Information Risk and Privacy Manager
Job Description
It is truly rewarding to be part of an organization where individuals sincerely BELIEVE in their roles! This position is responsible for supporting and implementing the strategic vision and roadmap to enhance IT Governance, Risk, and Compliance, in line with the broader Pick n Pay Information Security Charter and essential Information Security principles. This includes leading, executing, and assisting with programs aimed at implementing the relevant policies, frameworks, structures, processes, controls, and technologies. Furthermore, it involves managing and executing various risk management and control improvement activities to support our business and Information and Technology Services. This role also requires ensuring compliance with applicable external and internal requirements, laws, and regulations. Additionally, it includes promoting and facilitating adherence to relevant frameworks and processes for the ongoing management of IT GRC activities.
Key Qualifications:
- Relevant professional certifications such as CRISC, CISA, CISM, and/or CGEIT (or equivalent)
- At least 5 years of professional experience in the GRC field
- Knowledge of relevant frameworks, guidelines, and standards (particularly NIST CSF and PCI-DSS)
- Understanding of pertinent regulatory requirements and standards such as PCI, POPI, KING, EMV, etc.
- Experience with conducting PCI-DSS Assessments
- Solid understanding of IT Governance, Information Security, Privacy, IT Risk, and Internal/External Audit concepts
- Experience within a multi-vendor and outsourced IT environment (preferred)
IT Governance Responsibilities:
- Uphold the overarching GRC Framework that aligns with the Info-Risk, Security, and Privacy control frameworks, driven by the overall GRC and Information Security strategies.
- Develop and maintain a consistent dialogue with senior management and executives to ensure that GRC risks are clearly understood and communicated to relevant stakeholders.
- Create, review, and assist in implementing relevant frameworks, policies, standards, and guidelines, as well as key security and privacy controls, ensuring alignment with supporting IT operational processes.
- Collaborate with Internal/External Audit and Regulatory Reviews to ensure high-quality outcomes, with actionable management comments agreed upon following such reviews.
- Benchmark and enhance the IT control environment according to industry best practices to achieve agreed maturity levels.
- Establish and oversee procedures to ensure that IT operations are monitored for compliance with applicable policies.
- Develop, manage, and support the reporting of Key Risk Indicators (KRIs) for each IT Head of Department concerning information risk, security, privacy, and compliance matters.
- Provide support and participate in business impact analyses to strengthen the IT Business Continuity and Disaster Recovery Plans, aligning with the organization’s overall Business Continuity initiatives.
- Actively advocate for the importance and value of robust Governance, Risk, and Security practices, fostering a risk-aware culture, and supporting the corporate-wide User Awareness campaign, including developing relevant training materials.
- Serve as a trusted advisor to both business and IT regarding technology and information-related decisions.
- Engage and contribute in various forums (such as regular Management meetings, Information Security and Risk forums, etc.) to support oversight of operational control effectiveness and facilitate ongoing enhancement of key control measures and practices.
- Drive operational process and performance improvements to reduce the cost of failure or rework.
- Advance and deliver Management Information Systems reporting tailored to the relevant audience (both IT and business-related).
- Stay updated on GRC, Information Security, and Privacy best practices, including the evaluation of relevant emerging technologies, opportunities, and threats.
- Assist Pick n Pay subsidiaries as needed through training, consultative advice, and sharing of materials.
- Provide Subject Matter Expert support for projects and routine activities, particularly focusing on IT Governance, Information Risk, Information Security, Privacy, and Compliance issues.
Information Risk Management Responsibilities:
- Enhance the overall Information Risk Framework to generate value for both IT and the business.
- Identify risk tolerance levels and risk appetite based on expectations from IT and the business.
- Conduct and oversee a series of internal risk assessments based on potential risk exposures within the IT landscape.
- Perform an annual review of current and future risk scenarios (per IT division) in relation to the existing IT risk appetite, ensuring this is translated into applicable roadmaps for the upcoming financial year.
- Monitor high-impact risk exposures against allocated budget, projects, and/or routine activities to address prioritized risk exposures on a bi-annual basis.
- Design, implement, and oversee control remediation according to a prioritized, risk-based approach (whether project-oriented or routine) in collaboration with business and IT management.
- Support business and/or risk owners in mitigating threats and/or exposures.
- Manage and enhance the IT Risk Register (SharePoint) and Risk Dashboard (Power BI) to improve the management and reporting of IT-related risk exposures (including audit findings).
- Coordinate regular reviews of controls.
