
Manager, IT Risk & Compliance

Why Join Intellia? 

Our mission is to develop curative genome editing treatments that can positively transform the lives of people living with severe and life-threatening diseases. 

Beyond our science, we live our four core values: One, Explore, Disrupt, Deliver and feel strongly that you can achieve more at Intellia. We have a single-minded determination to excel and succeed together. We believe in the power of curiosity and pushing boundaries. We welcome challenging thoughts and imagination to develop innovative solutions. And we know that patients are counting on us to make the promise a reality, so we must maintain high standards and get it done. 

We want all of our people to go beyond what is possible. We aren’t constrained by typical end rails, and we aren’t out to just “treat” people. We’re all in this for something more. We’re driven to cure and motivated for change. Just imagine the possibilities of what we can do together.   

How You Will Achieve More:

The Manager, IT Risk & Compliance, is a key leadership role within the IT organization, responsible for safeguarding information assets and ensuring sustained compliance as the company matures into a public, commercial entity. Reporting to the Sr. Director of GRC, you will act as a strategic bridge between technical IT operations and corporate governance. You will lead the IT Risk Management program with a primary focus on Third-Party Risk Management (TPRM), SOX ITGC compliance, and ISO framework alignment.

This role owns the full lifecycle of supplier risk assessments—with a critical emphasis on high-stakes biotech partners such as CROs and CDMOs—and serves as the primary IT liaison for external auditors. You will partner closely with Finance, Legal, Quality (GxP), Clinical and Commercial stakeholders to embed a unified, risk-aware culture across the organization.

Responsibilities:

Third-Party Risk Management (TPRM):

  • Oversee the security risk lifecycle for all IT suppliers and applications (SaaS, On-Prem, Clinical and Commercial systems). Evaluate security attestations (SOC2, ISO 27001), credentials, and evidence to report on the overall risk posture of the supply chain.

Sustained Compliance (SOX/ISO):

  • Lead the continuous monitoring of IT General Controls (ITGCs) to ensure SOX 404 readiness and ongoing compliance. Partner with Finance, Legal and IT to map controls across ISO and regulatory frameworks, minimizing redundant testing.

Audit Management & Execution:

  • Serve as the primary lead and point of contact for external and internal IT audit cycles (e.g., Year-end SOX testing). Manage the collection of evidence, coordinate walkthroughs, and ensure timely remediation of any identified deficiencies.

Data Privacy Liaison:

  • Partner with Legal and Clinical teams to ensure IT systems and third-party vendors comply with global data privacy regulations (GDPR, CCPA/CPRA, HIPAA). Conduct Privacy Impact Assessments (PIAs) for new systems handling sensitive patient or employee data.

Risk Assessment & Remediation:

  • Perform IT Risk Assessments to identify and remediate threats within internal systems and 3rd-party ecosystems. Maintain the IT Risk Register and track mitigation strategies to completion.

Policy & Governance:

  • Develop and maintain Information Security policies, standards, and Standard Operating Procedures (SOPs) to ensure consistency in IT service delivery, commercial readiness and audit-readiness.

Cross-Functional Collaboration:

  • Act as the primary IT GRC liaison to the Quality Management team. Coordinate integrated risk reporting to ensure IT security vetting (ISO/SOC2) complements clinical/GxP quality auditing.

About You:

  • Risk-to-Business Translation: Exceptional ability to synthesize complex IT, Privacy, and TPRM risks into clear, metrics-based insights that drive informed executive decision-making.
  • Cross-Functional Change Management: A "hands-on" leader capable of building consensus across Clinical, Quality, Legal, Finance and Commercial to drive the cultural shift from R&D to a disciplined, public-company environment.
  • Scalable Control Design: Skill in designing "right-sized" ITGC and Privacy controls that meet SOX/ISO/GDPR standards without hindering the speed of a scaling biotech firm.
  • Audit Defensibility & Rigor: High level of discipline in documentation and evidence collection, ensuring all GRC workflows and vendor assessments are robust enough to withstand external audit.
  • Conflict Resolution & Negotiation: Proven success in resolving cross-functional friction and negotiating security remediation plans with critical third-party partners.
  • Educational Foundation: Bachelor’s degree in Information Systems, Computer Science, or a related field. Master’s degree is preferred.
  • Core Certifications: CISA, CRISC, CTPRP, or CISM strongly preferred.
  • Note: Candidates without a core certification must be willing to obtain one within 9–12 months of hire.
  • Industry Knowledge (Preferred): Understanding of Life Sciences regulations (GxP, 21 CFR Part 11) or Privacy frameworks (GDPR/CCPA) is highly desirable.
  • Professional Foundation: 4–6 years in IT Risk, Audit, or Compliance; minimum 3 years specifically focused on Information Security domains.
  • Public Company & Scaling Expertise: Direct experience implementing or maturing SOX (ITGC) and ISO 27001 frameworks in a regulated environment (Biotech/Life Sciences preferred).
  • Stakeholder & Audit Management: Proven track record of serving as a primary liaison for internal/external auditors and collaborating with cross-functional partners (Legal, Quality, Finance).
  • Technical Stack: Proficiency with GRC systems (e.g., OneTrust, ServiceNow) and security rating tools (e.g., BitSight, Black Kite).
  • Continuous Monitoring: Experience integrating tools like CrowdStrike into a holistic vendor risk lifecycle.
  • Stationary Work: Ability to remain in a stationary position for extended periods while operating a computer and standard office equipment.
  • High-Volume Communication: Must be able to frequently exchange complex, accurate information with internal stakeholders and external auditors.
  • Analytical Focus: Requires sustained mental concentration to analyze risk data and interpret evolving regulatory requirements.
  • Travel: Minimal travel required (less than 10%), primarily for occasional on-site vendor audits or team offsites.


EEOC Statement: Intellia believes in a diverse environment, and is committed to equal employment opportunity for all its employees and qualified applicants. We do not discriminate in recruitment, hiring, training, promotion or any other employment practices for reasons of race, color, religion, gender, national origin, age, sexual orientation, marital or veteran status, disability, or any other legally protected status. Intellia will make reasonable accommodations for qualified individuals with known disabilities, in accordance with applicable law.

Applications are accepted on a rolling basis and will continue to be accepted until the position is filled, at which point the position will be taken down.

The base salary for this position is expected to range between $146,700.00 - $179,300.00 USD per year.

The salary offered is determined based on a range of factors including, but not limited to, relevant education and training, overall related experience, specialized, rare or in-demand skill sets, internal comparators and other business needs. Upon joining Intellia, your salary will be reviewed periodically and additional factors such as time in role and performance will be considered. Intellia may change the published salary range based on company and market factors.

Additional compensation includes a performance-based annual cash bonus, a new hire equity grant, and eligibility to be considered for annual equity awards, the value of which is determined annually at the Company’s discretion.

For more information about Intellia’s benefits, please click here.

Employment type: Full-time, remote

Date posted: April 18, 2026