Hims & Hers Health, Inc. (better known as Hims & Hers) is a multi-specialty telehealth platform building a virtual front door to the healthcare system. Hims & Hers connects consumers to licensed healthcare professionals, enabling people to access high-quality medical care—from wherever is most convenient—for numerous conditions related to primary care, mental health, sexual health, skincare, and more. Launched in November 2017, the platform also offers thoughtfully created and curated health and wellness products. With products and services available across all 50 states and Washington, D.C., Hims & Hers’ mission is to make it easier for all Americans to access affordable care and treatment for conditions that impact their daily lives. In January 2021, the company was listed on the NYSE at an initial valuation of $1.6 billion and is traded under the ticker symbol “HIMS”. To learn more about our brand and offerings, you can visit forhims.com and forhers.com.

The IT Governance, Risk and Compliance (GRC) Manager will be responsible for managing the Technology & Security Risk & Compliance programs. This position will focus on technology controls and work as part of the Information Security Team in coordinating and executing the annual audits and assessments with our external audit firm(s). The candidate will ensure appropriate technology controls are in place, key stakeholders are engaged, and senior leaders are informed, while helping the organization remain compliant with regulatory obligations and avoid events that could adversely impact our business objectives. The ideal candidate must be passionate about customers, stakeholders, and technology. Excellent interpersonal, communication, and leadership skills will be critical for success. Success depends on building rapport and credibility with multiple stakeholders across the organization to organize and drive execution.


Responsibilities:

  • Understand and apply the enterprise policies, standards and framework for governance, risk & compliance
  • Lead the IT GRC program in accordance with our compliance, regulatory, and security obligations (including but not limited to SOX, HIPAA, PCI DSS, etc.)
  • Work with different stakeholders and external auditors to maintain up-to-date documentation for scoping, testing and remediation of technology controls
  • Work with different stakeholders and external auditors to obtain and fulfill IT evidence requests as per the timelines committed
  • Validate the key controls with the stakeholders on a periodic basis to provide an early warning to management for timely correction and remediation action
  • Assess audit findings / gaps including control weaknesses in coordination with different stakeholders and assist with development of management action plans
  • Provide control consulting services to control owners and assist in redesigning the efforts that improve/automate the control environment
  • Understand the Enterprise Risk Management standard on how to identify, assess, mitigate, monitor, test and report on risks and controls required by the organization (which includes Technology & Security portfolios)
  • Partner with stakeholders to understand expectations for managing cross-functional risks and dependencies; deploy processes to comply with policy expectations which may require implementation of required controls and on-going monitoring & reporting
  • Develop and present recommendations to management based on risk and compliance impact, in a subject-matter-expert capacity, for multiple risk and compliance initiatives
  • Negotiate appropriate remediation plans for identified issues while maintaining internal and external relationships
  • Assess risk arising from third-parties, vendors and partners in our ecosystem and design controls to mitigate such risks
  • Manage overall reporting associated with Technology & Security Risk & Compliance programs


Experience & Skills:

  • 6+ years of experience in IT/Technology/Information Security Internal Audit, or ERM
  • Utilize a deep understanding of risk management methodologies, frameworks, and principles (e.g. SOX, HIPAA, COBIT, NIST, ITIL, PCI DSS, GDPR, etc.) to evaluate and recommend the best approach to mitigating risk with best-in-class controls
  • Be able to engage at all levels of the organization to organize, drive and communicate results
  • Operate in a fast-paced environment and be able to handle a number of simultaneous projects and tasks while demonstrating urgency and ownership to drive issues to completion
  • Innovate in the dynamic workplace by designing repeatable, sustainable processes that operationalize the risk management function
  • Possess strong oral and written communication skills along with refined presentation skills and the ability to work with other departments and varying levels of management, including senior leadership
  • Have a strong ability to work with minimal direction and possess a high drive for results
  • Bachelor’s degree in Computer Science, Engineering, or Information Management Systems
  • Certifications highly desired (CISA, CISM, CISSP, CRISC, etc.) 

Preferred Experience & Skills:

  • Consultancy experience from Big-4 audit firms


Hims is an Equal Opportunity Employer and considers applicants for employment without regard to race, color, religion, sex, orientation, national origin, age, disability, genetics or any other basis forbidden under federal, state, or local law. Hims considers all qualified applicants in accordance with the San Francisco Fair Chance Ordinance.


