Risk and Compliance Lead

Location: ZA

Pillar: AECI Corporate
Pay Grade: DU

This role leads and enhances the organisation’s Governance, Risk, and Compliance (GRC) and identity security capabilities by overseeing IGA, IAM, IT risk management, compliance, third‑party risk, and cybersecurity awareness. It ensures secure and compliant access across all systems, drives audit readiness and regulatory alignment, strengthens control maturity, manages identity‑related risks, and embeds a cyber‑aware culture. The role provides strategic oversight, operational coordination, and cross‑functional collaboration to improve visibility, resilience, and trust in the organisation’s digital environment.

Roles and Responsibilities

  • Coordinate access attestation cycles by generating certification reports, ensuring timely manager reviews, and maintaining a complete audit trail.
  • Define and maintain role lifecycle standards and Segregation of Duties (SoD) matrices to prevent conflicting access across systems.
  • Review RBAC and PAM audit logs to identify anomalies, policy violations, or privileged misuse, and drive remediation actions.
  • Ensure compliance with frameworks such as ISO 27001, NIST, POPIA, and GDPR by monitoring control effectiveness and closing identified gaps.
  • Monitor adherence to security policies, track violations, investigate issues, and drive corrective and preventive actions.
  • Oversee IAM operations, ensuring effective RBAC and PAM controls, and lead periodic access reviews to confirm ongoing access appropriateness.
  • Manage user identity lifecycles—provisioning, changes, and deprovisioning—while enforcing least‑privilege and timely access adjustments.
  • Prepare audit evidence, documentation, and control demonstrations to support internal, external, and regulatory audits.
  • Report on identity and access‑related risks, providing actionable insights and recommendations to senior leadership for informed decision‑making.

Qualifications & Experience

    • Bachelor’s degree in Information Systems, Computer Science, Cybersecurity, or a related technical or business discipline.
    • A postgraduate qualification is advantageous.
    • Professional certifications in risk, compliance, identity governance, and information security, including at least one of the following:
        • Certified Information Systems Auditor (CISA) – for audit, controls, and risk governance
        • Microsoft Certifications relevant to identity, compliance, and data governance:
            • SC-900: Microsoft Security, Compliance, and Identity Fundamentals
            • SC-300: Microsoft Identity and Access Administrator – for IAM, RBAC, and privileged access oversight
            • SC-400: Microsoft Information Protection Administrator – for data classification, DLP, and compliance tooling in Microsoft Purview
    • Proven experience designing, implementing, and maintaining compliance with international standards and frameworks, including ISO/IEC 27001, NIST CSF, COBIT, POPIA, GDPR, and PCI-DSS.
    • Hands-on leadership of Identity Governance and Administration (IGA) and Identity and Access Management (IAM) programs, including role-based access control (RBAC).
    • Exposure to enterprise IT environments, including identity integration with ERP platforms such as SAP, and the ability to design and align technical access controls to compliance and SoD requirements.
    • Experience in the development and enforcement of security policies and standards, including tracking policy violations, root cause analysis, and reporting to executive stakeholders and governance forums.

Key Competencies

  • High attention to detail and accuracy, particularly in access certification, compliance reporting, and audit documentation.
  • Unwavering integrity and ethical conduct in managing confidential data, risk decisions, and security controls.
  • Analytical and systems-oriented thinking, with the ability to prioritise risk, interpret audit findings, and recommend structured control improvements.
  • Proactive, collaborative, and solutions-driven mindset, capable of working across multidisciplinary teams and influencing without direct authority.
  • Strong leadership presence and communication skills, with the ability to confidently engage executive stakeholders, articulate risk implications, and lead behavioural change.
  • Adaptability and resilience in fast-paced, dynamic environments, with the ability to respond to emerging threats, audit findings, and regulatory changes.

AECI respects your right to privacy. Please review our privacy policy at https://investor.aeciworld.com/governance

Requisition ID: 974