Third Party Risk Management Lead
Sungrow · United States · 3 mo ago
RemoteRemoteFinanceContract
Key Responsibilities
- Build and operate the TPRM program lifecycle, including:
- Vendor intake and risk tiering
- Security assessments and due diligence
- Ongoing monitoring and reassessment
- Define and enforce minimum security requirements for vendors and suppliers
- Partner with legal and procurement to embed security and risk clauses into contracts
- Establish processes for exception management and risk acceptance
- Risk Assessment & Due Diligence:
- Lead execution of third-party security reviews, including:
- Questionnaires and evidence validation
- Review of SOC 2, ISO certifications, and supporting artifacts
- Identify and communicate material risks and required mitigations
- Ensure alignment to frameworks (NIST, ISO 27001, SOC 2, NERC CIP where applicable)
- Continuous Monitoring & Issue Management:
- Implement ongoing monitoring capabilities for vendor risk posture
- Track and drive remediation of identified third-party risks
- Maintain visibility into fourth-party and supply chain dependencies where relevant
- Business Continuity & Resilience (BCDR/BIA Support):
- Support development of Business Impact Analysis (BIA) across critical functions
- Partner with business and IT stakeholders to define:
- Critical processes
- Recovery time objectives (RTO) / recovery point objectives (RPO)
- Contribute to the development of BCDR plans and testing frameworks
- Ensure third-party dependencies are integrated into continuity planning
- Governance, Reporting & Audit Readiness:
- Develop and track TPRM KPIs and risk metrics
- Provide executive-level reporting on third-party risk posture
- Maintain documentation and evidence to support:
- Audits
- Customer security reviews
- Regulatory inquiries
- Ensure program is defensible and repeatable
- Cross-Functional Collaboration:
- Partner with:
- Procurement (vendor onboarding)
- Legal (contractual protections)
- IT and engineering (technical validation)
- Act as the central point of coordination for third-party risk decisions
Requirements
- 7–10+ years of experience in third-party risk management, GRC, or vendor risk programs
- Proven experience building or leading a TPRM program in a regulated or enterprise environment
- Strong understanding of:
- Vendor risk assessment methodologies
- Security frameworks (NIST, ISO 27001, SOC 2)
- Experience reviewing:
- Security documentation (policies, controls, audit reports)
- Third-party attestations (SOC 2, ISO certifications)
- Working knowledge of business continuity and resilience concepts (BIA, BCDR)
- Ability to drive cross-functional alignment and accountability
Preferred Experience
- In energy, industrial, or critical infrastructure sectors
- Familiarity with NERC CIP requirements
- Experience implementing or operating TPRM platforms/tools
- Certifications such as CRISC, CISM, CISSP, or CTPRP
Competencies
- Program Builder: Can stand up and mature TPRM from structure to scale
- Risk Translator: Converts vendor risk into business and contractual impact
- Governance-Oriented: Ensures decisions are documented and defensible
- Cross-Functional Operator: Effective with procurement, legal, IT, and engineering
- Pragmatic Enforcer: Balances risk reduction with business enablement
- Strategic Fit: Establishes control over external risk exposure
- Strengthens customer trust and regulatory alignment
- Enables defensible procurement and vendor onboarding decisions
- Buils foundation for enterprise resilience and continuity planning