Logo for Roche

Program Lead, Third Party Risk and Resilience Management

Role overview

Qualifications

  • Bachelor’s or Advanced degree in a technical or business discipline
  • 8 years in IT/RD environments
  • 5 years managing large-scale ODCs or captive centers
  • Strong compliance understanding to identify and mitigate risks

Responsibilities

  • Establish and maintain a governance framework for Offshore Development Centers (ODCs)
  • Ensure compliance with Roche Security standards and legal requirements
  • Conduct Security Risk Assessments (SRA) and Data Classification Reviews (DCR)
  • Lead ODC Security Incident Management with timely identification and escalation

Key facts

Other skills

  • Governance
  • Collaboration
  • Problem Solving
  • Communication
  • Leadership

About the company

Roche logo

Roche

Biotech: Biology + Technology

Roche is a global pioneer in pharmaceuticals and diagnostics focused on advancing science to improve people’s lives. The combined strengths of pharmaceuticals and diagnostics under one roof have made Roche the leader in personalised healthcare – a strategy that aims to fit the right treatment to each patient in the best way possible.Roche is the world’s largest biotech company, with truly differentiated medicines in oncology, immunology, infectious diseases, ophthalmology and diseases of the central nervous system. Roche is also the world leader in in vitro diagnostics and tissue-based cancer diagnostics, and a frontrunner in diabetes management.Founded in 1896, Roche continues to search for better ways to prevent, diagnose and treat diseases and make a sustainable contribution to society. The company also aims to improve patient access to medical innovations by working with all relevant stakeholders. Thirty medicines developed by Roche are included in the World Health Organization Model Lists of Essential Medicines, among them life-saving antibiotics, antimalarials and cancer medicines. Roche has been recognised as the Group Leader in sustainability within the Pharmaceuticals, Biotechnology & Life Sciences Industry ten years in a row by the Dow Jones Sustainability Indices (DJSI).For more information, please visit https://careers.roche.comRead our community guidelines here: https://www.roche.com/some-guidelines.htm#Roche #Biotechnology #Pharmaceuticals #Diagnostics #Healthcare #PersonalisedHealthcare #GreatPlaceToWork #Innovation

Company details

Company typeXLarge
IndustryBiotech: Biology + Technology
Company size10001

Your match analysis

See how your profile stacks up against this role.

We compared the job requirements to your profile to show where you're strong and where you fall short.

Job description

At Roche you can show up as yourself, embraced for the unique qualities you bring. Our culture encourages personal expression, open dialogue, and genuine connections,  where you are valued, accepted and respected for who you are, allowing you to thrive both personally and professionally. This is how we aim to prevent, stop and cure diseases and ensure everyone has access to healthcare today and for generations to come. Join Roche, where every voice matters.

The Position

 A healthier future. It’s what drives us to innovate. To continuously advance science and ensure everyone has access to the healthcare they need today and for generations to come. Creating a world where we all have more time with the people we love. That’s what makes us Roche.

The Program Lead for Third Party Risk and Resilience Management establishes and maintains a robust governance framework for all Offshore Development Centers (ODCs), bridging R&D innovation requirements with Global IT security, infrastructure, and compliance standards. This leader ensures ODCs function as strategic extensions of Roche's R&D engine while maintaining zero major IT compliance breaches, and guides vendors during ODC setup to ensure full compliance with Roche Security standards.

Compliance of all ODC setups and ongoing operations. Ensure alignment on scope, methodologies, processes at the nexus of R&D organization, Global procurement, and IT.  Elimination of governance gaps and friction points between R&D and IT.  Implementation of standardized, global ODC management framework across business units Security risks, incidents, and incident/change/problem management processes at ODC sites Strategic positioning of ODCs as value creators rather than cost centers

 

The Opportunity

  • Determine ODC necessity based on country risk and data sensitivity 

  • Initiate new ODC setups, coordinate vendor office space establishment, and guide vendors on Roche Security standards

  • Conduct Security Risk Assessment (SRA) and Data Classification Review (DCR) for all services and applications 

  • Identify services unsuitable for external business partners and escalate to product/service owners or DSM for remediation 

  • Create, review, and maintain ODC Manuals, Impact Assessments, and Security Control Tables 

  • Periodically review and update impact assessment documents to remove retired services 

  • Ensure compliance with legal requirements (GDPR, CCPA) and Roche security protocols 

  • Act as the owner for role-specific training curricula

  • Ensure training compliance for all external personnel by verifying mandatory security and role-specific requirements are met prior to system access.

  • Accountable for the systematic tracking and enforcement of training completion for vendor resources, leveraging the Roche Training Solution system

  • Approve all ODC changes including staff assignments, project onboarding, and service modifications 

  • Manage ServiceNow requests for infrastructure (NAS storage, VD/VDI creation/updates, application packaging) 

  • Identify VSA requirements and maintain vendor security/privacy capabilities throughout ODC lifecycle 

  • Ensure security audits completed prior to service commencement and conduct periodic audits 

  • Conduct assessments when major changes occur (new projects with higher security needs)

  • Track and remediate audit findings with vendors

  • Ensure mandatory notifications are formally integrated into processes (e.g., GSP) for all new vendor collaborations

  • Coordinate dedicated VDI planning with Citrix when default environments cannot support daily tasks 

  • Optimize virtual desktop and application virtualization to reduce VDI requirements 