- Sustain third-party risk management practices, including managing the Data/Information Asset Management process and engaging with risk owners alongside Legal and/or Corporate Procurement.
- Advocate for security-by-design and privacy-by-design principles, particularly within the project management domain.
- Coordinate the collection of IT input in support of the group's cyber insurance, in collaboration with Investor Relations.
Information Security Management Responsibilities:
- Maintain the Information Security Management System (ISMS) with a focus on data protection across the group, governing all business units.
- Ensure compliance with the NIST Cybersecurity Framework by evaluating current practices against established security requirements.
- Oversee the information policies’ exemption process in conjunction with the relevant IT Heads of Department.
- Actively promote the significance and value of effective Information Security Practices.
- Support the development and monitoring of the implementation of the annual Cyber Security Plan and Roadmap to ensure the effectiveness of security controls in support of a sustainable and measurable information security initiative.
- Collaborate with IT and Information Security leadership, security architecture, capacity leads of functional areas, and operational security to ensure adequate security solutions are integrated across all systems and platforms to effectively mitigate identified risks and meet business objectives and regulatory requirements.
- Encourage security awareness and training while managing the Learning Management System (LMS).
- Coordinate an annual security incident response simulation related to the current or new playbook, ensuring that roles and responsibilities are clear and identifying any areas for process and/or control improvement.
- Keep the Incident Response Plan updated in alignment with changes in business, risk, technology, and personnel.
- Coordinate the investigation of significant (high impact) security incidents or control failures, conduct root cause analyses, and ensure that effective improvement actions are defined, assigned ownership, and implemented to reduce the likelihood of similar incidents occurring in the future.
- Support and manage the annual PCI-DSS re-certification process, including the transition to v4 compliance.
- Assist with threat and vulnerability management as well as annual and ad-hoc penetration testing to ensure that identified vulnerabilities are addressed through the risk management process.
Competencies:
- Strong interpersonal skills for engaging senior stakeholders, business owners, and the risk community.
- A collaborative and business-enabling mindset (not solely compliance or audit-focused).
- Excellent written and verbal communication skills, including the ability to convey technical concepts to both technical and non-technical audiences.
- Advanced analytical and problem-solving abilities, with the capacity to derive practical solutions to complex issues.
- Ability to work independently as well as collaboratively within a team to produce quality work products in a timely manner within a fast-paced environment.
- Capability to maintain strict confidentiality.
- A strong desire to learn and improve, with the ability to quickly adapt personal paradigms and ideas when new options or opportunities arise.
- A deep passion for the mission and vision of the Pick n Pay business, our customers, and employees.
If you thrive in a rapidly expanding environment and enjoy working alongside passionate, high-performing individuals, you will discover a fulfilling career with us!
Discover Who We Are: At Pick n Pay, we are more than just a retail organization; we are a collective of dedicated individuals striving to provide an exceptional shopping experience for our customers while fostering a vibrant, enriching workplace for our employees. Founded in 1967, Pick n Pay is one of the largest retail chains in South Africa, serving millions of customers across the African continent. Our reputation is built on our commitment to delivering the best quality and value to our customers.
Our Mission: We serve with our hearts to create a great place to be, and with our minds, we design an excellent shopping experience.
Our Values: Our values are deeply embedded in our culture and guide our actions:
- Passion for Our Customers: We are committed to our customers and will advocate for their rights. Their satisfaction is our success.
- Respect and Care: We treat each other with kindness and understanding, valuing the diversity of our team.
- Personal Growth and Opportunity: We encourage personal development and offer opportunities for learning and advancement.
- Leadership and Innovation: We promote leadership and reward innovative thinking, nurturing our employees to be leaders in their roles.
- Honesty and Integrity: We uphold honesty and integrity, ensuring transparency and trustworthiness in all interactions.
- Community Support: We believe in making a positive impact and giving back to our communities.
- Individual Responsibility: We take accountability for our actions and decisions.
- Accountability: We hold ourselves accountable for fulfilling our commitments to our customers, colleagues, and our business.
Why Choose Pick n Pay? At Pick n Pay, our strength is rooted in our people. We aspire to be the employer of choice, attracting and retaining the best talent in the industry. We foster a work environment that encourages growth, celebrates achievements, and values individual contributions. Here, your work will be meaningful, recognized, and rewarded. Experience the fulfillment of being part of Pick n Pay. Together, let’s shape the future of retail in Africa. Explore our career opportunities.
Required Qualifications
Diploma