The Third-Party Risk Analyst manages and mitigates risks associated with the company’s third-party relationships. This role involves assessing and monitoring third-party vendors, conducting in-depth risk assessments, and working collaboratively across departments to ensure vendors meet security, compliance, and operational standards. The ideal candidate will have a strong background in risk management, vendor assessments, and regulatory compliance, with the ability to develop and implement effective third-party risk management strategies.
Key Responsibilities
- Third-Party Assessments: Conduct comprehensive assessments of third-party vendors, focusing on cybersecurity, data privacy, compliance, financial stability, and operational resilience.
- Risk Analysis & Scoring: Evaluate vendor risk using quantitative and qualitative approaches, assign risk scores, and identify compensating controls to mitigate identified risks.
- Continuous Monitoring: Develop and implement processes for ongoing monitoring of third-party risks, keeping abreast of changes in vendor performance, industry regulations, and threat landscapes.
- Incident Management: Collaborate with relevant teams to manage vendor-related incidents, ensuring effective communication, remediation, and follow-up activities.
- Stakeholder Collaboration: Act as a point of contact for internal stakeholders (e.g., Information Security, Legal, Compliance, Procurement) to ensure vendor risks are identified, communicated, and mitigated appropriately.
- Documentation & Reporting: Prepare detailed risk assessment reports and dashboards for senior leadership, providing insights and recommendations for third-party risk reduction.
- Framework Development: Assist in developing and refining the third-party risk management framework, ensuring alignment with industry best practices (e.g., NIST, ISO, Shared Assessments).
- Regulatory Compliance: Ensure that third-party risk management activities comply with relevant regulations and industry standards, including GDPR, CCPA, PCI DSS, and others, as applicable.
- Vendor Risk Awareness Training: Guide internal stakeholders on third-party risk management policies, procedures, and best practices.
Qualifications
- Bachelor’s degree in Information Security, Risk Management, Business, or a related field. Relevant certifications such as CTPRP, CTPRA, or TPCRA a plus.
- Minimum of 2 years of experience in third-party risk management, vendor management, or a related field.
- Understanding of cybersecurity principles, data privacy laws, and regulatory requirements.
- Familiarity with third-party risk management tools and platforms (e.g., Black Kite, Vanta).
- Proficient in risk management frameworks (NIST, ISO 27001/27018, FAIR).
- Strong analytical and problem-solving skills, with the ability to interpret complex risk data and make informed decisions.
- Excellent written and verbal communication skills, capable of articulating complex risk concepts to technical and non-technical audiences.
- Meticulous with an eye for identifying risks and gaps in vendor assessments.
- Ability to work cross-functionally with various departments, balancing diverse perspectives and objectives.
Additional Preferred Skills
- Hands-on experience with Cyber Risk Quantification (CRQ) to provide financial context to third-party risks.
- Knowledge of emerging technologies and their associated risks, especially in AI and cloud computing.