The Third Party Risk Management program at CNA coordinates and performs risk management assessments across cybersecurity business continuity compliance and general operational risk controls throughout the lifecycle of the Third Party relationship. There are two open positions available, which are responsible for executing Third Party Risk assessments to include Due Diligence Questionnaire reviews as well as control validations conducted remotely or onsite. As a senior resource in the Third Party Risk Management team this position is expected to complete more complex assessments and handle escalations requiring sensitivity and nuance.
Performs a combination of duties in accordance with departmental guidelines:
- Perform Third Party Risk assessments by evaluating Third Party questionnaire responses performing control review/validation and assessment documentation per established procedures and standards.
- In the course of executing assessments actively project manages all assessment deadlines by coordinating execution with both the external Third Party and internal business partners to include active status monitoring and follow up with stakeholders.
- Support Third Party onboarding ongoing monitoring and Third Party off-boarding answering any internal stakeholder questions related to ongoing assessments.
- Provide support to Third Parties completing Due Diligence Questionnaires by clarifying intent behind questions and expected supporting evidence.
- Perform periodic quality assurance and review of Third Party Risk assessments performed by other team members to ensure that all assessments meet established standards and expectations.
- Take the lead on any escalated or sensitive Third Party Risk assessments. Directly engage business leadership as needed to support escalated assessments.
- Actively solicit business partner engagement and buy-in by educating internal stakeholders on Third Party Risk management processes and benefits of the program.
- Provide guidance and training to other Third Party Risk Management assessors as required in the course of Third Party Risk Assessment execution.
- Execute program analytics to include but not limited to process adherence reporting program Key Performance Indicators Third Party Risk Key Risk Indicators and escalation reporting and management.
- Directly assist the AVP of Third Party Assurance in managing and implementing all identified program process and technology configuration process improvements in the Third Party Risk Management program roadmap.
Director or above
Skills Knowledge & Abilities
- Thorough knowledge of industry security standards to include but not limited to NIST ISO and COBIT.
- Domain expertise in information security and business resiliency to include infrastructure security access management cloud security and physical and environmental security controls.
- Ability to manage remote teams train and coach assessors on internal processes.
- Experience in program reporting metrics and analytics.
- Ability to work with both technical and non-technical internal business stakeholders.
- Effective verbal and written communication skills.
- Strong interpersonal skills with the ability to work with staff at all levels.
- Detail oriented with strong organizational skills and ability to manage multiple projects effectively.
- Proven thought leadership and ability to provide informal guidance to more junior team members.
- Strong knowledge of Microsoft Office Suite and other business-related software systems including processing systems and applications.
Education & Experience
- Bachelor's degree or equivalent
- Typically 5 – 7 years of experience in Supplier Risk or Third-Party Risk assessment
- CISSP CRISC or CISA highly preferred