About The Position

The Senior Manager, Third Party Risk Management (TPRM) Policy is a key leadership role embedded within Hagerty's Enterprise Procurement & TPRM function. This position is responsible for building and stewarding a robust third-party risk governance framework that protects Hagerty from vendor-related operational, financial, regulatory, and reputational exposure—while enabling the business to move at speed with the right partners. Sitting within Enterprise Procurement, this role is uniquely positioned at the intersection of sourcing decisions and risk governance. The Senior Manager will own TPRM policy end-to-end, integrate risk discipline into the full vendor lifecycle, and serve as the connective tissue between Procurement, Enterprise Risk Management, Legal, IT/Security, and business stakeholders. The ideal candidate combines policy expertise with a practical, business-enabling mindset – someone who knows that good risk management doesn't slow deals down; it makes them better.

Requirements

  • Proven, progressive experience in third party risk management, vendor management, procurement risk, compliance, or enterprise risk—including experience in a policy ownership or program leadership role.
  • Demonstrated expertise in TPRM framework design and policy writing, including risk tiering, due diligence program management, and vendor lifecycle controls.
  • Strong knowledge of applicable regulatory and compliance frameworks, including insurance industry regulations, NAIC guidelines, state privacy laws, and standards such as NIST CSF, SOC 2, and ISO 27001.
  • Experience working directly within or alongside a Procurement or Strategic Sourcing function, with an understanding of sourcing processes, contract structures, and supplier relationship management.
  • Proven ability to influence senior stakeholders and drive alignment across cross-functional teams without direct authority.
  • Exceptional written and verbal communication skills, with a track record of producing high-quality policy documents and presenting risk topics clearly to executive audiences.
  • Familiarity with public company requirements, including Sarbanes-Oxley and key regulations, if applicable.
  • For SOX-compliant roles, responsible for designing, executing, and documenting internal controls where they have been identified as owners to prevent errors in financial reporting, processes, and business operations, including attestation to the completeness, accuracy, and compliance of all financial reporting data, where applicable.

Nice To Haves

  • Prior experience in the insurance or financial services industry, with direct familiarity with NAIC model laws and state insurance department examination processes.
  • Professional certifications such as CRISC, CTPRP, CISA, CISM, CPM, or equivalent risk or procurement credentials.
  • Hands-on experience implementing or administering a GRC or TPRM platform (e.g., Archer, ServiceNow GRC, ProcessUnity, Venminder, Coupa Risk Assess).
  • Experience supporting or leading regulatory examinations or internal audits related to vendor management or operational risk.
  • Bachelor's degree in Risk Management, Business, Supply Chain, Finance, Information Systems, or a related field.

Responsibilities

  • Own, author, and maintain Hagerty's enterprise-wide Third Party Risk Management policy, standards, and procedures, ensuring alignment with regulatory requirements, industry frameworks (e.g., NIST CSF, ISO 27001, COBIT), and Hagerty's risk appetite.
  • Lead scheduled and event-driven policy reviews, updating documentation in response to changes in regulation, business strategy, technology, or the vendor landscape.
  • Align TPRM policy with adjacent governance frameworks including information security, business continuity, data privacy, and enterprise risk management—ensuring consistency without duplication.
  • Ensure TPRM policies meet applicable state and federal insurance regulations, NAIC model law requirements, and any contractual or audit-driven obligations.
  • Design and administer a formal policy exception process, documenting risk acceptance decisions with appropriate stakeholder sign-off.
  • Design and embed a risk tiering methodology into Hagerty's sourcing and onboarding process, ensuring the level of pre-contract due diligence is calibrated to the risk profile of each vendor.
  • Partner with Enterprise Procurement and Legal to ensure vendor contracts include appropriate risk and compliance provisions—covering data protection, business continuity, audit rights, and termination for cause.
  • Oversee a structured program of periodic reassessments, performance reviews, and continuous monitoring activities for active third parties, with heightened attention to critical and high-risk vendors.
  • Establish standards for vendor offboarding that protect Hagerty's data, systems, and operational continuity at contract termination.
  • Maintain a register of critical and high-risk third parties, coordinate enhanced oversight activities and reviews, and ensure concentration risks are visible to senior leadership.
  • Function as the day-to-day risk advisor to the Enterprise Procurement team, providing guidance during sourcing events, RFP evaluation, negotiation, and contract execution.
  • Bring third party risk considerations into category strategies and sourcing decisions early—helping the business identify and mitigate risk before commitments are made.
  • Serve as a trusted TPRM resource for business unit stakeholders who engage vendors directly, ensuring consistent application of policy across the organization and active participation in supplier business reviews.
  • Design and deliver TPRM training for Enterprise Procurement staff and business-facing teams, building risk literacy and practical policy compliance across all vendor-facing roles.
  • Develop and present TPRM program dashboards, key risk indicators (KRIs), and risk trend analysis to the VP of Enterprise Procurement, ERM leadership, and Risk Committee audiences as appropriate.
  • Serve as Enterprise Procurement's primary point of contact for internal audit and external regulatory examiners on TPRM policy, controls, and evidence.
  • Identify, document, and drive resolution of risk findings and gaps across the third party portfolio, escalating as needed to senior stakeholders.
  • Build and execute a multi-year TPRM maturity roadmap aligned to Hagerty's growth trajectory, digital transformation, and evolving risk environment.
  • Lead or support the evaluation and implementation of TPRM software and GRC platforms to automate assessments, centralize vendor data, and improve reporting efficiency.

Benefits

  • Comprehensive benefits
  • Perks that set us apart