Third-Party Risk Management Program Officer

HERITAGE BANK
Tacoma, WA
$100,884 - $151,326
Hybrid

About The Position

Heritage Bank has an exciting opportunity to join our organization! We are seeking a Third-Party Risk Management Program Officer to join our Risk and Compliance team. The third-party risk management program officer is responsible for the design, execution, and continuous improvement of the bank's third-party risk management program across the full vendor lifecycle, from onboarding through offboarding. Operating within the Second Line of Defense (2LoD), this role provides governance and oversight to ensure operational alignment of the bank's TPRM processes across Information Security, Legal, Procurement, Business Units, and Internal Audit. This position is accountable for ensuring third-party risks, including cybersecurity, operational, compliance, reputational, and concentration risks, are appropriately identified, assessed, and monitored in alignment with regulatory expectations.

Requirements

  • Bachelor’s degree in Business, Risk Management, Information Security or related field preferred.
  • 5+ years of recent experience in a vendor risk management, third-party oversight, or enterprise risk program role within a financial services environment required.
  • Proven experience leading the development, implementation, and ongoing management of an enterprise-scale third-party risk management program required.
  • Equivalent combination of education, training, certifications, and/or relevant work experience may be considered.
  • Provide an exceptional level of service for internal and external customers, with the ability to build and maintain positive, professional relationships, to successfully interact with and influence all levels of management and functional and cross-functional areas across the organization.
  • Highly effective listening, verbal, written, and telephone etiquette business communication skills, including effective questioning strategies, negotiation and presentation skills to communicate security-related concepts in a variety of settings, to a broad range of technical and non-technical staff. Ability to read, write, speak, and understand English well.
  • Strategic in approach to program design, problem solving, and decision-making, with demonstrated ability to quickly focus on key issues and make decisions under pressure of time constraints.
  • Risk based mindset and strong analytical and critical thinking skills, with the ability to independently assess risk decisions and constructively challenge assumptions and conclusions.
  • Thorough knowledge and understanding of regulatory frameworks (e.g. FFIEC, GLBA, PCI-DSS, SOX, HIPAA etc.) and of NIST CSF, ISO 27001, COBIT, COSO and vendor risk management frameworks.
  • Strong knowledge of information security assessment and auditing practices, including the ability to evaluate technical and business controls using established frameworks and methodologies, and to effectively interpret results from security tools and subject matter expert assessments.
  • Thorough knowledge and understanding of related statutory banking compliance regulations issued by the FDIC, FinCEN, and Federal Reserve Board, with strong knowledge of privacy laws, such as GLBA and SOX.
  • Strong project management, planning, organizational, time management, and follow-up skills, demonstrating a strong sense of urgency and ability to execute quickly, timely and efficiently; independently ensuring that priorities are set and commitments and deadlines are met with minimal direction and oversight.
  • Unquestionable integrity in handling sensitive and confidential information required.
  • Proficient and advanced use and understanding of MS Office products (Word, Excel, Outlook), with the ability to adapt to and learn new technologies quickly.
  • Proficient use and understanding of third-party risk management software (e.g. UpGuard, Tandem, Gartner, etc.).

Nice To Haves

  • Professional certifications as Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), or equivalent preferred.

Responsibilities

  • Leads and manages the Third-Party Risk Management (TPRM) Program, including development and continuous refinement of TPRM policies and procedures, risk tiering and segmentation models, risk rating methodologies, and vendor lifecycle control checkpoints.
  • Ensures alignment of the TPRM program with enterprise risk management (ERM), information security, compliance, and legal frameworks.
  • Oversees execution of inherent risk assessments, due diligence reviews, and control assessments across all third-party risk domains (cybersecurity, privacy, operational resilience, etc.).
  • Ensures appropriate engagement of cross-functional subject matter experts (e.g., Information Security, Legal, Compliance) and that roles and responsibilities are clearly defined within established processes.
  • Defines and maintains program tools, templates, escalation protocols, and residual risk acceptance processes.
  • Integrates and aligns TPRM program with related programs (e.g., Vendor Management, procurement, Business Continuity Planning, Information Security Risk Assessments, Cloud Governance, AI/Model Risk).
  • Establishes and tracks key risk indicators (KRIs).
  • Provides executive-level reporting on third-party risk posture, program maturity, and systemic exposures (e.g., concentration risk, critical service dependency).
  • Monitors and escalates open risk issues, overdue assessments, and policy exceptions.
  • Serves as the primary contact for regulatory exams and internal/external audits related to third-party risk.
  • Performs continuous monitoring of Critical and High risk third parties.
  • Maintains audit-ready documentation, evidence of program execution, and continuous improvement roadmap.
  • Monitors regulatory changes (e.g., OCC Bulletins, FFIEC updates, DORA, NYDFS, etc.) and updates program controls to align with evolving requirements.

Benefits

  • medical
  • dental
  • vision
  • life insurance
  • 401(k)
  • community volunteer time
  • generous time off policy
  • 10 paid vacation days annually
  • eight hours of paid sick leave per month
  • 11 paid holidays each calendar year
  • annual float day