AVP, IT Compliance Risk and Audit

You have a clear vision of where your career can go. And we have the leadership to help you get there. At CNA, we strive to create a culture in which people know they matter and are part of something important, ensuring the abilities of all employees are used to their fullest potential. 

The AVP, Global IT Compliance, Risk and Audit role leads the execution of our technology risk strategy across globally. This senior leadership role is responsible for aligning regional risk practices with global frameworks, ensuring regulatory compliance, and driving continuous improvement in risk posture through automation, governance, and cross-functional collaboration.

Demonstrates Technology risk management, regulatory engagement, and control assurance, with a proven ability to influence and hold senior stakeholders accountable and lead through change in a complex, global environment.

JOB DESCRIPTION:

Essential Duties & Responsibilities

Performs a combination of duties in accordance with departmental guidelines:

•  Serves as the senior global authority on technology risk and compliance, representing the local regions in global risk forums and regulatory engagements. 

•  Provides and guides strategic direction to senior technology and business leaders on risk implications of technology initiatives and transformation programs. 

•  Leads the regional implementation of the global PRC (Process, Risk, Control) framework, ensuring alignment with enterprise risk appetite and regulatory expectations. Partners with the global GRC team to ensure timely and effective implementation of risk and compliance changes. 

•  Oversees regional Technology risk assessments, mitigation strategies, and risk profiling across infrastructure, applications, and business processes. 

•  Ensures adherence to cybersecurity frameworks (e.g., ISO 27001, NIST, CIS) and regulatory mandates (e.g., SOX, GDPR, OSFI, DORA). 

•  Understands changes to the regulatory landscape for the regions and communicate such changes globally, creating awareness and lead required implementation. Ensures regions identify any control gaps and collaborate with the global team to address and implement controls. 

•  Leads the continuous monitoring of technology controls and real-time reporting of deficiencies. 

•  Drives the adoption of the use of the GRC platforms (e.g., ServiceNow) within all regions to enhance visibility and operational efficiency. Drives automation of compliance workflows and control testing to reduce manual effort and increase assurance coverage. 

•  Coordinates and liaises with global team to ensure audit readiness and execution for internal and external audits, acting as the primary liaison with auditors and regulators for the regions. Ensures timely and accurate reporting on control effectiveness, remediation progress, and regulatory compliance metrics for the regions. 

•  Direct regional efforts to identify and remediate End-of-Life (EOL) and End-of-Support (EOS) technology assets.  Collaborate with global and regional infrastructure and application teams to manage lifecycle risks and reduce technical debt. 

• Domestic and international travel expectations ~20%

• May perform additional duties as assigned.

Reporting Relationship: Typically reports to VP and above

Skills, Knowledge & Abilities

• Deep knowledge of Technology risk frameworks (e.g., NIST, ISO 27001), regulatory standards (e.g., SOX, GDPR, DORA, OSFI, PIPEDA), and audit practices.

• Strong executive presence with the ability to influence and communicate effectively at all levels of the organization.

• Experience with GRC platforms (preferably ServiceNow IRM) and control automation technologies.

• Proven experience with Technology Governance and risk functions with a focus on identifying, assessing, and mitigating Technology risks within a corporate environment.

• Experience in collaborating with cross-functional teams, including Technology, security, compliance, and business units, to drive risk management initiatives

• Experience with technology process, risk and control framework

Education & Experience

• Bachelors or masters degree in information technology, Cybersecurity, Risk Management, or a related field.

• 10+ years of progressive experience in technology risk, Technology governance, or cybersecurity leadership roles.

• Demonstrated success in leading regional or global risk programs within a complex, regulated enterprise.

• Technology Risk and Compliance, Audit, or Quality certifications preferred (e.g. CISSP, CISM, CISA, CIA, CRISC, CGEIT, CIAC, ISO, etc.).

#LI-GV1

In certain jurisdictions, CNA is legally required to include a reasonable estimate of the compensation for this role. In District of Columbia, California, Colorado, Connecticut, Illinois, Maryland, Massachusetts, New York and Washington, the national base pay range for this job level is $152,000 to $242,000 annually. Salary determinations are based on various factors, including but not limited to, relevant work experience, skills, certifications and location. CNA offers a comprehensive and competitive benefits package to help our employees – and their family members – achieve their physical, financial, emotional and social wellbeing goals.  For a detailed look at CNA’s benefits, please visit cnabenefits.com.

CNA is committed to providing reasonable accommodations to qualified individuals with disabilities in the recruitment process. To request an accommodation, please contact leaveadministration@cna.com