Senior Manager, Governance, Risk, & Compliance (GRC)

At WHOOP, we're on a mission to unlock human performance. WHOOP empowers members to perform at a higher level through a deeper understanding of their bodies and daily lives. 

WHOOP is seeking a strategic and execution-oriented Senior Manager of Governance, Risk and Compliance to lead the next phase of the GRC program in a fast-paced, high-growth environment. This role will lead both the design and hands-on execution of the GRC function. Initially, this includes building structure, implementing tools, and guiding day-to-day activities while laying the foundation to scale team capabilities and delegate ownership over time. The ideal candidate will partner across Legal, Security, Product, and other teams to ensure alignment with regulatory frameworks, reduce enterprise risk, and strengthen operational resilience.

Responsibilities:

• Lead the development, implementation, and evolution of a comprehensive governance, risk, and compliance program aligned with standards such as ISO 27001, SOC2, GDPR, and other global regulatory expectations
• Own the enterprise risk register, delivering ongoing visibility, prioritization, and executive-level reporting across key risk domains
• Drive the third-party risk management lifecycle, overseeing vendor risk assessments and due diligence in partnership with Legal, IT, and Security
• Oversee the development and lifecycle of scalable policies, standards, and training programs that promote security awareness and strengthen organizational compliance
• Serve as the lead point of contact for internal and external audits and assessments, managing evidence workflows and driving remediation to completion
• Identify, implement, and improve GRC tools, processes, and metrics to support program scale, transparency, and accountability
• Support incident response processes by ensuring regulatory alignment, breach documentation, and post-incident reviews are conducted and integrated into risk and compliance programs
• Lead by doing - execute critical GRC workstreams directly while scaling team capabilities, maturing processes, and transitioning ownership to analysts over time
• Manage and mentor GRC analysts, balancing direct execution with team enablement as the program grows

Qualifications:

• 6+ years of experience in GRC, information security, audit, or compliance roles, preferably in health tech, SaaS, or regulated environments
• Deep understanding of regulations and standards including GDPR, ISO 27001, SOC 2, and NIST CSF
• Experience managing organizational risk registers and applying risk-informed decision-making
• Proven ability to lead third-party risk management in collaboration with internal stakeholders
• Familiarity with audit workflows, evidence collection, and control testing in fast-paced or audit-intensive environments
• Experience managing or mentoring compliance, audit, or GRC professionals
• Relevant certifications such as CISA, CISSP, CIPP/E, CRISC, ISO Lead Auditor, HITRUST CCSFP, or PMP are a plus
• Proven ability to build scalable, process-driven programs in high-growth or rapidly evolving environments
• Highly organized and detail-oriented, with strong project execution and prioritization skills across competing deadlines
• Demonstrated accountability to metrics, data-driven reporting, and outcome-based program management
• Strong commitment to embracing and leveraging AI tools in day-to-day tasks, ensuring AI-assisted work aligns with the same high-quality standards as personal contributions, with awareness of emerging governance and ethical considerations such as data privacy and model transparency

Interested in the role, but don’t meet every qualification? We encourage you to still apply! At WHOOP, we believe there is much more to a candidate than what is written on paper, and we value character as much as experience. As we continue to build a diverse and inclusive environment, we encourage anyone who is interested in this role to apply.

WHOOP is an Equal Opportunity Employer and participates in E-verify to determine employment eligibility.  It is unlawful in Massachusetts to require or administer a lie detector test as a condition of employment or continued employment. An employer who violates this law shall be subject to criminal penalties and civil liability.