U.S. Equal Opportunity Employment Information (Completion is voluntary)

Individuals seeking employment at hims & hers are considered without regard to race, color, religion, national origin, age, sex, marital status, ancestry, physical or mental disability, veteran status, gender identity, or sexual orientation. You are being given the opportunity to provide the following information in order to help us comply with federal and state Equal Employment Opportunity/Affirmative Action record keeping, reporting, and other legal requirements.

Completion of the form is entirely voluntary. Whatever your decision, it will not be considered in the hiring process or thereafter. Any information that you do provide will be recorded and maintained in a confidential file.

Race & Ethnicity Definitions

If you believe you belong to any of the categories of protected veterans listed below, please indicate by making the appropriate selection. As a government contractor subject to Vietnam Era Veterans Readjustment Assistance Act (VEVRAA), we request this information in order to measure the effectiveness of the outreach and positive recruitment efforts we undertake pursuant to VEVRAA. Classification of protected categories is as follows:

A "disabled veteran" is one of the following: a veteran of the U.S. military, ground, naval or air service who is entitled to compensation (or who but for the receipt of military retired pay would be entitled to compensation) under laws administered by the Secretary of Veterans Affairs; or a person who was discharged or released from active duty because of a service-connected disability.

A "recently separated veteran" means any veteran during the three-year period beginning on the date of such veteran's discharge or release from active duty in the U.S. military, ground, naval, or air service.

An "active duty wartime or campaign badge veteran" means a veteran who served on active duty in the U.S. military, ground, naval or air service during a war, or in a campaign or expedition for which a campaign badge has been authorized under the laws administered by the Department of Defense.

An "Armed forces service medal veteran" means a veteran who, while serving on active duty in the U.S. military, ground, naval or air service, participated in a United States military operation for which an Armed Forces service medal was awarded pursuant to Executive Order 12985.


Form CC-305

OMB Control Number 1250-0005

Expires 05/31/2023

Voluntary Self-Identification of Disability

Why are you being asked to complete this form?

We are a federal contractor or subcontractor required by law to provide equal employment opportunity to qualified people with disabilities. We are also required to measure our progress toward having at least 7% of our workforce be individuals with disabilities. To do this, we must ask applicants and employees if they have a disability or have ever had a disability. Because a person may become disabled at any time, we ask all of our employees to update their information at least every five years.

Identifying yourself as an individual with a disability is voluntary, and we hope that you will choose to do so. Your answer will be maintained confidentially and not be seen by selecting officials or anyone else involved in making personnel decisions. Completing the form will not negatively impact you in any way, regardless of whether you have self-identified in the past. For more information about this form or the equal employment obligations of federal contractors under Section 503 of the Rehabilitation Act, visit the U.S. Department of Labor’s Office of Federal Contract Compliance Programs (OFCCP) website at www.dol.gov/ofccp.

How do you know if you have a disability?

You are considered to have a disability if you have a physical or mental impairment or medical condition that substantially limits a major life activity, or if you have a history or record of such an impairment or medical condition.

Disabilities include, but are not limited to:

  • Autism
  • Autoimmune disorder, for example, lupus, fibromyalgia, rheumatoid arthritis, or HIV/AIDS
  • Blind or low vision
  • Cancer
  • Cardiovascular or heart disease
  • Celiac disease
  • Cerebral palsy
  • Deaf or hard of hearing
  • Depression or anxiety
  • Diabetes
  • Epilepsy
  • Gastrointestinal disorders, for example, Crohn's Disease, or irritable bowel syndrome
  • Intellectual disability
  • Missing limbs or partially missing limbs
  • Nervous system condition, for example, migraine headaches, Parkinson’s disease, or multiple sclerosis (MS)
  • Psychiatric condition, for example, bipolar disorder, schizophrenia, PTSD, or major depression

Section 503 of the Rehabilitation Act of 1973, as amended. For more information about this form or the equal employment obligations of Federal contractors, visit the U.S. Department of Labor's Office of Federal Contract Compliance Programs (OFCCP) website at www.dol.gov/ofccp.

PUBLIC BURDEN STATEMENT: According to the Paperwork Reduction Act of 1995 no persons are required to respond to a collection of information unless such collection displays a valid OMB control number. This survey should take about 5 minutes to complete.