Director of Governance, Risk, & Compliance

At WHOOP, we’re on a mission to unlock human performance and healthspan. Our wearable technology provides personalized insights that help millions of members better understand their bodies and make smarter decisions about training, recovery, and lifestyle.

We are seeking a Director of Governance, Risk & Compliance to lead and advance the WHOOP enterprise GRC program. Reporting to the CISO, you will define and execute the strategy for governance, risk management, and compliance across the organization, translating strategic priorities into scalable programs, controls, and measurable outcomes. 

This is a senior leadership role responsible for strengthening and expanding a world-class GRC function that enables WHOOP to move quickly while maintaining the highest standards of security, privacy, and regulatory compliance.

• Define and execute the enterprise-wide GRC strategy in alignment with WHOOP business objectives, risk appetite, and evolving regulatory landscape, driving implementation across policies, processes, tooling, and metrics
• Lead, grow, and mentor a high-performing GRC team, establishing clear operating rhythms, ownership models, and performance expectations while fostering a culture of accountability and  continuous improvement
• Oversee compliance programs across key frameworks including SOC 2, ISO 27001, HIPAA, GDPR, and emerging health data regulations
• Establish and maintain the enterprise risk management program, including risk identification, quantification, mitigation, and reporting to executive leadership and the board
•  Own the third-party risk management program, ensuring vendors and partners meet WHOOP’s security and compliance requirements
• Lead and evolve governance for responsible AI use, including risk assessment, vendor oversight, regulatory alignment, and policy development in coordination with Product, Legal, and Engineering
• Partner with Legal, Product, Engineering, and Privacy teams to ensure regulatory requirements are embedded into product development and business processes
•  Lead engagement with external auditors, regulators, and certification bodies
• Translate strategic objectives into operational controls and program enhancements, personally driving key initiatives as the function continues to scale
•  Develop and present risk and compliance reporting to the C-suite, delivering clear, business-aligned risk insights
•  Drive policy governance, ensuring security and compliance policies are current, enforceable, and aligned with industry best practices
• Champion a culture of security awareness and compliance across the organization

• 10+ years of progressive experience in GRC, information security, risk management, or compliance, with at least 5 years in a leadership role

• Proven track record of scaling and maturing GRC programs in high-growth technology or health-tech companies

• Deep expertise across multiple compliance frameworks (SOC 2, ISO 27001, HIPAA, GDPR, NIST CSF, PCI-DSS) with familiarity in emerging AI governance and regulatory standards

• Strong understanding of cloud security architectures (AWS preferred) and their implications for compliance and risk

• Experience evaluating AI/ML risk, data governance implications, or responsible AI frameworks in regulated environments

• Experience presenting risk posture and compliance metrics to executive leadership and board-level audiences

• Exceptional leadership skills with a demonstrated ability to attract, develop, and retain top GRC talent

• Strong business acumen with the ability to translate technical risk into business terms

• Relevant certifications preferred (CISSP, CISM, CRISC, CISA, or equivalent)