, business continuity).
  • Monitor regulatory developments and assess impact on the organization; coordinate gap assessments and remediation.
  • Manage compliance attestations, regulatory submissions, and responses to regulator queries where applicable.

4. Controls & Audit

  • Design, document, and test IT general controls (ITGCs), application controls, and key process controls.
  • Coordinate internal and external audits, including PBC list preparation, walkthroughs, evidence gathering, and management responses.
  • Track audit findings and remediation through to closure; report status to management and governance forums.

5. Third-Party Risk

  • Run vendor risk assessments and due diligence, particularly for critical, data-sensitive, or outsourced services.
  • Maintain a vendor risk inventory and ensure ongoing monitoring of key suppliers.

6. Incident, Issue & BCM Support

  • Support investigation, root cause analysis, and lessons learned for IT, security, and operational incidents.
  • Contribute to business continuity and disaster recovery planning, testing, and reporting.

7. Reporting & Stakeholder Engagement

  • Produce concise, decision-useful reports for senior management, Risk Committee, and the Board.
  • Act as a trusted advisor to IT, business, and project teams on risk, control, and compliance matters.
  • Promote a pragmatic, business-aware risk culture.

Key Qualifications & Requirements:

We are looking for someone with:

  • Bachelor's degree in Information Technology, Computer Science, Risk Management, Business Administration, Finance, or a related field.
  • 3–7 years of combined experience across IT risk, IT audit, information security, compliance, or GRC roles.
  • Solid working knowledge of ITGCs, information security principles, and at least one major GRC framework (ISO 27001, NIST CSF, COBIT).
  • Hands-on experience running risk assessments, control testing, and audit coordination.
  • Ability to operate independently in a lean environment — comfortable owning processes end-to-end with minimal supervision.
  • Strong written and verbal communication; able to translate technical and regulatory complexity into clear business language.
  • Professional certifications such as CRISC, CISA, CISM, CISSP, ISO 27001 LA/LI, or CCEP would be a plus.
  • Experience in financial services or another regulated industry (BNM, MAS, or equivalent jurisdiction) is an advantage.
  • Familiarity with GRC tools (Archer, ServiceNow GRC, OneTrust, Vanta) and cloud platforms (Alicloud, AWS, Azure, GCP).
  • Exposure to data privacy regimes (PDPA, GDPR) and third-party / outsourcing risk frameworks.

Our Achievements 🏆

  • Top 200 Global Fintech Companies – CNBC
  • EY Emerging Entrepreneur Of The Year
  • Fintech Start-up of the Year Malaysia – The Asset's Triple A Digital Awards
  • Best Fintech for Plug & Play Tech Center
  • Best FinTech Platform for Supply Chain Finance – The Asian Banker
  • Finalist at Global FinTech Hackcelerator and featured at Singapore Fintech Festival

Apply now and be part of CapBay’s growth story! 🚀

