
Third-Party Risk Manager, Cybersecurity
Tenet Healthcare
full-time
Location Type: Remote
Location: Texas • United States
Salary
💰 $118,560 - $191,360 per year
About the role
- Develop, manage, and continuously improve the organization’s Third-Party Risk Management (TPRM) program and platform, including policies, procedures, risk methodologies, and performance metrics.
- Lead risk assessments and due diligence processes for new and existing third-party vendors, including IT, business services, SaaS providers, and critical suppliers.
- Build criteria and processes to evaluate AI-based vendor technologies to identify risk exposure.
- Evaluate vendor security practices, policies, and controls using industry frameworks (e.g., NIST CSF).
- Partner with Procurement, Legal, Compliance, IT, and business stakeholders to integrate risk assessments into the vendor lifecycle, from onboarding through termination, and to review contracts, Business Associate Agreements (BAAs), and data-sharing agreements.
- Maintain a current and accurate vendor risk inventory and drive the development and execution of corrective action plans for vendors with risks or compliance gaps.
- Oversee the implementation of continuous monitoring controls and ensure timely reassessments of vendor risks.
- Collaborate with Internal Audit and Compliance teams to support external audits, regulatory requests, and risk reporting.
- Prepare executive-level reporting on third-party risk exposure and program effectiveness for GRC leadership and Board-level stakeholders.
- Stay current on emerging regulatory changes, industry standards (e.g., NIST, ISO, HIPAA, HITRUST), and best practices in third-party risk management, providing cybersecurity expertise and support for all IT Audit (SOX, PCI, HIPAA); Security Compliance (Vendor Security Assessments and Security Risk Analysis (SRA)); and Data Compliance (Data Classification and Automated / Continuous) audits.
Requirements
- Four-year degree in any business/technical area, or equivalent experience, is preferred
- Certification Preferred - CISSP, CRISC, CTPRP, CTPRA or HCISPP
- 5+ years of experience in third-party/vendor risk management, preferably within highly regulated industries such as healthcare, finance, or technology.
- Strong understanding of GRC frameworks, risk assessment methodologies, and regulatory requirements (e.g., HIPAA, GDPR, SOC 2, NIST CSF).
- Proven ability to communicate complex risk concepts clearly to both technical and non-technical stakeholders.
- Experience managing risk assessment platforms or GRC tools (e.g., Archer, ServiceNow, OneTrust, Prevalent or Safe Security).
- Excellent analytical, organizational, and interpersonal skills.
- Certifications such as CISSP, CRISC, CTPRP, CTPRA or HCISPP
Benefits
- Medical, dental, vision, disability, AD&D and life insurance
- Manager Time Off – 20 days per year
- Discretionary 401k match
- 10 paid holidays per year
- Health savings accounts, healthcare & dependent flexible spending accounts
- Employee Assistance program, Employee discount program
- Voluntary benefits include pet insurance, legal insurance, accident and critical illness insurance, long term care, elder & childcare, auto & home insurance.
- For Colorado employees, paid leave in accordance with Colorado’s Healthy Families and Workplaces Act is available.
Applicant Tracking System Keywords
Tip: use these terms in your resume and cover letter to boost ATS matches.
Hard Skills & Tools
third-party risk management, risk assessments, due diligence, vendor security assessments, risk methodologies, performance metrics, continuous monitoring controls, data classification, security risk analysis, regulatory compliance
Soft Skills
analytical skills, organizational skills, interpersonal skills, communication skills
Certifications
CISSP, CRISC, CTPRP, CTPRA, HCISPP