AML RightSource

AML RightSource is committed to fostering a diverse work environment and is proud to be an equal opportunity employer. We provide equal employment opportunities to all qualified applicants without regard to race, color, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by federal, state, or local laws.

Third Party Risk Management (TPRM) Lead

Risk | Full Time | Remote | Lead | Team 5,001-10,000

Location

Poland

Posted

2 days ago

Salary

PLN14.2K / month

Seniority

Lead

Job Description

Role Description

The Third Party Risk Management (TPRM) Lead is responsible for designing, implementing, and operating an enterprise-wide Third Party Risk Management framework. This role leads the transformation of the current vendor onboarding and oversight process into a structured, scalable, and risk-based TPRM program aligned with regulatory expectations and organizational risk appetite. The TPRM Lead partners cross-functionally with Information Security, Privacy, Legal, IT, and Business stakeholders to ensure third-party risks are appropriately identified, assessed, monitored, and mitigated throughout the vendor lifecycle.

- Lead and administer the global Third Party/vendor review program, including risk rating of new vendors, managing the end-to-end onboarding process, and conducting annual reviews of existing material and high-risk vendors.
- Implement formal Third Party Risk Management framework aligned with industry standards and best practices.
- Establish procedures covering:
  - Vendor onboarding
  - Ongoing monitoring
  - Vendor offboarding
- Organize and maintain centralized repositories for relevant Third-Party Risk and metrics documents.
- Establish and maintain a centralized vendor inventory with risk classification and ownership tracking.
- Review and redesign vendor onboarding workflows and intake questionnaires.
- Ensure onboarding requirements align with:
  - Information Security requirements
  - Privacy and data protection requirements
  - Regulatory and compliance expectations
- Develop and implement standardized vendor risk assessment questionnaires.
- Define minimum evidence and documentation requirements, including certifications, control attestations, and security documentation.
- Establish review, escalation, and approval workflows for vendor assessments.
- Perform specialized reviews with Information Security and Privacy teams, including technical assessments and Data Protection Impact Assessment (DPIA) where required.
- Design and implement a structured vendor monitoring and annual review program.
- Track vendor risk posture over time and ensure timely reassessments and remediation follow-up.
- Support customer due diligence processes and reduce repetitive inbound security questionnaires through centralized documentation.
- Assess and integrate evolving regulatory requirements impacting third-party risk management, including EU AI Act considerations where applicable.
- Ensure AI-related vendor risks are identified and addressed within the TPRM framework.
- Monitor emerging regulatory, technology, and operational risks relevant to vendor management practices.
- Lead remediation and reduction of existing vendor review and alerts using a risk-based prioritization approach.
- Serve as the primary point of contact for third-party risk management matters across the organization.
- Develop and maintain TPRM metrics, dashboards, and reporting capabilities.
- Provide regular reporting and program updates for Risk & Compliance leadership.
- Partner with Legal to ensure that Non-Disclosure Agreements (NDAs) are properly executed where required.
- Serve as the primary point of contact for Third Party adverse media escalations (Perform Level 2 disposition).
- Support internal audits, external audits/certifications (i.e. SOC2, ISO27001), customer due diligence, and certification activities.
- Help identify and lead initiatives to ensure that compliance activities throughout the organization are effective and in compliance with SOC2 and ISO27001.
- Assist with generating responses to Client Due Diligence requests.
- Assist with the execution of compliance related activities such as our Business Continuity/Disaster Recovery exercises, risk matrix reviews, incident response tabletops, etc.
- Perform analysis of software to ensure compliance with IP rights.
- Support broader compliance activities as needed.

Qualifications

- 3–5 years of experience in Third Party Risk Management, Vendor Management, Information Security, Compliance, Risk, Audit, Privacy, or related operational function.
- Experience supporting vendor onboarding, risk assessments, compliance reviews, privacy reviews, or governance processes.
- Ability to coordinate cross-functional activities involving Information Security, Privacy, Legal, and Business stakeholders.
- Experience reviewing vendor documentation such as SOC 2 reports, security questionnaires, certifications, privacy documentation, or compliance evidence is preferred.
- Familiarity with privacy and data protection requirements impacting third-party risk management, including GDPR concepts, DPIAs, and data processing considerations.
- Strong analytical and problem-solving skills with attention to detail.
- Effective written and verbal communication skills, including the ability to communicate risk, privacy, and process requirements clearly to stakeholders.
- Experience working with governance, risk, compliance, procurement, ticketing, or vendor management tools (e.g., JIRA) is preferred.
- Ability to support process improvement initiatives and help implement scalable governance practices.
- Relevant certifications such as CIPP/E, Security+, ISO 27001 Foundations, CISA, CRISC, or similar are a plus.

Benefits

- Minimum salary: 14,166 PLN gross/month
- Comprehensive private medical healthcare
- Remote work options subject to the type of position or project
- The option to join a group private insurance plan (subject to a fee)
- MyBenefit Cafeteria including Multisport
- Annual discretionary bonus, subject to both company performance and individual contribution
- Employee Assistance Program (EAP)
- Access to goFLUENT language learning platform

More Risk Jobs

Shariah Risk Associate

Wahed

Halal investing made simple

Risk | 2 days ago
Full Time | Remote | Team 51-200 | Since 2017 | H1B No Sponsor

• Assist in reviewing internal documents, contracts, and product materials from a Shariah perspective.
• Support Shariah compliance monitoring activities, including maintaining approval records, trackers, and audit documentation.
• Conduct basic research on Shariah rulings, AAOIFI standards, and contemporary Islamic finance practices.
• Help prepare summaries, internal reports, and presentations for Shariah reviews and training sessions.
• Support the Shariah team in responding to internal queries, risk reviews, and audit requirements.
• Maintain organized documentation, version control, and structured archives for Shariah-related materials.

