About the Role:

We are seeking an experienced Third Party Risk & Compliance Analyst to lead our vendor risk management program while supporting broader governance, risk, and compliance initiatives. The successful candidate will conduct comprehensive third-party risk assessments, ensure compliance with regulatory requirements, and develop robust vendor risk management frameworks to protect our organization from external threats.

What You'll Do:

• Your primary focus will be to focus on Third Party Risk Management which will include conducting thorough information security risk assessments on external parties to ensure associated risks are within acceptable tolerance
• You will determine information security risk profiles for various vendor and business partner services using standardized questionnaires and industry best practices
• Assess third-party information security controls to ensure they meet or exceed our risk management requirements for the services to be provided
• Evaluate and identify security risks of third-party AI risk assessment solutions to provide guidance to internal stakeholders based on organizational policies and industry best practices
• Evaluate systemic, fourth-party, and vendor concentration risks to ensure resilience in the vendor ecosystem.
• You will focus on compliance and governance and must have knowledge in multi framework compliance to execute external audits and assessments for SOC1, SOC2, PCI DSS, ISO 27001, and NIST CSF frameworks
• Create and maintain third-party risk management policies, procedures, and standards
• Ensure regulatory adherence to compliance with applicable regulations, laws, and industry standards governing third-party relationships
• Maintain documentation management through comprehensive records of all assessments, communications, and risk documentation in our GRC platform
• Be involved in stakeholder engagement and communication by providing direction and guidance to stakeholders concerning risks associated with assessments findings and adherence to applicable procedures
• Respond to requests from external parties concerning our information risk management practices with appropriately scoped and accurate information
• Work closely with cross-functional partners like Legal, Procurement, IT, and business teams to identify control gaps and integrate risk requirements
• Report engagement status to management, project managers, and other business stakeholders as appropriate
• Help with process improvement & innovation by developing and implementing automation for evidence collection and risk assessment processes
• Maintain knowledge of current and emerging developments/trends in third-party risk management, assess impact, and collaborate with senior management to incorporate new trends
• Identify and implement process improvements that significantly improve quality across the team, department, and/or business unit
• Stay updated on emerging AI trends and technologies to support innovation within the organization
• Support risk mitigation & remediation through mitigation plans/solutions to eliminate, reduce, or mitigate identified risks
• Communicate risk mitigation solutions to both external parties and internal business stakeholders
• Oversee implementation of risk mitigation efforts and track progress to completion
• Establish ongoing monitoring processes for high-risk third-party relationships

What We’re Looking For:

• Overall, 2-3+ years of third-party risk management, vendor security assessments, and compliance experience
• Strong understanding of information security risk assessment methodologies and third-party risk management frameworks
• In-depth understanding of SOC frameworks, PCI DSS, ISO 27001, NIST, and relevant regulations
• Strong knowledge of cloud controls, environments, and emerging AI technologies
• Practical understanding of IT security compliance, risk management, access control, and security architecture
• Excellent analytical, diagnostic, critical thinking, and project management abilities
• Ability to clearly articulate technical concepts to both technical and non-technical stakeholders
• Proficiency in implementing automation for evidence collection and risk assessment processes

Preferred Qualifications:

• Bachelor's degree in Information Technology, Computer Science, Risk Management, or related field
• CISA, CISM, CISSP, CRISC, or other relevant security and risk management certifications, a plus
• Experience with risk management frameworks such as ISO 31000, COSO, or NIST
• Experience with Big 4 consulting firms or risk management consultancies
• Experience with GRC platforms, vendor risk management tools, and compliance software
• Proficiency in representing data graphically and creating executive-level risk reports
• Deep technical understanding of third-party risk management and its relationship to broader security frameworks
• Proven ability to lead complex vendor risk assessments from planning through execution
• Strong stakeholder engagement skills with both internal teams and external vendors
• Experience staying current with regulatory changes and emerging third-party risks
• Detail-oriented approach with ability to manage multiple vendor relationships and deadlines
• Track record of driving automation and process improvements in risk management programs
• Understanding of AI technologies and their associated risks in third-party relationships