The New York Times
Third-Party Risk Sourcing Manager
At a Glance
- Location: United States
- Experience: 5+ years
- Posted: 2026-02-11T09:32:51-05:00
Key Requirements
Certifications
- ISO
Domain Knowledge
- Cybersecurity
- Finance
- Medical
Requirements
5+ years of experience in third-party risk management, vendor risk, IT risk, or adjacent governance roles, with hands-on due diligence and assessment experience.
Proficiency in reviewing vendor security/privacy evidence.
Familiarity with contractual terms in procurement, including limitation of liability, indemnities, confidentiality and Service Level Agreements.
Knowledge of TPRM systems (e.g., ProcessUnity, Navex, Whistic) and intake-to-pay systems (preferably Zip).
Understanding of external ratings from providers like BitSight, SecurityScorecard, and others.
Familiarity with security and privacy frameworks, including the NIST Cybersecurity Framework, ISO 27001/27701, SOC 2, and PCI DSS, and with privacy regulations such as the General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA).
Responsibilities
We are looking for a Third-Party Risk Sourcing Manager to join our Strategic Sourcing team, reporting directly to the Executive Director, Strategic Sourcing. You will lead our daily third-party risk due diligence efforts, collaborating with departments such as Technology and Legal to address risks across a range of domains.
You will oversee sourcing enablement services, intake operations, policy implementation, and automation to support tail-spend sourcing programs. You will focus on coaching and work allocation, with limited direct people leadership responsibilities. We operate under a hybrid remote/in-office policy, requiring three days per week in our New York City office and two days remote.
Third-Party Risk Management
Perform initial reviews for low- and medium-risk vendors. During these reviews, you will examine evidence to identify control gaps and residual risk. This evidence includes SIG/SIG Lite and CAIQ questionnaires, SOC 2 Type II reports, ISO 27001 certificates, PCI SAQ/AoC, DPAs, BC/DR plans, and VAPT (penetration test) summaries. Evaluate and escalate high-risk vendors to internal subject matter experts, and coordinate mitigation actions and follow-up.
Lead time-bound risk review meetings and escalations with subject matter experts. You will maintain and apply risk guides, document decisions and risk acceptances, coordinate mitigations, and track remediation to closure.