Roche

IT Risk, Audit and Compliance Expert


Pay: Competitive
Location: Madrid / Community of Madrid
Employment type: Full-Time

This job is now closed

  • Job Description

      Req#: 202307-116966

      The Position

      IT Risk, Audit and Compliance Expert

      Throughout our 125-year history, Roche has grown into one of the world’s largest biotech companies and a global supplier of transformative innovative solutions across major disease areas.

      At Roche, we believe every employee makes a difference. We are passionate about transforming patients’ lives. We are confident in both decision and action, we believe that good business means a better world.

      We are looking for an IT specialist to join one of our teams in the Roche Informatics division. In Roche Informatics we focus on delivering technology that evolves the practice of medicine and helps patients live longer, better lives.

      At Roche we are currently transforming our ways of working and are looking for motivated people to help strengthen the IT organization to prepare us for a more challenging future with stricter compliance requirements and more complex IT landscapes.

      Your team:

      We are a diverse and distributed team spanning the globe from San Francisco to Kuala Lumpur with broad expertise and knowledge. Come join our team in service of Roche's patient driven mission in support of teams being led in Switzerland.

      The position:

      Do you have a strong background in digital compliance (i.e., ensuring compliance with security and privacy controls as well as quality regulations related to data processing) with demonstrated experience on multiple projects? Are you looking for a creative, challenging and fun work environment and an opportunity to expand your skills? Then the Security, Testing and Validation Chapter is looking for you!

      The power of data at scale has transformed almost every industry, personalizing experiences in many aspects of our lives. Yet in healthcare, we’ve only scratched the surface. At Genentech and Roche we are accelerating the use of data insights and digital technologies to make significant strides to reach the full potential of personalized healthcare.

      As an IT Risk, Audit and Compliance Expert, you will join our diverse Informatics community of smart, fun, wholehearted, and engaged professionals from various functional areas. You will share our community values of passion, courage, integrity, and gratitude -- all in service of our mission, “doing now what patients need next.”

      Your primary accountability is to provide leadership and expert guidance in ensuring that our digital environment and products are in compliance with applicable regulations, operating securely, and that risks are being managed prudently. You will be responsible for risk assessments of systems, services and third parties to evaluate cyber resiliency and compliance with internal and external requirements, and for supporting the ongoing development, implementation and management of information security procedures and controls in order to maintain the confidentiality, integrity, and availability of critical information assets. By being deeply engaged with our stakeholders, ranging from business partners, legal, procurement, and quality professionals, you will develop a strong understanding of safety, clinical and medical data and build a strong framework to assess the quality and security of our suppliers. Professionally, you bring a strong competency in the design, creation, and adoption of novel validation and line-of-control strategies, ensuring data integrity, security, and privacy for teams across the product development lifecycle, including projects deployed in the Clinical & Medical device space. You are self-motivated and have the ability to engage your agile squad to bring impact to the business value stream. As an IT Risk, Audit and Compliance Expert, you will establish strong relationships and manage stakeholders across the globe. You are someone who can negotiate and influence at all levels.

      This position will be supporting Product Managers in Europe.

      Your key responsibilities:

      • Oversee and provide guidance, consultancy on Information Governance & Digital Compliance topics across projects where alignment is needed on a range of topics including:

        • Information Lifecycle

        • Product Ownership

        • GxP regulations (in particular GCP, GVP, and GLP)

        • Data Privacy (Standard Contractual Clauses [SCCs], HIPAA, PIPEDA, CCPA, EU GDPR, country-specific privacy liaison)

        • Intellectual property, open source software risks

        • Vendor / Service Provider security assessment & audit

        • Financial IT Audit Coordination

      • Conducting risk assessments for systems and services to assess security and data privacy control requirements

      • Conducting vendor risk assessments to evaluate whether 3rd parties have appropriate security controls and business disciplines in place to effectively minimize risks to themselves, to Roche, and to customers of Roche

      • Driving the optimization of processes and tools for assessing and monitoring compliance of IT systems

      • Facilitating execution of corrective actions ensuring that weaknesses identified in the IT management system are recorded, prioritized and addressed appropriately.

      • Preparing IT teams for audits and inspections using your knowledge of IT auditing

      • Developing strong working relationships and partnering effectively with IT delivery teams, global Business Quality, Corporate Audit, and the security/privacy organizations

      • Maintaining industry knowledge and skills in the areas of compliance, audit, and risk management and applying them to improve internal processes and practices

      • Foster information security awareness for employees and others with access to critical information assets

      • Able to articulate and facilitate the understanding of a system’s intended use and its compliance risk profile

      • Risk-based identification and classification of confidentiality and data privacy of IT systems, including GxP

      • Guide software project and product teams in understanding their role in establishing and maintaining the compliance of critical systems

      • Performing system audits on security, privacy & compliance areas

      • Performing vendor 3rd party assessments and audits for security and compliance, across multiple vendor partners including Roche Contracted Research Organizations (CROs), and providers of digital healthcare solutions

