The Role
Own and operate the third-party risk management program including vendor onboarding, risk tiering, due diligence, monitoring, reassessments, contract coordination, incident tracking, vendor termination, reporting for leadership and regulators, administering the vendor management platform, and supporting audits and regulatory examinations.
This role owns the day-to-day operation of the Company’s third-party risk management (TPRM)
program. The Third-Party Risk Manager administers vendor onboarding, risk tiering, due
diligence, periodic reassessment, ongoing monitoring, and termination across the full vendor
lifecycle in accordance with the Third-Party Risk Management Policy (TPRM02).
This position is the primary point of contact for business owners engaging new vendors, for
vendors responding to due diligence requests, and for internal partners — Legal, Compliance,
Information Security, and Finance — who depend on accurate vendor risk information. The role
administers the Company’s vendor management software platform, maintains the authoritative
vendor inventory, and produces reporting consumed by the Risk Management Committee and
senior leadership.
The Third-Party Risk Manager works under the oversight of the Chief Information Officer and
operates within the regulatory expectations of FHFA, CFPB, HUD, state financial regulators,
GSEs, and secondary market investors.
Key Responsibilities
- Determine the inherent risk tier (Tier 1, Tier 2, or Tier 3) for every third party prior to contracting or engagement, consistent with the criteria defined in TPRM02.
- Perform and document inherent risk assessments during onboarding, according to the policy reassessment schedule (annual for Tier 1 and bi-annual for Tier 2 vendors), and whenever a material change occurs in the vendor relationship.
- Administer the due diligence process, including the issuance and evaluation of vendor due diligence questionnaires (DDQs), SOC 1 and SOC 2 reports, financial statements, insurance certificates, business continuity and information security documentation, and licensing or regulatory standing.
- Maintain the authoritative third-party inventory, including assigned risk tier, services provided, data classification, system access, contract status, and all supporting documentation.
- Administer the Company’s vendor management software platform, including profile setup, document collection, workflow configuration, expiration tracking, contract repository management, and audit history maintenance.
- Monitor all vendors, contractors, and third-party counterparties against the FHFA Suspended Counterparty List (SCL) prior to engagement and on a recurring monthly basis; immediately escalate any matches to General Counsel and Compliance.
- Coordinate contract reviews with Legal to ensure all required clauses are included, including information security, confidentiality, audit rights, subcontracting, breach notification, business continuity, termination, and return or destruction of data provisions.
- Track and report vendor incidents, performance issues, breaches, and remediation activities; communicate findings to business owners and escalate material concerns to the Risk Management Committee.
- Maintain documentation of vendor reviews, due diligence activities, identified risks, and required remediation efforts; provide training to business owners on intake and approval workflows.
- Administer the vendor termination process, including coordination of the return of Company property and the return or destruction of Company data and information in accordance with legal and regulatory requirements.
- Document and route policy exceptions for approval by the Third-Party Risk Manager and, when required, the Risk Management Committee.
- Prepare periodic TPRM reporting and performance metrics for senior leadership, the Risk Management Committee, internal audit, external examiners, investors, and warehouse lenders.
- Support audits and regulatory examinations by producing vendor inventories, risk assessments, due diligence files, and program documentation upon request.
- Coordinate with the AI Governance Committee on due diligence and risk tiering activities related to third-party AI solutions and AI-enabled vendor features, consistent with RAIG01 Section 10.
- Lead the annual review of the Third-Party Risk Management Policy (TPRM02) and recommend revisions for approval.
- Perform other duties and responsibilities as assigned.
Skills, Knowledge and Expertise
- Working knowledge of the regulatory landscape applicable to independent mortgage banks, including FHFA, CFPB, HUD, GLBA, state licensing authorities, GSE (Fannie Mae and Freddie Mac) seller/servicer requirements, and secondary market investor and warehouse lender expectations.
- Demonstrated ability to evaluate SOC 1 and SOC 2 reports, information security questionnaires, financial statements, insurance coverage, and business continuity documentation, and translate findings into clear and well-supported risk decisions.
- Experience administering a vendor management software platform such as VendorRisk.com, Venminder, ProcessUnity, Archer, or a comparable solution.
- Strong understanding of inherent risk, residual risk, risk mitigation strategies, and the role of compensating controls within an effective risk management framework.
- Excellent written and verbal communication skills, with the ability to brief executive leadership, prepare findings that withstand examiner and audit scrutiny, and explain risk decisions to non-technical business stakeholders.
- Strong project management and organizational skills, with the ability to manage recurring assessment schedules across a large vendor population while maintaining accuracy and timeliness.
- Solid working knowledge of Microsoft 365 applications, including Excel, Word, Outlook, Teams, and SharePoint, for reporting, documentation, file management, and collaboration.
- Demonstrated discretion and sound judgment when handling non-public personal information (NPI), confidential vendor information, contractual terms, and other sensitive business data.
Experience Requirements
- Minimum of five (5) years of experience in third-party risk management, vendor management, operational risk, compliance, or audit, with demonstrated day-to-day ownership of a formal risk management program.
- Minimum of five (5) years of experience within a regulated financial services environment; mortgage industry experience is strongly preferred.
- Minimum of five (5) years of management, team leadership, or program leadership experience with responsibility for driving program execution, stakeholder engagement, and risk oversight.
Benefits
- Above market salary
- HMO on Day 1 for principal and two dependents
- Government-mandated benefits
- Performance-based Incentives
- Quarterly Company Events
- 1,000 PHP De Minimis
- Equipment and software provided
About
NightOwl Consulting was born from the desire for more! As prior clients of a BPO, we found ourselves struggling with support, understanding of our business industry, and the treatment of our global family… from this, NightOwl Consulting was born. Our mission is to connect companies with world-class talent with the overall vision to build a global family that aspires to reach its highest potential.
Skills Required
- Minimum five (5) years experience in third-party risk management, vendor management, operational risk, compliance, or audit with day-to-day ownership of a formal risk management program
- Minimum five (5) years experience within a regulated financial services environment
- Mortgage industry experience
- Minimum five (5) years of management, team leadership, or program leadership experience
- Working knowledge of applicable regulators (FHFA, CFPB, HUD, GLBA, state licensing, GSE requirements, secondary market expectations)
- Ability to evaluate SOC 1 and SOC 2 reports, information security questionnaires, financial statements, insurance coverage, and business continuity documentation
- Experience administering a vendor management software platform (VendorRisk.com, Venminder, ProcessUnity, Archer, or comparable)
- Strong understanding of inherent risk, residual risk, risk mitigation, and compensating controls
- Excellent written and verbal communication, including briefing executive leadership and preparing findings for examiners and auditors
- Strong project management and organizational skills to manage recurring assessment schedules across large vendor populations
- Solid working knowledge of Microsoft 365 applications (Excel, Word, Outlook, Teams, SharePoint)
- Demonstrated discretion and sound judgment handling non-public personal information (NPI) and other sensitive data
The Company
What We Do
NightOwl Consulting helps businesses and people realize new possibilities by connecting companies with world-class talent and building a global family that aspires to reach its highest potential.