Third Party Risk & Assurance Specialist London 3 month contract Excellent day rate
We are seeking a specialist in third party risk and assurance, with experience across various types of technology service providers. This is a multi-faceted role supporting both a Technology Transformation Programme as well as maintaining oversight over current operational technology and applications.
This role will suit someone who has managed vendors previously, or someone with equivalent practical experience in providing technology and security assurance for clients, who is looking to grow into a GRC role and potentially beyond third party risk.
1. Third party governance and risk management framework
- Support the development and implementation of third party policies and governance controls with other functions, e.g. Finance, Legal, Procurement, Security, Architecture, Risk;
- Develop technology service and operational risk considerations for supplier tier classification definitions;
- Review existing technology supplier due diligence and work with SME functions to streamline the process;
- Create and maintain a risk taxonomy and reference library to support third party risk identification and assessment for technology;
- Ensure all Technology and Application changes involving third parties follow policies, standards and governance procedures, and support various stage gate assessments including business case and design reviews, operational readiness and service transition, data management and governance, migration and decommissioning/vendor exits.
2. Procurement due diligence and supplier risk assessments
- Work with multiple functions to understand business use cases, and work with Procurement to plan for timely third party due diligence and risk assessments to inform decision making;
- Review and support relevant architecture and integration plans, including internal operational process change;
- Triage level of inherent risk for prospective third party relationships, managing various teams to agree on final tier classification;
- Work with Procurement to manage the due diligence process, including time expectations around reviews and responses from both SME teams and third parties, and mapping received third party documentation to requirements for review;
- Coordinate and ensure that Data Protection rules and requirements are met during due diligence by both internal teams and third parties, and support the management of any privacy violations;
- Evaluate how third parties will meet their compliance obligations and how they will affect our compliance posture, including reviews of third parties' policies, penetration test and post-incident reports, and independent audit reports;
- Produce and act as editor for due diligence risk reports, capturing trends and KRIs for management review.
3. Third party onboarding, contracts and renewals
- Provide SME support in contractual negotiations and renewals managed by Procurement;
- Support IT Risk and Controls Manager and Operational Resilience Manager to create and document new controls or adapt existing ones as necessary;
- Support operational readiness and service transition risk assessments for onboarded third parties.
4. Ongoing third party risk management and monitoring
- Understand business and technology service third party dependencies, and work with various teams and our Operational Resilience Manager to conduct business impact and vulnerability assessments of the supply chain, as well as developing exit plans for critical third parties;
- Work with IT Risk and Controls Manager and Operational Resilience Manager to develop and implement asset management and control assurance strategies; this will involve maintaining a third party outsourcing risk register as well as supporting IT disaster recovery and business continuity planning across the technology and application estate involving third party supply chains;
- Run a programme of regular supplier control assurance, tracking and managing the progress of any agreed action plans to completion; conduct and manage rights-to-audit as necessary;
- Support the implementation of the internal risk framework which includes Risk Control Self-Assessments, as well as overseeing and tracking third party issues, policy exceptions and non-compliances and associated risks;
- Oversee risk events and incident management involving third parties with the Operational Resilience Manager, including quality assurance for post-incident reviews;
- Support the management of any third party exit and any required decommissioning actions.
5. Reporting & documentation
- Work with multiple teams to prepare and present regular reports on third party governance, management, performance and risk;
- Maintain accurate documentation for Technology Services Governance processes, project updates and client interactions for audit readiness and knowledge transfer.
6. Management & development
- Work closely with Technology Service teams to promote learning and understanding throughout the business, including the creation, contribution to and maintenance of relevant compliance and awareness training;
- Proactively research state-of-the-art technology and third party risk and assurance techniques to improve the technology services as well as enhancing your own knowledge;
- Support the learning and development of your fellow Technology Services Governance team managers and analysts.