      • Collaborate with Product Managers, Owners, Architects, Engineers, Developers, and User Experience Designers on scope, solutions, constraints, and risks

      • Leverage the technical expertise of the internal teams and external technology providers and vendors to deeply understand the risks

      • Stakeholder management for business partners and subject matter / functional experts

      • Characterize for compliance purposes as-built and vendor-provided business solutions that may involve automated systems and/or modifications to business processes

      • Engage with Procurement on acquisitions and assess compliance against internal expectations and SOPs

      • Be a trusted partner for teams and stakeholders throughout the organization, including but not limited to - the Global Privacy Office, IT Security, Business Quality

      • Maintain an expert-level knowledge of the dynamic health authority governance; inclusive of EU GDPR, CCPA, PIPL, PIPEDA, HIPAA, SaMD, 21 CFR part 11, Annex 11, ICFR

      • Understanding of IT Controls over Financial Reporting; good practical knowledge of IT audit methodology; understanding of Service Organization Control audit reports

      • Demonstrated understanding of industry standards and certifications including: ISO 27001, ISO27002, ISO2703, ISO27701, ISO31000, CSA, HITRUST, Standard Information Gathering (SIG), COBIT, NIST, SOC reports, etc.

      Your qualifications and experience:

      - You have a diverse background. You have managed change in the most trying of times. You are a fixer and a solver.

      - You want to tackle the biggest healthcare challenges that face us globally in the 21st century.

      - You excel at relationship building and networking.

      - You have demonstrated the ability to navigate complexity, are pragmatic, see the big picture, and can give examples of impact in a large global organization.

      - You have:

      • 5+ years’ experience in a large global enterprise IT environment within the information security, risk or audit organization

      • BA or BS in informatics, life science, business, or equivalent. MA or MS and post-graduate coursework are desirable

      • Professional experience in IT audit, IT compliance, Risk management or IT security

      • Industry recognized security certifications such as CISA, CISM, CISSP or ISO 27001 lead auditor

      • Familiar with health authority regulations, systems financial controls, software development lifecycle, computer systems validation, infrastructure qualification, information security, and ITIL processes

      • Strong understanding of risk and control frameworks such as COBIT, NIST and ISO standards (ISO 31000 & ISO 27000 family)

      • Demonstrated experience leading and conducting Information Security, Privacy and Regulatory compliance assessments/audits

      • 5 years of related experience, domain knowledge of the pharmaceutical industry and manufacturing/quality assurance processes and systems, computer systems validation, GxP, FDA 21 CFR Part 11, HIPAA, SaMD & ISO 13485, Data Privacy, ICFR and / or experience in risk management (ISO 27001) and / or as system auditor

      • Program or IT Project management experience

      • Understanding of Software Development Life Cycle methodologies, inclusive of Agile

      • Experience and understanding of application development methodology - including Agile and Waterfall approaches, functional requirements, process modeling and re-engineering, use case development, user acceptance testing, organizational change management, and large-scale system implementations. Experience in defining or applying quality frameworks and Quality-by-Design principles in DevOps, DevSecOps and MLOps is an asset. Understanding of scaled agile (SAFe) delivery is an asset

      • Experience leading cross-functional collaborative team environments, providing innovative solutions to complex business problems and making decisions with cross-functional impact

      • Strong communication skills - ability to communicate complex information, issues, and potential solutions at an executive level

      • Proven skills in relationship building, customer-focus, decision-making, and problem solving

      • Demonstrated ability to quickly learn business priorities in unfamiliar or ambiguous areas.

      What you get:

      • Good and stable working environment with attractive compensation and rewards package (according to local regulations);

      • Full time employment contract;

      • Annual bonus payment based on performance;

      • A dedicated training budget (training, certifications, conferences);

      • Access to various internal and external training platforms (e.g. LinkedIn Learning);

      • Experienced and professional colleagues and workplace that supports innovation;

      • Multiple Savings Plans with Employer Match

      • Company’s emphasis on employees’ wellness and work-life balance (e.g. generous vacation days and OneRoche Wellness Days);

      • Flexible Workplace Policy #LI-Hybrid

      • State-of-the-art working environment and facilities;

      • And many more that the Talent Acquisition Partner will be happy to talk about!

      APPLY DIRECTLY

      If you feel this offer suits a friend of yours, feel free to share it.

      Want to know what it’s like to be a part of Roche IT first-hand? Check out our blog!

      https://www.roche.com/careers/weareroche.htm

      Who we are

      At Roche, more than 100,000 people across 100 countries are pushing back the frontiers of healthcare. Working together, we’ve become one of the world’s leading research-focused healthcare groups. Our success is built on innovation, curiosity and diversity.

      At Roche Poland, we are more than 800 professionals working together on one mission. We are proud of who we are, what we do and how we do it. Join us in the area of Clinical Research, Medical, Marketing, IT or business departments.

      Roche is an Equal Opportunity Employer.

  • About the company

      F. Hoffmann-La Roche AG is a Swiss multinational healthcare company that operates worldwide under two divisions: Pharmaceuticals and Diagnostics.
