Director of Governance, Risk, & Compliance

Responsibilities:

• Define and execute the enterprise-wide GRC strategy in alignment with WHOOP business objectives, risk appetite, and evolving regulatory landscape, driving implementation across policies, processes, tooling, and metrics
• Lead, grow, and mentor a high-performing GRC team, establishing clear operating rhythms, ownership models, and performance expectations while fostering a culture of accountability and  continuous improvement
• Oversee compliance programs across key frameworks including SOC 2, ISO 27001, HIPAA, GDPR, and emerging health data regulations
• Establish and maintain the enterprise risk management program, including risk identification, quantification, mitigation, and reporting to executive leadership and the board
•  Own the third-party risk management program, ensuring vendors and partners meet WHOOP’s security and compliance requirements
• Lead and evolve governance for responsible AI use, including risk assessment, vendor oversight, regulatory alignment, and policy development in coordination with Product, Legal, and Engineering
• Partner with Legal, Product, Engineering, and Privacy teams to ensure regulatory requirements are embedded into product development and business processes
•  Lead engagement with external auditors, regulators, and certification bodies
• Translate strategic objectives into operational controls and program enhancements, personally driving key initiatives as the function continues to scale
•  Develop and present risk and compliance reporting to the C-suite, delivering clear, business-aligned risk insights
•  Drive policy governance, ensuring security and compliance policies are current, enforceable, and aligned with industry best practices
• Champion a culture of security awareness and compliance across the organization

Qualifications:

• 10+ years of progressive experience in GRC, information security, risk management, or compliance, with at least 5 years in a leadership role

• Proven track record of scaling and maturing GRC programs in high-growth technology or health-tech companies

• Deep expertise across multiple compliance frameworks (SOC 2, ISO 27001, HIPAA, GDPR, NIST CSF, PCI-DSS) with familiarity in emerging AI governance and regulatory standards

• Strong understanding of cloud security architectures (AWS preferred) and their implications for compliance and risk

• Experience evaluating AI/ML risk, data governance implications, or responsible AI frameworks in regulated environments

• Experience presenting risk posture and compliance metrics to executive leadership and board-level audiences

• Exceptional leadership skills with a demonstrated ability to attract, develop, and retain top GRC talent

• Strong business acumen with the ability to translate technical risk into business terms

• Relevant certifications preferred (CISSP, CISM, CRISC, CISA, or equivalent)