Our mission is to create the Experience of a Lifetime for our employees, so they can, in turn, create the Experience of a Lifetime for our guests. We own and operate the most renowned destination resorts in the world as well as regional and local ski areas outside major cities, and connect them all through one unrivaled network. We are looking for ambitious leaders, innovators and creators to join our talented team. If you’re ready to pursue your fullest potential, we want to get to know you!
Candidates for year-round positions are reviewed on a rolling basis. Applications will be accepted up to 90 days after the posting date, or until the position is filled (whichever is first).
Job Summary:
Vail Resorts is seeking a Director of Governance, Risk, Compliance & Privacy (GRC&P) to lead enterprise GRC and privacy programs across a global, highly regulated, and technology-enabled business. This role is responsible for defining strategy, driving execution, and enabling informed risk decisions that protect the company while supporting business growth and innovation.
Reporting to the Vice President of Platform Services, this leader partners closely with Technology, Legal, Audit, Finance, and Business stakeholders to ensure risk and compliance practices are scalable, pragmatic, and aligned to business objectives. This role operates at the intersection of risk, technology, and business enablement, with regular interaction with senior executives.
Job Specifications:
- Starting Wage: $155,949.76 - $189,493.34 + annual bonus + equity
- Employment Type: Year Round
- Shift Type: Full Time hours available
- Minimum Age: At least 18 years of age
- Housing Availability: No
Job Responsibilities:
Enterprise GRC & Privacy Leadership
- Own and evolve the enterprise GRC and Privacy strategy aligned to business priorities, regulatory requirements, and industry best practices.
- Establish governance frameworks that enable consistent, transparent, risk-based decision making.
- Serve as a trusted advisor to senior leaders on risk, compliance, and privacy matters.
Risk Management & Compliance
- Define and drive enterprise audit strategy, including audit readiness, evidence standardization, and control rationalization.
- Reduce audit fatigue by streamlining control frameworks across SOX, PCI, and privacy.
- Act as the primary interface with QSAs and external auditors to ensure efficient, predictable outcomes.
- Lead enterprise risk assessment, mitigation, and monitoring across technology and business domains.
- Oversee compliance programs including SOX, PCI DSS, and global privacy regulations (GDPR, CCPA).
- Partner with Legal, Internal Audit, and external auditors to ensure well-governed audits and assessments.
- Oversee or partner on third-party risk management.
Privacy & Data Governance
- Lead privacy and data governance programs including policy, operations, and regulatory response.
- Embed privacy by design into systems and business processes.
- Serve as escalation point for privacy risk and regulatory inquiries.
- Partner with Legal to operationalize global privacy regulations.
- Lead data classification, retention, and lifecycle governance.
- Support AI governance and responsible data use.
Program Management, Metrics & Reporting
- Define KPIs, dashboards, and reporting to measure program maturity.
- Provide executive-level reporting on risk posture and trends.
- Drive continuous improvement through benchmarking and lessons learned.
- Rationalize and harmonize controls across frameworks (PCI, SOX, NIST, privacy).
- Drive adoption of common control frameworks and automation.
- Leverage GRC platforms to improve monitoring, evidence collection, and reporting.
- Drive maturity toward continuous compliance.
People & Leadership
- Build and lead a high-performing GRC & Privacy team.
- Foster a culture of collaboration, accountability, and growth.
- Mentor talent and contribute to leadership development.
- Define and implement a clear GRC operating model.
- Drive a “risk owned by the business” model with GRC as an enabler.
What Success Looks Like
- Scalable GRC and privacy programs enabling informed decisions.
- Reduced audit friction and predictable compliance outcomes.
- Strong executive confidence in risk visibility.
- A high-performing, trusted team.
- Risk practices that accelerate business initiatives.
- Clear guidance enabling fast, informed decisions.
Job Requirements:
Experience & Background
- 10+ years in governance, risk, compliance, privacy, or information security.
- Strongly preferred: QSA experience or leading PCI DSS assessments from assessor and client perspectives.
- Deep expertise in PCI DSS in complex environments.
- Experience scoping and optimizing PCI environments.
- Experience building and maturing enterprise programs.
- Proven ability to lead cross-functional initiatives and influence executives.
- Experience in regulated, global environments.
Leadership & Skills
- Strong executive communication and stakeholder management.
- Ability to balance risk management with business enablement.
- Strategic, practical, outcome-oriented mindset.
- Experience leading and developing teams.
Education & Certifications
- Bachelor’s degree in a related field (Master’s preferred).
- Certifications such as CISSP, CISM, CRISC, CISA, or privacy certifications are a plus.
The expected Total Compensation for this role is $155,949.76 - $189,493.34 + annual bonus + equity. Individual compensation decisions are based on a variety of factors.
Job Benefits
- Ski/Mountain Perks! Free passes for employees, employee discounted lift tickets for friends and family AND free ski lessons
- MORE employee discounts on lodging, food, gear, and mountain shuttles
- 401(k) Retirement Plan
- Employee Assistance Program
- Excellent training and professional development
Full Time roles are eligible for the above, plus:
- Health Insurance: Medical Insurance, Dental Insurance, and Vision Insurance plans (for eligible seasonal employees after working 500 hours)
- Free ski passes for dependents
- Critical Illness and Accident plans
Employees can work remotely from British Columbia, Washington D.C., and the 16 U.S. states* in which we currently operate. This includes: California, Colorado, Indiana, Michigan, Minnesota, Missouri, New Hampshire, New York, Nevada, Ohio, Pennsylvania, Utah, Vermont, Washington State, Wisconsin, and Wyoming.
Please note that the ability to work in person or off-site, and the particulars related to such work, are subject to change at any time; and, accordingly, the Company reserves the right to change its policies and/or require in-person/in-office work or off-site work at any time in its sole discretion.
In completing this application, and when submitting related documentation, applicants may redact information that identifies their age, date of birth, and/or dates of attendance at or graduation from an educational institution.
We follow all federal, state, and local laws including restrictions on child/minor labor. Minors hired into this position will not be asked or permitted to engage in any activities restricted to adult workers.
Vail Resorts is an equal opportunity employer. Qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, sexual orientation, gender identity, disability, protected veteran status or any other status protected by applicable law.
Requisition ID 514162
Reference Date: 04/01/2026
Job Code Function: IT Security