About The Opportunity
As part of an ongoing fractional HR partnership, One People Team (OPT) is working alongside a growing organisation in Malaysia that is scaling its technology, risk, and governance capabilities.
The organisation operates mission-critical systems that power financial transactions and payment infrastructure across the ecosystem. As it continues to expand, there is a need to strengthen governance, risk, compliance, and information security practices to support sustainable and compliant growth.
This role offers the opportunity to shape and lead GRC capabilities in a high-impact, regulated environment, working closely with engineering and business teams to embed risk and security into how systems are designed, built, and operated.
About the Role
You will lead the day-to-day management of the organisation’s governance, risk, compliance, and information security frameworks, while helping shape how these capabilities evolve over the next 3–5 years.
This is a “player-coach” leadership role: you will develop a team of specialists while remaining hands-on in key risk, security, and compliance decisions, engaging credibly with engineering teams on technical risk and security trade-offs.
Working closely with engineering, product, and leadership teams, you will ensure that risk management and compliance are embedded into design, build, and run — influencing decisions early rather than validating them after the fact.
You will strengthen governance maturity by operationalising the Three Lines of Defense (3LoD), clarifying decision rights and escalation paths, and ensuring clear accountability for risk ownership, oversight, and assurance.
You are expected to bring strong cybersecurity judgment — not to operate security systems directly, but to shape security decisions, challenge technical assumptions, and ensure security considerations are embedded into architecture and operations.
Why This Role Matters
The organisation builds and operates technology that supports banking and payment systems across Malaysia. Trust, security, regulatory integrity, and strong governance are fundamental to the platforms that power financial transactions.
This role is critical in shaping and leading both the strategic direction and day-to-day execution of GRC practices that safeguard the organisation’s technology platforms. You will act as the bridge between regulatory expectations, enterprise governance, and operational execution — ensuring systems scale responsibly while maintaining the trust of financial institutions and regulators.
Key Responsibilities
Risk Management & Governance Execution
- Lead the implementation and management of the enterprise risk management framework at the operational level.
- Maintain the enterprise risk register, ensuring risks are systematically identified and mitigated across technology and business functions.
- Operationalise the Three Lines of Defense, ensuring strong alignment between first and second line functions.
Regulatory Compliance & Audit Leadership
- Lead internal and external audits, including PCI-DSS and regulatory assessments, managing end-to-end evidence collection and remediation.
- Act as Subject Matter Expert (SME) for payment security standards, including cryptographic key management and secure data handling.
- Monitor regulatory developments (e.g., BNM, MAS) and translate requirements into actionable policies and controls.
Information Security & Data Governance
- Support the development of ISMS and ensure security-by-design principles are embedded into the product development lifecycle.
- Manage cross-border data transfer controls and ensure compliance with regional data privacy regulations (e.g., PDPA).
- Oversee cybersecurity risk assessments and security control monitoring.
Resilience & Team Leadership
- Coordinate BCP/DR drills to ensure operational resilience of systems and infrastructure.
- Lead and mentor the Risk & Compliance team, setting clear priorities aligned with business objectives.
- Support vendor governance and third-party risk management.
Key Requirements
Education & Experience
- Bachelor’s or Master’s degree in Information Security, Computer Science, or Risk Management.
- 8–10 years of experience in risk management, regulatory compliance, or information security.
- Proven experience in highly regulated environments (FinTech, Digital Payments, or Banking).
- At least 3 years of experience leading or mentoring a team.
Technical Expertise
- Strong familiarity with regulatory frameworks: BNM RMiT, PCI-DSS, PDPA, AMLA / AML-CFT.
- Experience implementing or managing enterprise GRC frameworks and the Three Lines of Defense model.
- Strong understanding of ISMS (ISO 27001), ISO 9001, and BCP/DR lifecycle management.
- Experience leading audits and managing remediation across technical teams.
Preferred / Good-to-Have
- Professional certifications such as CISM, CISSP, CISA, or CDPM.
- Exposure to PCI 3DS and cryptographic key management.
- Experience engaging with regulators across Southeast Asia (e.g., BNM, MAS, OJK).
Technical Scope
- Regulatory: BNM RMiT • AMLA / AML-CFT • PCI-DSS • PCI 3DS • PDPA.
- Governance: Enterprise GRC • 3LoD • ISMS • ITGC • ISO 27001 • SOC 2 • ISO 9001.
- Resilience: BCP/DRP • Incident Management • Key Management Oversight.
Expected Outcome from this Role
- Ensure continuous compliance of platforms with BNM RMiT, PCI‑DSS, PDPA, AMLA/AML‑CFT and other applicable standards.
- Establish data‑driven GRC practices that give leadership clear, actionable insights into risk exposure, control effectiveness and readiness.
- Own the audit lifecycle, leading regulatory engagements and certifications while ensuring zero “surprises” through proactive remediation and governance reporting.
- Drive operational resilience by ensuring BCP/DRP, incident governance and key management frameworks are technically robust, regularly tested and reported at governance forums.
- Cultivate a security‑first, compliance‑by‑design culture, translating complex regulatory and governance requirements into practical habits for engineering and business teams.
About the Company
One People Team Sdn Bhd
One People Team (OPT) is an HR advisory and leadership development company that partners with businesses to help them grow their people and business.
OPT has two business pillars:
- OPT Advisory: strategic HR business partnering and fractional HR services
- OPT Academy: leadership development, learning programs and team building
We work closely with startups, scale-ups, and family-owned businesses across Malaysia and Southeast Asia. Our clients come to us not just for advice, but for real partnership. We care about their growth like it’s our own.
At OPT, we don’t do checklist HR. We believe in honest conversations, bold strategies, and building strong, healthy teams that drive real business outcomes.