Third-Party Risk Analyst
Location: Richfield, MN
Experience: 5+ yrs
Skills: Archer GRC, Risk assessment frameworks (PCI DSS, NIST CSF, ISO 27000), Vendor risk management platforms, Compliance monitoring tools, Documentation and reporting software, Business continuity assessment tools, Security vulnerability scanners, Communication and collaboration platforms
Duration: 6+ Months
Job Description:
About department:
- The Third-Party Risk Management team evaluates the overall risk posture of all our Goods Not for Resale (GNFR) vendors. This includes assessing responses to our vendor risk questionnaires and comparing them against the expectations outlined in our Vendor Privacy and Security Policy (contract addendum).
- While Information Security remains a primary focus, our reviews also encompass other critical risk domains such as business continuity and disaster recovery (BCDR), financial stability, ethics and legal compliance, labor and environmental practices, and brand/reputational risk. We leverage both internal and external subject matter experts to support our assessments and address any concerns that arise.
- When we identify gaps between contractual obligations and vendor performance, particularly in non-Information Security areas, we document these as findings. These findings require remediation by the vendor and must be communicated effectively to business owners, Procurement, and the vendors themselves. As such, analysts must be adept at tailoring communications for diverse audiences.
- Our team collaborates closely with Information Security, other Enterprise Risk and Compliance (ERC) teams, Procurement, Legal, and business stakeholders to ensure a comprehensive and aligned approach to third-party risk management.
Project Description: This initiative is designed to support the Third-Party Risk Management team by conducting comprehensive risk assessments of both new and existing Goods Not For Resale (GNFR) vendors. The primary objective is to evaluate vendor risk profiles and ensure alignment with our organizational standards and policies.
Skills Overview:
What are the top five skills and number of years of experience required to perform this job?
- 2+ years of experience performing risk assessments or audits
- 2+ years of experience in the Information Security TPRM risk category
- Familiarity with the Payment Card Industry Data Security Standard (PCI DSS), the NIST Cybersecurity Framework (CSF), and the ISO 27000 series
- Strong interpersonal and communication skills with the ability to develop productive working relationships with technical and non-technical teams
- Ability to work in a fast-paced environment within a team
What are some preferred/nice to have skills the manager is looking for?
- CISSP, Security+, Network+, or SSCP certification
- Experience in the Business Resiliency, Finance, Ethics/Compliance, or Insurance TPRM risk categories
- Experience with the Archer GRC tool
- Ability to work with a start-up mentality inside a large organization and to provide security recommendations with the business strategy and goals in mind
Interview Process Overview:
For full-time employee interviews, we typically involve two separate teams to evaluate candidates, focusing on behavioral questions and a walkthrough of their professional experience. In this case, however, the interview will be conducted by a single panel. Our goal remains the same: to assess both how well the candidate fits within the team culture and how closely their experience aligns with the responsibilities of the role. We encourage candidates to use the STAR method when answering behavioral questions to ensure responses are structured and insightful.