Associate, Third-Party Risk Management
Vendor Risk Assessments
Conduct risk assessments and due diligence for new and existing third-party vendors. Collect and analyze vendor responses (such as security questionnaires, audit reports, SOC reports), identify potential risk areas, recommend appropriate mitigation strategies, and summarize findings for management review.
Third-Party Lifecycle Support
Help coordinate the end-to-end third-party lifecycle, including vendor onboarding, ongoing performance management and risk monitoring, contract reviews, issue management, and offboarding. Ensure all required risk checks and approvals are completed and documented at appropriate lifecycle stages.
Documentation & Reporting
Maintain accurate TPRM documentation and records, including risk assessment results, remediation plans, and risk acceptance decisions. Prepare regular reports and dashboards on third-party risk metrics and Key Risk Indicators (KRIs) for review by senior risk management.
Tool Management
Use approved technology to support automation of TPRM workflows. This includes managing vendor inventories, issuing and tracking risk assessment questionnaires, monitoring vendor compliance status, and generating risk reports.
Risk Monitoring & Issue Tracking
Continuously monitor third-party risk profiles and compliance status. Track open risk issues or remediation plans in the TPRM system and follow up with vendors or internal stakeholders to ensure timely completion of mitigation actions. Escalate significant findings or delays to the Director, as needed.
Stakeholder Collaboration
Work closely with internal teams such as IT Security, Compliance, Legal, Procurement, and business units to gather necessary information for vendor evaluations. Support communication with stakeholders and vendors to clarify requirements, obtain documentation, and resolve any identified risk or compliance issues.
Program Administration
Assist in the development, maintenance, and enhancement of TPRM policies, procedures, standards, and templates. Support audits, regulatory examinations, and compliance reviews related to third-party risk management activities. Contribute to ongoing process improvements and program maturity initiatives.
Required Qualifications
- Bachelor’s degree in Business, Information Systems, Cybersecurity, or related field.
- 3-5 years of experience in risk management, vendor management, compliance, or information security, with exposure to third-party risk management or vendor due diligence processes.
- Familiarity with key compliance and security frameworks and regulations (such as CPRA, HIPAA, SOX, ISO 27001, NIST) and an understanding of how they apply to third-party/vendor risk.
- Professional Certifications: Certified Third-Party Risk Professional (CTPRP), Certified Risk and Compliance Management Professional (CRCMP) or Certified Regulatory Vendor Program Manager (CRVPM).
- Experience using vendor risk management technology to manage risk assessments, workflows, and reporting.
- Proficient with standard business software (Excel, PowerPoint, Word) for data analysis and presentation.
- Strong analytical and problem-solving skills with keen attention to detail. Ability to interpret risk assessment data, identify trends or red flags in vendor responses, and assist in developing mitigation steps.
- Excellent written and verbal communication skills. Capable of preparing clear reports and effectively communicating findings and requirements to internal stakeholders and vendors.
- Demonstrated ability to work collaboratively in cross-functional teams. Strong organizational and time-management skills, with the ability to manage multiple vendor assessments and tasks concurrently and meet deadlines.
Preferred Qualifications
- Experience in optimizing risk management processes or workflows.
- Familiarity with automation features in GRC platforms or other risk management tools to improve efficiency and reporting.
- Working understanding of vendor contract terms related to security and privacy, as well as awareness of emerging third-party risk trends (such as cloud security, data protection, artificial intelligence fourth-party risk).
- Experience supporting third-party risk management programs within banking, financial services, insurance, fintech, or other highly regulated industries.
- Ability to manage multiple assignments/projects and meet deadlines in a fast-paced environment.