Third-Party Risk Sourcing Manager

About The Position

Requirements

• 5+ years of experience in third-party risk management, vendor risk, IT risk, or adjacent governance roles, with hands-on due diligence and assessment experience.
• Proficiency in reviewing vendor security/privacy evidence.
• Familiarity with contractual terms in procurement, including limitation of liability, indemnities, confidentiality and Service Level Agreements.
• Knowledge of TPRM systems (e.g., ProcessUnity, Navex, Whistic) and intake-to-pay systems (preferably Zip).
• Understanding of external ratings from providers like BitSight, SecurityScorecard, and others.
• Familiarity with frameworks is important. These include the National Institute of Standards and Technology Cybersecurity Framework, ISO 27001/27701, SOC 2, and PCI DSS. Additionally, knowledge of privacy regulations is necessary, such as the General Data Protection Regulation and California Privacy Rights Act.
• Experience managing queues against Service level agreements and prioritizing trade-offs.
• Bachelor's degree or equivalent practical experience.

Nice To Haves

• 5+ years of Experience in Financial Services, or other regulated sectors.
• CTPRP, CRISC, or relevant security/risk certificates.

Responsibilities

• Perform initial reviews for low/medium-risk vendors. During these reviews, you will examine evidence to identify gaps and residual risk. This evidence includes SIG/SIG Lite, CAIQ, SOC 2 Type II, ISO 27001, PCI SAQ/AoC, DPAs, BC/DR, and VAPT summaries. Evaluate and escalate high-risk vendors to internal subject matter experts and coordinate mitigation actions and follow up.
• Lead time-bound risk review meetings and escalations with subject matter experts. You will maintain using risk guides, document decisions and risk acceptance, coordinate mitigations, and track remediation to closure.
• Manage Third-Party Risk Management (TPRM) inventory and assessment Service level agreements. You will support incident response and vendor issue management. Additionally, you will process metrics involving publishing dashboards that track cycle time, backlog age, assessments, and remediation closure, and delivering partner training.
• Tail-spend sourcing: Increase delivery velocity with risk-appropriate approaches; apply guides, informal RFx, and negotiation strategies.
• Intake/help desk: Serve as the front door for sourcing requests; maintain Service level agreements, and measure requester satisfaction.
• Efficient Contracting: use standard templates and establish fallback positions to manage Legal escalations.
• Enablement and continuous improvement: Improve adoption of Sourcing templates, and guides; refine Sourcing intake workflows to apply risk-appropriate effort.
• AI-assisted workflows: Design and operationalize AI-assisted processes (with guardrails) for Sourcing tasks.
• Demonstrate support and understanding of our value of journalistic independence and a commitment to our mission to seek the truth and help people understand the world.