Third Party Risk Management Associate

Remote: Full Remote
Experience: Senior (5-10 years)

Offer summary

Qualifications:

  • Bachelor's in Cybersecurity or 5 years of experience in third-party risk management
  • Certification in CTPRP, CISSP, CISA, CRISC, or CISM preferred
  • Knowledge of risk assessment methods, regulations, and cybersecurity domains
  • Strong organizational and negotiation skills
  • Excellent communication and written skills

Key responsibilities:

  • Lead development and management of Third-Party Cyber Risk program
  • Conduct risk assessments, monitor controls, manage risk treatment
  • Coordinate with stakeholders, share threat intelligence, drive accountability
  • Enhance due diligence policies, oversee incident response procedures
  • Continuous improvement of TPRM processes, support cybersecurity projects
pep, LLC. Marketing & Advertising SME https://www.peppromotions.com
201 - 500 Employees

Job description

Your missions

Job Title:                       Third Party Risk Management Associate

Reports To:                   VP of Sourcing OR Associate Director of Sourcing

FLSA Status:                Full Time - Salaried, Exempt

Location:                      Cincinnati, OH

 

Who is pep:

When smart business, a drive for success, and a family atmosphere combine, you get pep! At pep, we help deliver the strategy for brands worldwide, seamlessly managing all the details so that the brand can stay focused on its big picture. Through our expertise in marketing operations, we help execute our clients’ marketing campaigns more effectively than anyone else in the world. We know that sourcing is essential to brand success as well, so we’ve become experts in leveraging scale and spend to save our clients time and money. We’re not all talk; our results back us up too! To date, we’ve managed campaigns for over 750 brands, delivering an average of 21% savings on over $5 billion in marketing spend. Our success also pays it forward to our employees by allowing us to offer paid parental leave, work-life flexibility and remote working opportunities, to name a few. Want to be a part of something original? Check out our growing team and join us!

At pep we value our team and offer:

  • Generous Time Off
  • Robust Health and Wellness Plan
  • Family Support
  • Mentorship Program

 

  • 401K Match
  • Role Autonomy
  • Certification Reimbursement and Ongoing Training
  • Enrichment Events and Employee Resource Groups

 


Summary of Position:  

The Third-Party Risk Management Associate position is responsible for providing thought leadership and developing and implementing the next generation of our Sourcing Division’s third-party cyber risk management program. The ideal candidate for this role will understand/rapidly learn pep’s business model and how supplier relationships support it. The person in this role will serve as a subject matter expert and have a mindset for change and growth to challenge the status quo.

 

 

Key Responsibilities and Attributes:

  • Lead strategy and policy development, program execution, and ongoing management of pep’s Third-Party Cyber Risk Management program including initial risk assessment, due diligence, contract requirements, ongoing monitoring, and termination/off-boarding strategies
  • Conduct third-party risk assessments and due diligence monitoring, develop training and communication, monitor and test the effectiveness of controls, manage risk treatment and remediation, and sustain and optimize applicable risk management programs
  • Monitor, track and drive accountability for third-party performance and management of risk with supplier relationship owners
  • Monitor supply chain threats and coordinate the sharing of threat intelligence and other informational and educational material related to supply chain risks
  • Coordinate and communicate with external stakeholders on standards/best practices, regulations, and novel technologies
  • Collaborate with cross-functional teams, including legal, procurement, IT, and business units, to gather necessary information to assess, consult and manage risk management processes
  • Act as a subject matter expert and consult with stakeholders to provide value-added insight that improves risk visibility in business decisions related to third parties
  • Develop, enhance, and oversee the continuous improvement of pep’s third-party due diligence policies, procedures, and frameworks to improve the effectiveness and efficiency as business requirements and risk evolve
  • Develop and manage a third-party artificial intelligence usage policy that reflects client requirements and adequately manages risk without stifling the value that artificial intelligence can bring to our business
  • Maintain an intimate understanding of best-in-class TPRM practices through proactive research, benchmarking and continuous education
  • Develop, enhance and lead pep’s third-party incident response policies and processes. Lead cross-functional teams through incident response procedures from start to finish.
  • Support other projects as assigned that support pep’s overall cybersecurity well-being

 

 

 

Knowledge/Skills Preferred:

To perform this job successfully, an individual must be able to perform each essential duty satisfactorily. The requirements listed below are representative of the knowledge, skill, and/or ability required. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions. 

 

A successful candidate will have the following skills:

  • Preferred, but not required: Bachelor’s in Cybersecurity or Business Operations, or a minimum of 5 years of experience in third-party risk management, vendor management, or equivalent experience
  • CTPRP, CISSP, CISA, CRISC, or CISM certification is preferred
  • Familiarity with risk assessment methodologies, frameworks, best practices, and the full breadth of cybersecurity domains, particularly as they pertain to third-party risk management
  • Knowledge of relevant regulations, standards, and frameworks related to third-party risk management, such as the FFIEC Handbook, ISO 27001, NIST CSF, NIST SP 800-53, PCI-DSS, and other industry-specific regulations
  • Knowledge of privacy laws and how they relate to third-party risk management, such as COPPA, CCPA, CPRA, Washington Health Data Act, Virginia Consumer Data Protection Act, the Colorado Privacy Act, etc.
  • Experience conducting risk assessments of third-party vendors, suppliers, or partners, including evaluating compliance with policies, procedures, and regulatory requirements
  • Strong organizational skills to monitor and track third-party risk issues, ensuring timely resolution and appropriate risk mitigation actions
  • Ability to understand and align business drivers in relation to compliance considerations
  • Strong negotiation, facilitation and consensus building skills; strategic and holistic thinking; able to present to senior contributors and management
  • Driven to improve service and engagement models proactively
  • Excellent written and verbal communication skills, with the ability to prepare clear and concise reports, summaries, and documentation related to risk assessments
  • Detail-oriented mindset with the ability to analyze and interpret risk assessment findings and provide recommendations and remediation plans to mitigate identified risks

 

*pep provides equal employment opportunities (EEO) to all employees and applicants for employment without regard to race, color, religion, sex, national origin, age, disability, or genetics. In addition to federal law requirements, pep complies with applicable state and local laws governing nondiscrimination in employment in every location in which the company has facilities. This policy applies to all terms and conditions of employment, including recruiting, hiring, placement, promotion, termination, layoff, recall, transfer, leaves of absence, compensation, and training.

*pep expressly prohibits any form of workplace harassment based on race, color, religion, gender, sexual orientation, gender identity or expression, national origin, age, genetic information, disability, or veteran status. Improper interference with the ability of pep’s employees to perform their job duties may result in discipline up to and including discharge.

Required profile

Experience

Level of experience: Senior (5-10 years)
Industry: Marketing & Advertising
Spoken language(s): English

Soft Skills

  • Interpersonal Skills
  • Negotiation Techniques
  • Facilitation
