Sr. Manager, Third Party Risk Management
Asurion · Nashville, TN · Yesterday
On-siteFinanceFull-time
Key Responsibilities
- Own strategy, design, and continuous improvement of the Third-Party/Vendor Risk Management (TPRM) program aligned to NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, and regulatory obligations.
- Define and maintain TPRM policy, standards, procedures, and risk-tiering methodology; secure governance approval and drive consistent adoption across the enterprise.
- Establish third-party risk appetite and tolerance thresholds with CISO and GRC leadership and apply them to vendor risk decisions.
- Embed risk gates within sourcing, onboarding, contracting, renewal, and offboarding in partnership with Procurement and Legal.
- Lead the full vendor risk lifecycle: intake, inherent-risk classification, due diligence, residual-risk determination, treatment/acceptance, contracting, continuous monitoring, reassessment, and offboarding.
- Operationalize inherent-risk tiering to scope assessment depth and cadence based on data sensitivity, access, criticality, and business impact.
- Direct security, privacy, and resilience assessments using methodologies such as SIG/Shared Assessments and evidence including SOC 2 Type II, ISO 27001, PCI AOC, and penetration test results.
- Evaluate fourth-party/Nth-party dependencies, vendor concentration, and systemic risk across the supplier portfolio.
- Establish and lead risk reviews for third-party AI/GenAI tooling with security and privacy teams; address model and data-handling risks and shadow AI.
- Translate findings into concise, business-relevant risk narratives and actionable remediation plans with owners and timelines.
- Operate continuous monitoring leveraging external risk ratings, periodic attestations, threat/breach intelligence, and event-driven triggers.
- Coincide third-party incident response with SOC/IR; assess impact, drive containment, and track remediation to closure.
- Manage the third-party risk register and findings inventory; escalate aging or accepted risks through governance.
- Partner with Legal and Procurement to define and negotiate security, privacy, and resilience terms (control requirements, right-to-audit, breach notification SLAs, data protection, subprocessor controls).
- Develop a standardized library of contractual security requirements scaled to vendor risk tier.
- Define and report outcome-driven metrics and KRIs (e.g., residual risk trends, assessment cycle time/coverage, time-to-remediate, monitoring coverage, exception aging); deliver executive-ready reporting to governance forums.
- Serve as the primary point of contact for internal/external audits, regulatory exams, and carrier-partner due diligence.
- Build, lead, and develop a high-performing team of vendor risk analysts; set objectives, coach performance, and scale capability through playbooks, training, and quality reviews.
- Drive operational efficiency via process automation and analyst-assistive tooling to focus effort on judgment-intensive decisions.
Education and Experience
- 8+ years in information security, IT risk, or GRC, including 4+ years focused on third-party/vendor risk management.
- 2+ years of direct people leadership managing analysts or a risk team.
- Demonstrated experience designing or maturing a TPRM program lifecycle end to end.
- Strong working knowledge of NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, and assessment standards such as SIG/Shared Assessments.
- Experience reviewing assurance artifacts (SOC 2 Type II, ISO certifications, penetration test reports) and translating them into risk decisions.
- Hands-on experience with TPRM/GRC platforms and continuous monitoring/security-rating tools (e.g., ProcessUnity, OneTrust, Prevalent/Mitratech, Whistic, BitSight, SecurityScorecard, or comparable).
- Experience partnering with Procurement and Legal on vendor contracting and security/privacy terms.
- Excellent written and verbal communication, including executive briefing and defensible risk narratives.
- Bachelor’s degree in a related field or equivalent professional experience.
- PREFERRED: certifications such as CTPRP, CISSP, CISA, CRISC, or CISM; experience in regulated consumer or financial environments (e.g., GLBA, PCI DSS, state privacy laws); experience with AI/GenAI risk assessment; familiarity with three lines of defense; experience with automation or AI-assisted workflows in GRC.