Third-Party Risk Analyst
Black Kite
This job is no longer accepting applications
IT
Phoenix, AZ, USA · Remote
Posted on Nov 5, 2024
The Third-Party Risk Analyst manages and mitigates risks associated with the company’s third-party relationships. This role involves assessing and monitoring third-party vendors, conducting in-depth risk assessments, and working collaboratively across departments to ensure vendors meet security, compliance, and operational standards. The ideal candidate will have a strong background in risk management, vendor assessments, and regulatory compliance, with the ability to develop and implement effective third-party risk management strategies.
Key Responsibilities
- Third-Party Assessments: Conduct comprehensive assessments of third-party vendors, focusing on cybersecurity, data privacy, compliance, financial stability, and operational resilience.
- Risk Analysis & Scoring: Evaluate vendor risk using quantitative and qualitative approaches, assign risk scores, and identify compensating controls to mitigate identified risks.
- Continuous Monitoring: Develop and implement processes for ongoing monitoring of third-party risks, keeping abreast of changes in vendor performance, industry regulations, and threat landscapes.
- Incident Management: Collaborate with relevant teams to manage vendor-related incidents, ensuring effective communication, remediation, and follow-up activities.
- Stakeholder Collaboration: Act as a point of contact for internal stakeholders (e.g., Information Security, Legal, Compliance, Procurement) to ensure vendor risks are identified, communicated, and mitigated appropriately.
- Documentation & Reporting: Prepare detailed risk assessment reports and dashboards for senior leadership, providing insights and recommendations for third-party risk reduction.
- Framework Development: Assist in developing and refining the third-party risk management framework, ensuring alignment with industry best practices (e.g., NIST, ISO, Shared Assessments).
- Regulatory Compliance: Ensure that third-party risk management activities comply with relevant regulations and industry standards, including GDPR, CCPA, PCI-DSS, and others, as applicable.
- Vendor Risk Awareness Training: Guide internal stakeholders on third-party risk management policies, procedures, and best practices.
Qualifications
- Bachelor’s degree in Information Security, Risk Management, Business, or a related field. Relevant certifications such as CTPRP, CTPRA, or TPCRA are a plus.
- Minimum of 2+ years of experience in third-party risk management, vendor management, or a related field.
- Understanding of cybersecurity principles, data privacy laws, and regulatory requirements.
- Familiarity with third-party risk management tools and platforms (e.g., Black Kite, Vanta).
- Proficient in risk management frameworks (NIST, ISO 27001/27018, FAIR).
- Strong analytical and problem-solving skills, with the ability to interpret complex risk data and make informed decisions.
- Excellent written and verbal communication skills, capable of articulating complex risk concepts to technical and non-technical audiences.
- Meticulous with an eye for identifying risks and gaps in vendor assessments.
- Ability to work cross-functionally with various departments, balancing diverse perspectives and objectives.
Additional Preferred Skills
- Hands-on experience with Cyber Risk Quantification (CRQ) to provide financial context to third-party risks.
- Knowledge of emerging technologies and their associated risks, especially in AI and cloud computing.