Third-Party Risk Sourcing Manager

About the Role:

We are looking for a Third-Party Risk Sourcing Manager to join our Strategic Sourcing team, reporting directly to the Executive Director, Strategic Sourcing. You will lead our daily third-party risk due diligence efforts, collaborating with departments like Technology, and Legal to address risks across a range of domains.

You will oversee sourcing enablement services, intake operations, policy implementation, and automation, to support tail-spend sourcing programs. You will focus on coaching and work allocation, with limited direct people leadership responsibilities. We operate under a hybrid remote/in-office policy, requiring three days per week in our New York City office and two days remote.

Responsibilities:

Third-Party Risk Management

• Perform initial reviews for low/medium-risk vendors. During these reviews, you will examine evidence to identify gaps and residual risk. This evidence includes SIG/SIG Lite, CAIQ, SOC 2 Type II, ISO 27001, PCI SAQ/AoC, DPAs, BC/DR, and VAPT summaries. Evaluate and escalate high-risk vendors to internal subject matter experts and coordinate mitigation actions and follow up.
• Lead time-bound risk review meetings and escalations with subject matter experts. You will maintain using risk guides, document decisions and risk acceptance, coordinate mitigations, and track remediation to closure.
• Manage Third-Party Risk Management (TPRM) inventory and assessment Service level agreements. You will support incident response and vendor issue management. Additionally, you will process metrics involving publishing dashboards that track cycle time, backlog age, assessments, and remediation closure, and delivering partner training.

Source Enablement

• Tail-spend sourcing: Increase delivery velocity with risk-appropriate approaches; apply guides, informal RFx, and negotiation strategies.
• Intake/help desk: Serve as the front door for sourcing requests; maintain Service level agreements, and measure requester satisfaction.
• Efficient Contracting: use standard templates and establish fallback positions to manage Legal escalations.
• Enablement and continuous improvement: Improve adoption of Sourcing templates, and guides; refine Sourcing intake workflows to apply risk-appropriate effort.
• AI-assisted workflows: Design and operationalize AI-assisted processes (with guardrails) for Sourcing tasks.
• Demonstrate support and understanding of our value of journalistic independence and a commitment to our mission to seek the truth and help people understand the world.

Basic Qualifications:

• 5+ years of experience in third-party risk management, vendor risk, IT risk, or adjacent governance roles, with hands-on due diligence and assessment experience.
• Proficiency in reviewing vendor security/privacy evidence.
• Familiarity with contractual terms in procurement, including limitation of liability, indemnities, confidentiality and Service Level Agreements.
• Knowledge of TPRM systems (e.g., ProcessUnity, Navex, Whistic) and intake-to-pay systems (preferably Zip).
• Understanding of external ratings from providers like BitSight, SecurityScorecard, and others.
• Familiarity with frameworks is important. These include the National Institute of Standards and Technology Cybersecurity Framework, ISO 27001/27701, SOC 2, and PCI DSS. Additionally, knowledge of privacy regulations is necessary, such as the General Data Protection Regulation and California Privacy Rights Act.
• Experience managing queues against Service level agreements and prioritizing trade-offs.
• Bachelor's degree or equivalent practical experience.

Preferred Qualifications:

• 5+ years of Experience in Financial Services, or other regulated sectors.
• CTPRP, CRISC, or relevant security/risk certificates.

#LI-Hybrid

REQ-019303