SAP GRC Security Analyst II

GURGAON, IN, 122001

At McCormick, we bring our passion for flavor to work each day. We encourage growth, respect everyone's contributions and do what's right for our business, our people, our communities and our planet. Join us on our quest to make every meal and moment better.

 

Founded in Baltimore, MD in 1889 in a room and a cellar by 25-year-old Willoughby McCormick with three employees, McCormick is a global leader in flavour. With over 14,000 employees around the world and more than $6 Billion in annual sales, the Company manufactures, markets, and distributes spices, seasoning mixes, condiments and other flavourful products to the entire food industry, retail outlets, food manufacturers, food service businesses and consumers.

 

While our global headquarters are in the Baltimore, Maryland, USA area, McCormick operates and serves customers from nearly 60 locations in 25 countries and 170 markets in Asia-Pacific, China, Europe, Middle East and Africa, and the Americas, including North, South and Central America with recognized brands.

 

At McCormick, we have a legacy of over 100 years based on our “Power of People” principle. This principle fosters an unusually dedicated workforce requiring a culture of respect, recognition, inclusion and collaboration based on the highest ethical values.

 

 

Position Overview

 

The GRC Application Analyst II is responsible for leading and continuously enhancing McCormick’s SAP Governance, Risk & Compliance (GRC) capabilities across Process Controls (PC), Access Controls (AC), and Emergency Access Management (EAM). This role focuses on strengthening enterprise risk management, internal control effectiveness, segregation of duties (SoD) governance, and audit readiness across McCormick’s global SAP landscape (e.g., S/4HANA, ECC, BW, Fiori, and integrated applications).

This position requires a deep understanding of SAP GRC frameworks, risk management methodologies, SOX compliance requirements, and control monitoring best practices. The analyst partners closely with Internal Audit, IT Security, business process owners, and external auditors to proactively identify risk, monitor control effectiveness, and provide actionable reporting that supports regulatory compliance and enterprise risk mitigation.

The incumbent will take ownership of GRC strategy execution, risk analytics, and continuous control improvement initiatives. This role is responsible for driving maturity in automated controls, access governance frameworks, firefighter oversight, and risk reporting processes aligned to enterprise policies and compliance standards as established by the Director of Information Systems Security.

The GRC Application Analyst II must demonstrate strong analytical, communication, and influencing skills, proactively collaborating with cross-functional stakeholders to ensure sustainable controls, transparency of risk posture, and alignment between compliance objectives and business operations.

 

Key Responsibilities

  • Lead SAP GRC strategy execution across Process Controls (PC), Access Controls (AC), and Emergency Access Management (EAM), ensuring alignment with enterprise risk management objectives, SOX requirements, and internal control frameworks.
  • Own and maintain the Segregation of Duties (SoD) framework, including ruleset governance, risk catalog management, mitigating control design, and risk impact assessments for system implementations and business transformations.
  • Oversee Emergency Access Management (Firefighter) governance, including provisioning standards, usage monitoring, log review processes, escalation management, and continuous improvement of emergency access controls.
  • Manage and optimize Process Controls (PC), including automated control design, control testing coordination, deficiency tracking, and validation of remediation efforts to ensure sustained control effectiveness.
  • Generate, analyze, and present GRC risk reports, dashboards, and trend analyses for Internal Audit, IT Security leadership, and business stakeholders, translating technical risk data into clear business impact insights and remediation recommendations.
  • Partner with business process owners, IT teams, and Internal Audit to evaluate control design, document risks, support walkthroughs, coordinate audit evidence, and ensure timely remediation of findings.
  • Drive continuous improvement of GRC governance standards, policies, procedures, and reporting methodologies, promoting automation, efficiency, and transparency across the enterprise control environment.

 

Qualifications

  • Bachelor’s Degree in Information Systems, Accounting, Finance, Business Administration, Cybersecurity, or a related field preferred.
  • May consider 10+ years of relevant experience in IT Risk, Compliance, Internal Controls, Audit, or SAP GRC administration in lieu of a degree.
  • Relevant professional certifications such as CISA, CPA, CIA, CRISC, or SAP GRC certification are strongly preferred and demonstrate advanced competency in governance and compliance disciplines.
  • 9+ years of experience in IT, Risk, Compliance, or Internal Controls, including at least 4 years focused on SAP Governance, Risk & Compliance (GRC) with hands-on experience in Access Controls (AC), Process Controls (PC), and Emergency Access Management (EAM). Demonstrates a strong understanding of Segregation of Duties (SoD) frameworks, automated control monitoring, risk assessment methodologies, and SOX compliance requirements across multiple SAP environments (e.g., ECC, S/4HANA, Fiori, BW).
  • Experience working in a manufacturing or global enterprise environment with ERP systems, applying governance best practices to strengthen internal controls, enhance audit readiness, and balance compliance requirements with operational efficiency and business enablement.
  • Ability to work effectively as part of a team and develop effective working relationships. Demonstrated organizational, verbal and written communication skills. Easily interacts with peers, manager and business partners. Performs role in a professional manner with the ability to develop effective working relationships.
  • Strong analytical and organizational skills with the ability to adapt quickly to evolving security requirements and shifting project priorities. Sound judgment and critical thinking skills to assess last-minute changes, ensuring security controls remain compliant while enabling projects to progress efficiently. Maintains a proactive and solution-oriented mindset that balances risk management with business agility.

 

Dimension

The SAP Security group's actions have a direct impact on over 10,000 global users of the SAP system. May be involved in up to 10 concurrent projects. Most problems are of a technical nature involving research via vendor support services, reviews of program language code and logic, and business processes. Although the incumbent does not directly interact with customers, the results of the SAP Security group's work can impact most customer-facing functions within the corporation and will affect strategies for automating trading partner interactions. The results of the SAP Security group's actions have a direct impact on all users of McCormick's SAP system, including all global regions of the Corporation.

McCormick & Company is an equal opportunity/affirmative action employer. All qualified applicants will receive consideration for employment without regard to sex, gender identity, sexual orientation, race, colour, religion, national origin, disability, protected veteran status, age, or any other characteristic protected by law.

WHY WORK AT MCCORMICK?

As a McCormick employee you’ll be empowered to focus on more than your individual responsibilities. You’ll have the opportunity to be part of something bigger than yourself—to have a say in where the company is going and how it’s growing.

Between our passion for flavor, our 130-year history of leadership and integrity, the competitive and comprehensive benefits we offer, and our culture, which is built on respect and opportunities for growth, there are many reasons to join us at McCormick.