Manager, IT Governance, Risk
Four Seasons Hotels and Resorts
- Toronto, Ontario, Canada
About
Four Seasons is powered by our people. We are a collective of individuals who crave to become better, to push ourselves to new heights and to treat each other as we wish to be treated in return. Our team members around the world create amazing experiences for our guests, residents, and partners through a commitment to luxury with genuine heart. We know that the best way to enable our people to deliver these exceptional guest experiences is through a world-class employee experience and company culture.
At Four Seasons, we believe in recognizing a familiar face, welcoming a new one and treating everyone we meet the way we would want to be treated ourselves. Whether you work with us, stay with us, live with us or discover with us, we believe our purpose is to create impressions that will stay with you for a lifetime. It comes from our belief that life is richer when we truly connect to the people and the world around us.
About the location:
Four Seasons Hotels and Resorts is a global, luxury hotel management company. We manage over 120 hotels and resorts and 50 private residences in 47 countries around the world and growing. Central to Four Seasons employee experience and social impact programming is the company's commitment to supporting cancer research, and the advancement of diversity, inclusion, equality and belonging at Four Seasons corporate offices and properties worldwide. At Four Seasons, we are powered by people and our culture enables everything we do.
Manager, IT Governance, Risk & Compliance (12 Month Contract)
Reporting to the Director, IT Governance, Risk & Compliance, the GRC Manager is responsible for leading governance and compliance initiatives across all properties and the home office, ensuring alignment with privacy regulations, PCI requirements, and internal policies. The ideal candidate will have experience operating in a global enterprise with complex, cross-functional dependencies, preferably within hospitality or retail PCI environments where multiple sites across different geographic regions and time zones rely on a centralized GRC team for compliance support and guidance. This includes coordinating evidence collection, managing compliance activities across distributed locations, and ensuring consistent adherence to PCI DSS controls.
The role requires strong capabilities in PCI, IT, and cybersecurity risk management, including the ability to assess, identify, track, and mitigate risks across diverse business units and operational areas. The GRC Manager should also be skilled in developing risk remediation plans, driving them to completion, and maintaining ongoing compliance across those environments. This includes leveraging GRC tooling such as ServiceNow to support workflow management, helpdesk operations, incident and request tracking, evidence collection, and dashboard reporting, as well as demonstrating strong proficiency in the Microsoft Office suite to produce clear documentation, reporting, and stakeholder communications.
The primary focus of this role is leading and maintaining PCI Home Office compliance, ensuring continuous alignment with PCI DSS requirements and internal standards. The role also encompasses managing and supporting compliance activities across properties globally, overseeing helpdesk GRC requests, onboarding new properties and teams, delivering targeted training sessions, and maintaining accurate, up‑to‑date compliance statistics and documentation.
This position provides broad exposure to current and future GRC initiatives and plays a critical role in sustaining the organization's overall IT governance, risk, and compliance posture.
This role is based in our temporary location of 20 York Mills Rd, then the Four Seasons Hotels and Resorts, Toronto Corporate Office, reporting to the Director, IT Governance, Risk & Compliance. This role involves interactions with primarily internal stakeholders at various levels.
What You'll Be Doing
Corporate Compliance Management
Lead the Corporate Office PCI compliance program, including:
Define, collect, and conduct internal reviews for the Corporate Quarterly PCI compliance cycles.
Lead the planning, evidence collection, and internal review processes for the Corporate Annual PCI assessment.
Schedule and participate in all audit-related meetings to ensure consistent communication between teams and the QSA.
Oversee remediation of audit findings and track progress to closure.
Work closely with the QSA to ensure the successful annual renewal of the company's AoC (Attestation of Compliance) and RoC (Report on Compliance) as a Level 1 service provider.
Facilitate the Corporate annual tabletop major incident response exercise with Corporate TID teams.
Maintain and update the company's IT policies, standards, and procedures; develop new documentation and RACI matrices; communicate changes to relevant stakeholders; conduct reviews as required; and deliver ongoing training to ensure organization‑wide understanding and adherence.
Global Compliance Management
Lead TID activities to ensure properties globally meet PCI compliance requirements and regulations:
Identify opportunities to streamline property global compliance workflows and implement process optimizations or automation to increase efficiency and reduce operational risk.
Lead the annual Hotel Security Assessment program and guide properties on how to comply with control requirements.
Manage HSA findings in ServiceNow and follow up with property stakeholders to ensure timely remediation.
Oversee PCI helpdesk tickets efficiently.
Onboard new properties into the compliance program and deliver PCI compliance training and follow-up status calls.
Monitor PCI compliance status across all properties and oversee the timely renewal of PCI self‑attestations.
Compile and communicate program metrics, providing the GRC Director with clear visibility into compliance trends and remediation progress.
Maintain and enhance compliance dashboards, SharePoint sites, reports, and documentation to support program oversight and decision‑making.
Change Management
Onboard new corporate teams into the Change Management program and ensure alignment with established processes.
Collaborate with stakeholders to ensure changes are properly endorsed and effectively communicated to all impacted groups.
Evaluate change requests to determine PCI significance, working closely with corporate PCI teams to ensure adherence to the internal PCI‑significant change process, documentation, and evidence collection alignment with PCI standards.
Lead and facilitate weekly CAB (Change Advisory Board) meetings, including:
Preparing weekly agenda and presentation.
Reviewing and approving change requests.
Follow up on pending change requests and ensure post‑implementation reviews and root cause analyses are documented when unplanned service disruptions or service outages occur.
Vendor Management
Support vendor selection activities by evaluating vendor capabilities, assessing risk and compliance alignment, and recommending solutions that best meet program and business needs.