India

Regional Quality/Risk Director

Encompass Health

Encompass Health is a trusted leader in post-acute care with over 150 nationwide locations and a team of 36,000 exceptional individuals and growing! We proudly set the standard in care by leading with empathy. We do what's right, focus on the positive, and stand stronger together. We provide equal employment opportunities regardless of race, ethnicity, gender, sexual orientation, gender identity or expression, religion, national origin, color, creed, age, mental or physical disability, or any other protected classification.

Risk | 3 days ago
Full Time | Remote | Team 10,001

Role Description

The Regional Quality/Risk Director is responsible for helping to create an environment and culture that enables the region to fulfill its mission by meeting or exceeding its goals, conveying the company's mission to all staff, facilitating hospital accountability for their performance, and motivating staff to improve their performance.

- This position will support cultural diversity by ensuring that the delivery of quality, equitable and culturally competent patient-centered care is provided.
- Promoting and maintaining an inclusive work environment and culture that is respectful and accepting of diversity.

Qualifications

- Experience in quality and risk management.
- Strong leadership and motivational skills.
- Ability to work in a remote environment.

Requirements

- Job Code: 100140
- #LI-KC1

Benefits

- Competitive salary and benefits package.
- Opportunities for professional development.
- Inclusive culture that celebrates diversity.

Company Description

Encompass Health is a trusted leader in post-acute care with over 150 nationwide locations and a team of 36,000 exceptional individuals and growing!

- We proudly set the standard in care by leading with empathy.
- We do what's right, focus on the positive, and stand stronger together.
- We provide equal employment opportunities regardless of race, ethnicity, gender, sexual orientation, gender identity or expression, religion, national origin, color, creed, age, mental or physical disability, or any other protected classification.

United States

Risk Control Consultant (Specialist)

Church Mutual Insurance Company, S.I.

Church Mutual is an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, veteran or disability status. Exact compensation will vary based on consideration of a variety of factors including education, skills, experience, and location.

Risk | 3 days ago

Role Description

Provide risk control services to Church Mutual customers and prospective accounts for a specific market segment. Represent Risk Control at service capability presentations and customer onboarding sessions. Analyze data to determine gaps in risk control services/materials to the specialized market and develop and implement solutions. Develop relevant and unique educational content pertinent to the specific market.

On any given day, you'll:

- Consult with customers, in the assigned market, both in-person and remotely for risk mitigation to reduce losses and strengthen their Risk Control Program.
- Develop content and deliver presentations to assist internal and external customers to better understand the unique risk exposures of the assigned market.
- Analyse data and identify gaps in existing service strategies, resources, and training programs. Develop, recommend, and implement needed changes.
- Work with the Underwriting Department to develop risk reduction techniques for the specialty market.
- Work with the Marketing Department to develop risk control materials for the specialty market.

Qualifications

- Bachelor's degree or equivalent experience is required. Bachelor's degree in a safety related field is preferred.
- Evidence of continuing education in the insurance industry is desired.
- A minimum of five years of experience within the specific market.
- Extensive knowledge of specialized facility operations and related loss exposures and controls within the specific market.
- Highly conversant with training materials and programs specific to the needs of the specialized market.
- Experience in managing risk control services on large accounts is preferred.
- Mastery in developing presentations and presenting to groups.
- Excellent verbal and listening skills.
- Excellent planning skills for service delivery and itinerary management.
- Demonstrated consulting skills in risk control area.
- Proven ability to analyze data, develop, and implement solutions.
- Proven time management and detailed organizational skills.

Requirements

- Overnight travel is required 2-3 weeks a month.
- Travels routinely via plane to customer locations.
- Ability to operate a motor vehicle.
- Works inside and may work outside in heat/cold, wet/humid, dry/arid, and varied lighting conditions.
- May require occasional physical activities that include standing, walking (including extended periods on level and uneven walkways and surfaces that are wet, icy, snowy, or cluttered), bending, kneeling, stooping, crouching, crawling, and climbing (including ladders and stairs).

Company Description

Church Mutual is an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, veteran or disability status. Exact compensation will vary based on consideration of a variety of factors including education, skills, experience, and location.

United States

Subject Matter Lead, UxS Regulatory Compliance

Teleplan Globe

Software and Solutions for Decision Makers that Protects People, Assets and Institutions

Risk | 3 days ago
Full Time | Remote | Team 51-200 | H1B No Sponsor

• Follow up on relevant regulations and standards related to UxS operations
• Translate regulatory requirements into internal guidelines, processes and documentation
• Ensure that compliance considerations are addressed in requirements, backlog, testing and deliveries
• Build and maintain governing documentation and compliance frameworks
• Contribute to regulatory assessments in connection with testing, demonstration and operational use
• Support the organization with expert assessments and decision support where there is regulatory uncertainty

Norway