Risk & Compliance Lead

• Strategy and ownership
  • Own Elliptic’s Risk and Compliance strategy, frameworks, and annual plan
  • Define risk appetite and tolerances with leadership; translate into KRIs and control objectives
• Enterprise risk management
  • Maintain risk taxonomy, registers, and assessment cadence across business, product, data, third‑party, and operational risks
  • Facilitate risk identification with domain owners, evaluate inherent/residual risk, and drive treatment plans
• Compliance framework (SaaS‑appropriate)
  • Identify applicable obligations and industry standards for a SaaS provider and maintain a single control framework mapped to them
  • Keep policies and standards current, actionable, and adopted across teams
• Control assurance and continuous improvement
  • Plan and run a risk‑based assurance programme to test control design and effectiveness
  • Manage issues, nonconformities, and lifecycle with clear ownership and due dates
• Operational resilience and incident governance
  • Partner with Platform, SRE, and Security to validate backup, recovery, continuity, and disaster recovery capabilities
  • Chair or contribute to post‑incident reviews to ensure learnings are captured and risks addressed
• Third‑party and product risk
  • Set methodology and thresholds for vendor and product risk, partnering with Procurement, Legal, and Product to embed controls in lifecycle workflows
• Assurance and audits
  • Coordinate external audits and certifications as needed; ensure our evidence strategy is efficient and reusable
  • Provide executive reporting on risk posture, top risks, trends, and remediation progress
• Ways of working and culture
  • Enable teams through guidance, training, and practical tooling; make compliance easy and transparent

Team leadership and interfaces

• Directly lead the Risk and Compliance Analyst as a supporting role. Delegate analysis, evidence collation, routine testing, and first‑draft policy updates while retaining ownership of strategy, framework design, risk appetite, and executive reporting
• Work closely with Engineering, Platform/SRE, Product, Legal, Procurement, Sales/CS, and Data

• Proven ownership of an ERMF or equivalent risk programme in a SaaS or technology business
• Designing and operating a unified control framework mapped to multiple obligations or standards
• Knowledge of data protection and data governance practices relevant to SaaS
• Planning and executing risk‑based assurance and control testing, and managing CAPA to closure
• Partnering with engineering and product teams to embed quality and compliance controls into their operations
• Clear, concise written communication and executive risk reporting
• Strong stakeholder management across technical and non‑technical teams

Nice to have

• Experience with ISO 27001, SOC 2, or similar certifications, and familiarity with ISO 9001/22301/14001 as contributing inputs
• Exposure to model risk governance or validation practices
• Experience with evidence automation or compliance tooling

How We Work

• Hybrid working and the option to work from almost anywhere for up to 90 days per year
• £500 Remote working budget to set up your home office space

Learning & Development

• $1,000 Learning & Development budget to use on anything (agreed with your manager) that contributes to your growth and development

Vacation/Leave

• Holidays: 25 days of annual leave + bank holidays
• An extra day for your birthday
• Enhanced parental leave: we provide eligible employees, regardless of gender or whether they become a parent by birth or adoption, 16 weeks fully-paid leave
  

Benefits