Third-Party Risk Manager

About The Position

Requirements

• Working knowledge of the regulatory landscape applicable to independent mortgage banks, including FHFA, CFPB, HUD, GLBA, state licensing authorities, GSE (Fannie Mae and Freddie Mac) seller/servicer requirements, and secondary market investor and warehouse lender expectations.
• Demonstrated ability to evaluate SOC 1 and SOC 2 reports, information security questionnaires, financial statements, insurance coverage, and business continuity documentation, and translate findings into clear and well-supported risk decisions.
• Experience administering a vendor management software platform such as VendorRisk.com, Venminder, ProcessUnity, Archer, or a comparable solution.
• Strong understanding of inherent risk, residual risk, risk mitigation strategies, and the role of compensating controls within an effective risk management framework.
• Excellent written and verbal communication skills, with the ability to brief executive leadership, prepare findings that withstand examiner and audit scrutiny, and explain risk decisions to non-technical business stakeholders.
• Strong project management and organizational skills, with the ability to manage recurring assessment schedules across a large vendor population while maintaining accuracy and timeliness.
• Solid working knowledge of Microsoft 365 applications, including Excel, Word, Outlook, Teams, and SharePoint, for reporting, documentation, file management, and collaboration.
• Demonstrated discretion and sound judgment when handling non-public personal information (NPI), confidential vendor information, contractual terms, and other sensitive business data.
• Minimum of five (5) years of experience in third-party risk management, vendor management, operational risk, compliance, or audit, with demonstrated day-to-day ownership of a formal risk management program.
• Minimum of five (5) years of experience within a regulated financial services environment; mortgage industry experience is strongly preferred.
• Minimum of five (5) years of management, team leadership, or program leadership experience with responsibility for driving program execution, stakeholder engagement, and risk oversight.

Responsibilities

• Determine the inherent risk tier (Tier 1, Tier 2, or Tier 3) for every third party prior to contracting or engagement, consistent with the criteria defined in TPRM02.
• Perform and document inherent risk assessments during onboarding, according to the policy reassessment schedule (annual for Tier 1 and bi-annual for Tier 2 vendors), and whenever a material change occurs in the vendor relationship.
• Administer the due diligence process, including the issuance and evaluation of vendor due diligence questionnaires (DDQs), SOC 1 and SOC 2 reports, financial statements, insurance certificates, business continuity and information security documentation, and licensing or regulatory standing.
• Maintain the authoritative third-party inventory, including assigned risk tier, services provided, data classification, system access, contract status, and all supporting documentation.
• Administer the Company’s vendor management software platform, including profile setup, document collection, workflow configuration, expiration tracking, contract repository management, and audit history maintenance.
• Monitor all vendors, contractors, and third-party counterparties against the FHFA Suspended Counterparty List (SCL) prior to engagement and on a recurring monthly basis; immediately escalate any matches to General Counsel and Compliance.
• Coordinate contract reviews with Legal to ensure all required clauses are included, including information security, confidentiality, audit rights, subcontracting, breach notification, business continuity, termination, and return or destruction of data provisions.
• Track and report vendor incidents, performance issues, breaches, and remediation activities; communicate findings to business owners and escalate material concerns to the Risk Management Committee.
• Maintain documentation of vendor reviews, due diligence activities, identified risks, and required remediation efforts; provide training to business owners on intake and approval workflows.
• Administer the vendor termination process, including coordination of the return of Company property and the return or destruction of Company data and information in accordance with legal and regulatory requirements.
• Document and route policy exceptions for approval by the Third-Party Risk Manager and, when required, the Risk Management Committee.
• Prepare periodic TPRM reporting and performance metrics for senior leadership, the Risk Management Committee, internal audit, external examiners, investors, and warehouse lenders.
• Support audits and regulatory examinations by producing vendor inventories, risk assessments, due diligence files, and program documentation upon request.
• Coordinate with the AI Governance Committee on due diligence and risk tiering activities related to third-party AI solutions and AI-enabled vendor features, consistent with RAIG01 Section 10.
• Lead the annual review of the Third-Party Risk Management Policy (TPRM02) and recommend revisions for approval.
• Perform other duties and responsibilities as assigned.

Benefits

• Above market salary
• HMO on Day 1 for principal and two dependents
• Government-mandated benefits
• Performance-based Incentives
• Quarterly Company Events
• 1,000 PHP De Minimis
• Equipment and software provided