Manage GRC vendor relationships to ensure solutions and services align with the company's operational and business needs.
Conduct internal reviews and manage the renewal process for GRC‑owned contracts in collaboration with vendors and the Four Seasons internal legal team.
Support GRC Director in overseeing invoice tracking and budget reconciliation for the PCI program.
Technology Management
Leverage a wide range of technologies to improve operational efficiency and strengthen compliance management, including leading GRC platforms such as RSA Archer, ServiceNow, MetricStream, Refinitiv, and OpenPages. This includes proficiency across the following functional areas:
IT Service Management:
Oversee helpdesk operations, ticketing, incident management, and IT service monitoring via dashboards.
Key features: ticketing, incident management, and real-time dashboards for service monitoring.
Internal Collaboration & Document Management:
Collaborate across teams using internal sites and updating policies, standards, and procedures.
Key features: ServiceNow GRC/IRM module, Internal SharePoint sites, and Governance Portal for content management and updates.
Compliance Management:
Support PCI compliance by managing access, providing training, and guiding properties in the proper use of the PCI self‑attestation tool to generate their Attestation of Compliance (AoC).
Security & Risk Management:
Resolve system and process issues while partnering with key stakeholders to support effective risk, compliance, and privacy governance.
Identify opportunities to optimize internal processes and pursue automation to improve efficiency across risk, compliance, and privacy workflows.
Risk Management
Identify, assess, and document cybersecurity and operational risks across systems, applications, vendors, and business processes, using established risk management practices.
Conduct regular risk analyses aligned with recognized industry frameworks (such as NIST CSF, NIST 800-30, ISO) to evaluate control effectiveness and determine overall risk exposure.
Translate technical findings into clear business impacts to support leaders and stakeholders in making informed, risk‑based decisions.
Monitor emerging threats, vulnerabilities, and regulatory requirements to proactively assess changes that may affect the organization's security or compliance posture.
Collaborate with technology and business teams to drive timely remediation of identified risks, track mitigation progress, and confirm closure through appropriate evidence.
Maintain and enhance risk registers, dashboards, and reporting mechanisms within the organization's GRC tool to support leadership reporting, governance activities, and audit readiness.
Advise teams on secure practices, policies, and control requirements to promote a strong risk‑aware culture across the organization.
Ensure risk management activities support compliance with relevant standards and regulations (e.g., PCI DSS, data protection requirements, cybersecurity frameworks).
What You Bring
Bachelor's degree or equivalent business qualifications.
Minimum 5 years of experience with PCI standard and GRC methodologies.
Information Security Certification or Accreditation is an asset.
Professional security management certifications are highly preferred (e.g., CISSP, CRISC).
PCI Compliance: Strong understanding of PCI DSS requirements and the use of compliance tools to support adherence to the standards.
Reporting & Analytics: Proficient in reporting tools for creating dashboards, analyzing program data, and generating compliance and risk reports that support leadership decision‑making.
IT Governance: Strong knowledge of governance frameworks such as COBIT and ISO 27001, applying these structures to strengthen compliance and manage risks effectively.
Ticketing & ITIL: Proficient in ITIL‑based ticketing systems such as ServiceNow to manage incidents, problems, and changes, ensuring smooth service delivery and timely issue resolution.
Risk Management: Comprehensive understanding of IT and cybersecurity risk practices, including identifying and evaluating risks and supporting remediation efforts.
Change Management: Experienced in managing and reviewing IT change requests to assess compliance and risk impact, ensuring proper approvals, documentation, and alignment with internal change governance processes.
Business Productivity Tools: Strong proficiency in the Microsoft Office suite, using these tools to develop reports, presentations, and documentation that support compliance and risk management activities, and to effectively communicate information and updates to stakeholders.
Key Skills/Who You Are
Strong attention to detail and stakeholder awareness, ensuring all work aligns with compliance standards.
Results‑focused, with disciplined execution around deadlines, documentation, and reporting.
Confident presence and professional authority, effectively guiding teams and stakeholders through compliance and risk decisions.
Analytical thinker capable of evaluating complex issues and making sound, strategic decisions.
Self‑directed, able to work independently while consistently delivering high‑quality outcomes.
Improvement‑oriented, with a mindset that seeks root causes and drives continuous enhancement.
Highly organized multitasker, effective in fast‑paced and evolving environments.
Clear communicator, able to translate technical and compliance concepts for diverse audiences.
Experienced in managing compliance activities with centralized oversight across multiple business units and sites, including reviewing evidence, identifying control gaps, and maintaining accurate documentation to support PCI, IT risk, change management, and governance requirements.
Effective at monitoring compliance performance, analyzing data, and generating clear, meaningful reports that inform decision‑making and ensure alignment with regulatory and internal standards.
Skilled in preparing clear, well‑structured technical documentation and tailoring content for both technical and non‑technical audiences.
Capable of translating complex risk, compliance, and TID control concepts into practical guidance that supports effective collaboration with stakeholders, vendors, and external partners.
Salary Range: $85,000 - $125,000
This role will follow a hybrid working model, requiring 3 days per week at our temporary 20 York Mills Road, Toronto, Ontario location, with travel as needed to the Four Seasons Corporate Office located at 1165 Leslie Street, Toronto, Ontario.
Four Seasons is committed to providing employment accommodation in accordance with the Ontario Human Rights Code and the Accessibility for Ontarians with Disabilities Act. If contacted for an employment opportunity, please advise Human Resources if you require accommodation.
Language skills
- English
Note for users
This job listing comes from a TieTalent partner platform. Click "Apply now" to submit your application directly on their website.