Title:  IT/OT Third Party Risk Management Leader

Graphic Packaging International, LLC (GPI) fosters a culture that protects, preserves, and enhances our reputation. The GPI IT Compliance team is seeking an experienced professional to oversee and manage various tasks related to GPI’s IT/OT Third Party Risk Management practices and technologies.

This role will encompass Third Party Risk practices being deployed to manufacturing facilities with the intent to minimize GPI’s risk exposure related to third parties in the GPI ecosystem.  This position is responsible for deploying risk management practices to the IT/OT footprint at GPI, and to provide leadership with transparency into GPI's risk exposure for both IT and OT respectively specific to third parties.  This role involves establishing new processes with focus on Industrial Control Systems, MES systems and all OT systems in use at GPI manufacturing facilities (plants and mill locations) across the globe.

Lead, IT/OT - Third Party Risk Management is expected to:

• Coordinate with external providers and internal technology teams regarding platform development, enhancements, integration and issue resolution
• Liaise with global risk and compliance groups and OT engineers and leaders related to due diligence matters and system requests or changes
• Collaborate across IT and manufacturing facilities with cross functional teams to escalate and resolve issues and risks identified and tracked
• Represent the IT Compliance Office with business teams, partners, and other GPI stakeholders, and with external third parties
• Identify key performance indicators to be used for management reporting at GPI
• Manage reporting and analyzing metrics for key performance indicators identified for GPI
• Identify risks, exceptions to policy or standards and other risk related issues for tracking and reporting or escalations to leadership
• Define and oversee processes and standards of operation performed by global IT/OT resources

Responsibilities

• Gain comprehensive knowledge and understanding of relevant policies, guidelines and compliance program elements which will be deployed to IT/OT processes to achieve risk minimization objectives
• Manage and perform monitoring activities on the IT/OT TPRM program activities, including use of the IT Risk Management and Third Party Risk Management modules within the GPI GRC system (OneTrust)
• Perform data analysis for ongoing monitoring of control violations, risk assessment activities, and reporting to management and senior leaders on key performance indicators on a recurring cadence
• Effectively interpret and document testing and monitoring results and develop recommendations for improvements and enhancements to reduce GPI risk profile for OT systems
• Utilize and develop data analytics capabilities to evaluate and improve third party management decisions, mitigation planning of obsolete technologies, and identifying reporting mechanisms to be leveraged for same
• Identify operational risks for OT third parties that need to be raised to leadership for remediation and risk reduction workstreams
• Oversee training of IT and OT TPRM team members, risk & compliance groups and GPI stakeholders on TPRM practices adopted and deployed at GPI
• Monitor, report and track compliance with policies and practices, including system security and access controls for OT systems and respective third parties
• Collaborate with cross functional engineers, leaders, colleagues, and global partners to achieve alignment on goals and objectives associated with risk reduction workstreams
• Effectively communicate with peers, managers, senior managers, and executive leaders cross functionally as a trusted subject matter expert and advisor for TPRM practices
• Recommend and implement process improvements to meet IT/OT Convergence TPRM, risk & compliance goals on an annual basis.
• Provide system and process training and support to the global IT organization and OT engineers and leaders for the ITRM platform TPRM module(s)
• Design and manage other IT third party assessment templates and workflows
• The role will evolve as IT/OT TPRM discipline expands and changes to meet compliance needs of GPI

Key Skills

• Aptitude to learn and utilize technology to perform and document responsibilities
• Moderate to advanced skills working with technical tools including Microsoft Office applications, specifically Excel, PowerPoint and Word
• Proven ability designing or enhancing third party risk management or compliance-related activities
• Excellent organizational aptitude
• Ability to analyze problems and facilitate solutions
• Excellent written and verbal communication skills
• Ability to think critically, objectively and analytically
• Detail-oriented with strong project management, organization, prioritization and time management skills
• Flexibility in working on several processes or projects simultaneously to meet team goals and responsibilities
• Possess high integrity to handle sensitive and confidential data
• Ability to work accurately and efficiently under pressure
• Proven ability to work independently and drive projects to completion
• Ability to work collaboratively with subject matter resources, often in a virtual and cross border environment
• Confidence and poise to work directly with GPI leadership teams
• Willingness and ability to readily respond to changing circumstances and expectations
• Interest in effectively developing other colleagues and creating a culture of compliance, inclusion and professional growth

Qualifications

• At least 5 years of experience working for a professional services organization providing one or more of the following: regulatory and compliance, audit, consulting, financial advisory, enterprise risk management and other related services
• Substantive direct experience in one or more of the following: third party due diligence, ethics and compliance programs, risk and controls, process management or change management
• Certified Public Accountant, Certified Internal Auditor, Certified Fraud Examiner and/or relevant compliance experience a significant advantage
• Bachelor's degree in accounting, finance, business or related field
• Information Security certifications (CRISC, CISM)
• Functional experience working in a manufacturing environment with MES and ICS systems
• Knowledge of GDPR and CCPA privacy rules associated to accessing, classifying, transferring, or modifying data in its lifecycle

Required Experience

 At Graphic Packaging International (NYSE: GPK), we produce the box you may have poured your child's cereal from this morning, the microwaveable tray that heated your lunch, the paper cup that held your coffee throughout the day, and the carrier of those bottles of craft beer you may enjoy tonight! We're one of the largest manufacturers of paperboard and paper-based packaging for some of the world's most recognized brands of food, beverage, foodservice, household, personal care and pet care products. Headquartered in Atlanta, Georgia, we are a team of collaborative, innovative, passionate individuals who are committed to providing consumer packaging that makes a world of difference. 

With almost 18,000 employees working in more than 70 locations in North and South America, Europe and the Pacific Rim, we strive to be an environmentally responsible leader in our industry and in the communities where we operate. We are committed to workplace diversity and offer compensation and benefits programs that are among the industry's best to reward the talented people who make our company successful. 

If this sounds like something you would like to be a part of, we'd love to hear from you. Learn more about us at www.graphicpkg.com.

Inspired Packaging. A World of Difference. 

 Graphic Packaging is an Equal Opportunity Employer. All candidates will be evaluated on the basis of their qualifications for the job in question. We do not base our employment decision on an employee's or applicant's race, color, religion, age, gender or sex (including pregnancy), national origin, ancestry, marital status, sexual orientation, gender identity, genetic identity, genetic information, disability, veteran/military status or any other basis prohibited by local, state, or federal law. Click here to view the EEO is the Law Poster