IT Governance, Risk and Compliance (GRC) Lead

Remote
Sorry, this job was removed at 9:44 p.m. (CST) on Friday, February 18, 2022

Hims & Hers Health, Inc. (better known as Hims & Hers) is a multi-specialty telehealth platform building a virtual front door to the healthcare system. Hims & Hers connects consumers to licensed healthcare professionals, enabling people to access high-quality medical care—from wherever is most convenient—for numerous conditions related to primary care, mental health, sexual health, skincare, and more. Launched in November 2017, the platform also offers thoughtfully created and curated health and wellness products. With products and services available across all 50 states and Washington, D.C., Hims & Hers’ mission is to make it easier for all Americans to access affordable care and treatment for conditions that impact their daily lives. In January 2021, the company was listed on the NYSE at an initial valuation of $1.6 billion and is traded under the ticker symbol “HIMS”. To learn more about our brand and offerings, you can visit forhims.com and forhers.com.

The IT Governance, Risk and Compliance (GRC) Manager will be responsible for managing the Technology & Security Risk & Compliance programs. This position will focus on Technology Controls and work as part of the Information Security Team in coordinating and executing the annual audits and assessments with our external audit firm(s). The candidate will ensure appropriate technology controls are in place, key stakeholders are engaged, and senior leaders are informed, while helping the organization remain compliant with compliance and regulatory obligations and avoid events that could adversely impact our business objectives. The ideal candidate must be passionate about customers, stakeholders, and technology. Excellent interpersonal, communication, and leadership skills will be critical for success. Success depends on building rapport and credibility with multiple stakeholders across the organization to organize and drive execution.


Responsibilities:

  • Understand and apply the enterprise policies, standards and framework for governance, risk & compliance
  • Lead the IT GRC program in accordance with our compliance, regulatory, and security obligations (including but not limited to SOX, HIPAA, PCI DSS, etc.)
  • Work with different stakeholders and external auditors to maintain up-to-date documentation for scoping, testing and remediation of technology controls
  • Work with different stakeholders and external auditors to obtain and fulfill IT evidence requests as per the timelines committed
  • Validate the key controls with the stakeholders on a periodic basis to provide an early warning to management for timely correction and remediation action
  • Assess audit findings / gaps including control weaknesses in coordination with different stakeholders and assist with development of management action plans
  • Provide control consulting services to control owners and assist in redesigning the efforts that improve/automate the control environment
  • Understand the Enterprise Risk Management standard on how to identify, assess, mitigate, monitor, test and report on risks and controls required by the organization (which includes Technology & Security portfolios)
  • Partner with stakeholders to understand expectations for managing cross-functional risks and dependencies; deploy processes to comply with policy expectations which may require implementation of required controls and on-going monitoring & reporting
  • Develop and present recommendations to management based on risk and compliance impact, acting as a subject matter expert for multiple risk and compliance initiatives
  • Negotiate appropriate remediation plans for identified issues while maintaining internal and external relationships
  • Assess risk arising from third-parties, vendors and partners in our ecosystem and design controls to mitigate such risks
  • Manage overall reporting associated with Technology & Security Risk & Compliance programs


Experience & Skills:

  • 6+ years of experience in IT/Technology/Information Security Internal Audit, or ERM
  • Utilize a deep understanding of risk management methodologies, frameworks, and principles (e.g. SOX, HIPAA, COBIT, NIST, ITIL, PCI DSS, GDPR, etc.) to evaluate and recommend the best approach to mitigating risk with best-in-class controls
  • Be able to engage at all levels of the organization to organize, drive and communicate results
  • Operate in a fast-paced environment and handle a number of simultaneous projects and tasks while demonstrating urgency and ownership to drive issues to completion
  • Innovate in the dynamic workplace by designing repeatable, sustainable processes that operationalize the risk management function
  • Possess strong oral and written communication skills along with refined presentation skills and the ability to work with other departments and varying levels of management, including senior leadership
  • Have strong ability to work with minimum direction and possess a high drive for results
  • Bachelor’s degree in Computer Science, Engineering, or Information Management Systems
  • Certifications highly desired (CISA, CISM, CISSP, CRISC, etc.) 

Preferred Experience & Skills:

  • Certifications highly desired (CISA, CISM, CISSP, CRISC, etc.)
  • Consultancy experience from Big-4 audit firms


Hims is an Equal Opportunity Employer and considers applicants for employment without regard to race, color, religion, sex, orientation, national origin, age, disability, genetics or any other basis forbidden under federal, state, or local law. Hims considers all qualified applicants in accordance with the San Francisco Fair Chance Ordinance.

More Information on hims & hers
hims & hers operates in the Beauty industry. hims & hers was founded in 2017. It has 732 total employees. It offers perks and benefits such as Friends outside of work, Open door policy, OKR operational model, Team based strategic planning, Group brainstorming sessions and Pair programming.