Jobs · Finance · Tennessee

Sr. Manager, Third Party Risk Management

Asurion · Nashville, TN · Yesterday
On-siteFinanceFull-time

Key Responsibilities

  • Own strategy, design, and continuous improvement of the Third-Party/Vendor Risk Management (TPRM) program aligned to NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, and regulatory obligations.
  • Define and maintain TPRM policy, standards, procedures, and risk-tiering methodology; secure governance approval and drive consistent adoption across the enterprise.
  • Establish third-party risk appetite and tolerance thresholds with CISO and GRC leadership and apply them to vendor risk decisions.
  • Embed risk gates within sourcing, onboarding, contracting, renewal, and offboarding in partnership with Procurement and Legal.
  • Lead the full vendor risk lifecycle: intake, inherent-risk classification, due diligence, residual-risk determination, treatment/acceptance, contracting, continuous monitoring, reassessment, and offboarding.
  • Operationalize inherent-risk tiering to scope assessment depth and cadence based on data sensitivity, access, criticality, and business impact.
  • Direct security, privacy, and resilience assessments using methodologies such as SIG/Shared Assessments and evidence including SOC 2 Type II, ISO 27001, PCI AOC, and penetration test results.
  • Evaluate fourth-party/Nth-party dependencies, vendor concentration, and systemic risk across the supplier portfolio.
  • Establish and lead risk reviews for third-party AI/GenAI tooling with security and privacy teams; address model and data-handling risks and shadow AI.
  • Translate findings into concise, business-relevant risk narratives and actionable remediation plans with owners and timelines.
  • Operate continuous monitoring leveraging external risk ratings, periodic attestations, threat/breach intelligence, and event-driven triggers.
  • Coincide third-party incident response with SOC/IR; assess impact, drive containment, and track remediation to closure.
  • Manage the third-party risk register and findings inventory; escalate aging or accepted risks through governance.
  • Partner with Legal and Procurement to define and negotiate security, privacy, and resilience terms (control requirements, right-to-audit, breach notification SLAs, data protection, subprocessor controls).
  • Develop a standardized library of contractual security requirements scaled to vendor risk tier.
  • Define and report outcome-driven metrics and KRIs (e.g., residual risk trends, assessment cycle time/coverage, time-to-remediate, monitoring coverage, exception aging); deliver executive-ready reporting to governance forums.
  • Serve as the primary point of contact for internal/external audits, regulatory exams, and carrier-partner due diligence.
  • Build, lead, and develop a high-performing team of vendor risk analysts; set objectives, coach performance, and scale capability through playbooks, training, and quality reviews.
  • Drive operational efficiency via process automation and analyst-assistive tooling to focus effort on judgment-intensive decisions.

Education and Experience

  • 8+ years in information security, IT risk, or GRC, including 4+ years focused on third-party/vendor risk management.
  • 2+ years of direct people leadership managing analysts or a risk team.
  • Demonstrated experience designing or maturing a TPRM program lifecycle end to end.
  • Strong working knowledge of NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, and assessment standards such as SIG/Shared Assessments.
  • Experience reviewing assurance artifacts (SOC 2 Type II, ISO certifications, penetration test reports) and translating them into risk decisions.
  • Hands-on experience with TPRM/GRC platforms and continuous monitoring/security-rating tools (e.g., ProcessUnity, OneTrust, Prevalent/Mitratech, Whistic, BitSight, SecurityScorecard, or comparable).
  • Experience partnering with Procurement and Legal on vendor contracting and security/privacy terms.
  • Excellent written and verbal communication, including executive briefing and defensible risk narratives.
  • Bachelor’s degree in a related field or equivalent professional experience.
  • PREFERRED: certifications such as CTPRP, CISSP, CISA, CRISC, or CISM; experience in regulated consumer or financial environments (e.g., GLBA, PCI DSS, state privacy laws); experience with AI/GenAI risk assessment; familiarity with three lines of defense; experience with automation or AI-assisted workflows in GRC.

Similar jobs

Sr. Manager, Risk

Concora CreditBeaverton, OR· 3 wk ago
Finance$100/hrapply on careers-concoracredit.icims.com