  • Manage port opening for DIA, RDI, VDIs, and coordinate VDI creation 

  • Collaborate with Network, Perimeter, and Citrix teams on connectivity and URL whitelisting 

  • Ensure Business Partner Organization (BPO) approvals for applications, systems, URLs, RDP/SSH access 

  • Populate and verify application inventories, URLs, and RDP/SSH server lists for Smart Web and virtual environments 

  • Add users to ODC groups and implement access restrictions or policies as required 

  • Lead ODC Security Incident Management with timely identification, escalation, and resolution 

  • Promptly escalate security incidents to Roche IT Security Governance 

  • Maintain incident, change, and problem management processes across all ODC operations 

  • Participate in security audits and ensure all identified gaps are promptly closed 

  • Regular evaluation of ODC setups for necessary updates 

  • Document audit findings and track remediation to completion

  • Ensure execution of Business Continuity Plans and maintain disaster recovery readiness

  • Coordinate vendor selection, onboarding, and performance monitoring of strategic offshore partners 

  • Work with vendor ODC managers and PICs on service/project onboarding and offboarding 

  • Review periodic ODC compliance reports and resolve conflicts/issues related to readiness 

  • Manage ODC user onboarding, offboarding, travel requests, and work-from-home (teleworking) approvals 

  • Collaborate with vendors and delivery teams on project details and application access requirements 

  • Oversee ODC decommissioning with proper data handling, access revocation, and infrastructure cleanup 

  • Provide guidance on virtual desktop, application, and network challenges 

  • Participate in technical discussions on Citrix, network infrastructure (WAN, firewalls, clients), security, risk, and governance 

  • Coordinate across Vendor ODC managers, Roche IT Security, Network, Perimeter, Citrix, and application teams 

  • Address ad-hoc requests and ODC challenges with quality and compliance focus 

  • Translate complex technical requirements; articulate constraints and propose viable alternatives 

Who You Are:   

  •  You have a Bachelor’s or Advanced degree in a technical or business discipline (Computer Science, Information Security, or related field) 

  • You have  8 years in IT/R&D environments

  • You have  5 years managing large-scale ODCs or captive centers

  • You have experience with Roche (or other large organization within a highly regulated industry) IT Security standards and compliance frameworks 

  • You have strong compliance understanding to identify and mitigate risks; knowledge of GDPR, CCPA, and data privacy standards 

  • You have experience with regulatory frameworks (GxP, ISO 27001) and audit requirements

  • You have experience with risk assessment methodologies and vendor security evaluation

  • You have a background in connectivity / network infrastructure: IT networks, cabling, switches, routers, WAN, firewalls 

  • You have experience with virtual environments: VDI, Citrix platforms, and application virtualization

  • You have IT operations knowledge: thin/thick clients, servers, and technical documentation ServiceNow and IT Service Management tools

  • You are familiar with cloud infrastructure (AWS/Azure), DevOps and enterprise security frameworks

  • You hare experience with ISMS & ITSM implementation and best practices 

  • You have incident management and problem resolution experience

  • You have a deep understanding of Software Development Lifecycle (SDLC) and R&D workflows 

  • You have an outsourcing engagement models and service delivery operations 

  • Pharmaceutical industry standards and R&D innovation processes ( (or other large organization within a highly regulated industry)

Preferred Qualifications: 

  •  You have a professional security or risk management credentials—such as CISSP, CISM, CRISC, or equivalent 

Relocation benefits are not available for this posting  

The expected salary range for this position based on the primary location of Tucson, AZ is 106,400-197,600.  Actual pay will be determined based on experience, qualifications, geographic location, and other job-related factors permitted by law.  A discretionary annual bonus may be available based on individual and Company performance.  

This position also qualifies for the benefits detailed at the link provided below.

Benefits

 

 

Who we are

A healthier future drives us to innovate. Together, more than 100’000 employees across the globe are dedicated to advance science, ensuring everyone has access to healthcare today and for generations to come. Our efforts result in more than 26 million people treated with our medicines and over 30 billion tests conducted using our Diagnostics products. We empower each other to explore new possibilities, foster creativity, and keep our ambitions high, so we can deliver life-changing healthcare solutions that make a global impact.


Let’s build a healthier future, together.

Roche is an equal opportunity employer. It is our policy and practice to employ, promote, and otherwise treat any and all employees and applicants on the basis of merit, qualifications, and competence. The company's policy prohibits unlawful discrimination, including but not limited to, discrimination on the basis of Protected Veteran status, individuals with disabilities status, and consistent with all federal, state, or local laws.

If you have a disability and need an accommodation in relation to the online application process, please contact us by completing this form Accommodations for Applicants.

Apply once. Then go straight to the hiring manager.

After you apply, unlock the direct contact details of the people who actually make the call. A quick follow-up makes you 5x more likely to land an interview.

MR

Marcus Rivera

Chief Revenue Officer

m.rivera@company.com
linkedin.com/in/marcusrivera
Unlocked after you apply
·

Risk Manager Related jobs

Other jobs at Roche

Premium

Reach out to the hiring manager directly.

Gain access to the contact details of the hiring managers who actually decide, and reach out to network with them directly. That, plus more when you upgrade:

  • Full match report with fit score and gaps
  • Career diagnostics on how recruiters read you
  • Curated company matches and warm intros
  • 48h early access to new roles

Cancel anytime.