
The Lead - Third-Party Risk Management (TPRM) is responsible for leading and operating the organization's third-party cybersecurity risk management program. This role ensures that cybersecurity risks introduced by vendors, suppliers, and partners are identified, assessed, monitored, and mitigated in alignment with enterprise risk appetite, regulatory requirements, and internal security standards.
The role provides hands-on program ownership, strong stakeholder coordination, and governance oversight across the complete third-party risk lifecycle, including onboarding, due diligence, periodic assessments, remediation tracking, renewals, and off-boarding.
- Lead the end-to-end third-party cybersecurity risk management lifecycle including vendor onboarding, risk assessments, renewals, and off-boarding
- Operationalize enterprise TPRM policies, standards, and minimum security requirements across all third-party engagements
- Define and maintain vendor risk tiering, assessment methodologies, and review frequency based on data sensitivity, criticality, and regulatory impact
- Ensure consistent application of risk assessment processes across business units
- Review and validate third-party security assessments, questionnaires, and supporting evidence
- Identify cybersecurity, privacy, and operational risks associated with third-party services
- Drive remediation plans with business owners and vendors for identified gaps and control deficiencies
- Support risk acceptance and exception processes, including documentation and leadership approvals
- Track remediation status, overdue actions, and residual risk
- Partner with Procurement, Legal, Privacy, Compliance, IT, and Business Owners throughout the vendor lifecycle
- Provide advisory input during contract reviews to ensure appropriate cybersecurity and data protection clauses are included
- Act as a trusted advisor to business stakeholders on third-party cyber risk implications and mitigation strategies
- Support onboarding of new vendors by guiding business teams through risk assessment requirements
- Maintain accurate third-party risk records in enterprise GRC / TPRM platforms (e.g., ServiceNow)
- Develop and present executive-level dashboards, metrics, and risk summaries for leadership consumption
- Monitor third-party risk trends, concentration risks, and systemic control gaps
- Support internal and external audits, regulatory reviews, and compliance assessments related to third-party risk
- Identify opportunities to streamline, automate, and enhance third-party risk processes
- Contribute to the evolution of TPRM policies, standards, and operating procedures
- Support continuous monitoring initiatives and integration of external risk intelligence where applicable
- Drive consistent, scalable, and auditable TPRM practices across the enterprise
- 8+ years of experience in cybersecurity risk management, GRC, or third-party risk management
- Strong hands-on experience operating or leading TPRM programs in complex enterprise environments
- Solid understanding of security and regulatory frameworks such as NIST CSF, ISO 27001, HIPAA, HITRUST, and PCI-DSS
- Experience working with GRC / TPRM platforms and workflow tools (ServiceNow preferred)
- Strong analytical, documentation, and stakeholder communication skills
- Ability to clearly articulate risk to both technical and non-technical audiences
- Experience in healthcare or other highly regulated industries
- Professional certifications such as CISA, CRISC, CISM, CISSP, or equivalent
- Experience supporting audits and regulatory engagements related to vendor risk
- Timely completion of third-party risk assessments
- Reduction in high-risk and overdue vendor findings
- Improved audit outcomes and regulatory alignment
- Increased visibility of third-party cyber risk for leadership
- Mature, consistent, and scalable TPRM operations
Providence, one of the US's largest not-for-profit healthcare systems, is committed to high quality, compassionate healthcare for all. Driven by the belief that health is a human right and the vision, "Health for a better world", Providence and its 121,000 caregivers strive to provide everyone access to affordable quality care and services.
Job ID: 144979823