Third Party Risk Management Associate

Job Type: Full Time

Job Description - Third Party Risk Management Associate

Job Title: Third Party Risk Management Associate

Reports To: VP of Sourcing OR Associate Director of Sourcing

FLSA Status: Full Time - Salaried, Exempt

Location: Cincinnati, OH

Who is pep:

When smart business, a drive for success, and a family atmosphere combine, you get pep! At pep, we help deliver the strategy for brands worldwide, seamlessly managing all the details so that the brand can stay focused on their big picture. Through our expertise in marketing operations, we help execute our clients’ marketing campaigns more effectively than anyone else in the world. We know that sourcing is essential to brand success as well, so we’ve become experts in leveraging scale and spend to save our clients time and money. We’re not all talk; our results back us up too! To date, we’ve managed campaigns for over 750 brands, delivering an average of 21% savings on over $5 billion in marketing spend. Our success also pays it forward to our employees by allowing us to offer paid parental leave, work-life flexibility, and remote working opportunities, to name a few. Want to be a part of something original? Check out our growing team and join us!

At pep we value our team and offer:
Generous Time Off
Robust Health and Wellness Plan
Family Support
Mentorship Program
401K Match
Role Autonomy
Certification Reimbursement and Ongoing Training
Enrichment Events and Employee Resource Groups

Summary of Position:

The Third-Party Risk Management Associate position is responsible for providing thought leadership and developing and implementing the next generation of our Sourcing Division’s third-party cyber risk management program. The ideal candidate for this role will understand/rapidly learn pep’s business model and how supplier relationships support it. The person in this role will serve as a subject matter expert and have a mindset for change and growth to challenge the status quo.

Key Responsibilities and Attributes:

Lead strategy and policy development, program execution, and ongoing management of pep’s Third-Party Cyber Risk Management program including initial risk assessment, due diligence, contract requirements, ongoing monitoring, and termination/off-boarding strategies
Conduct third-party risk assessments and due diligence monitoring, develop training and communication, monitor and test the effectiveness of controls, manage risk treatment and remediation, and sustain and optimize applicable risk management programs
Monitor, track and drive accountability for third-party performance and management of risk with supplier relationship owners
Monitor supply chain threats and coordinate the sharing of threat intelligence and other informational and educational material related to supply chain risks
Coordinate and communicate with external stakeholders on standards/best practices, regulations, and novel technologies
Collaborate with cross-functional teams, including legal, procurement, IT, and business units, to gather necessary information to assess, consult and manage risk management processes
Act as a subject matter expert and consult with stakeholders to provide value-added insight to improve the risk visibility into business decisions related to third parties
Develop, enhance, and oversee the continuous improvement of pep’s third-party due diligence policies, procedures, and frameworks to improve the effectiveness and efficiency as business requirements and risk evolve
Develop and manage a third-party artificial intelligence usage policy that reflects client requirements and adequately manages risk without stifling the value that artificial intelligence can bring to our business
Maintain an intimate understanding of best-in-class TPRM practices through proactive research, benchmarking and continuous education
Develop, enhance and lead pep’s third-party incident response policies and processes. Lead cross-functional teams through incident response procedures from start to finish.
Support other projects as assigned that support pep’s overall cybersecurity well-being

Knowledge/Skills Preferred:

To perform this job successfully, an individual must be able to perform each essential duty satisfactorily. The requirements listed below are representative of the knowledge, skill, and/or ability required. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.

A successful candidate will have the following skills:

Preferred, but not required: Bachelor’s in Cybersecurity or Business Operations, or minimum 5 years of experience in third-party risk management, vendor management, or equivalent experience
CTPRP, CISSP, CISA, CRISC, or CISM certification is preferred
Familiarity with risk assessment methodologies, frameworks, best practices, and the full breadth of cybersecurity domains, particularly as they pertain to third-party risk management
Knowledge of relevant regulations, standards, and frameworks related to third-party risk management, such as the FFIEC Handbook, ISO 27001, NIST CSF, NIST SP 800-53, PCI-DSS, and other industry-specific regulations
Knowledge of privacy laws and how they relate to third-party risk management, such as COPPA, CCPA, CPRA, Washington Health Data Act, Virginia Consumer Data Protection Act, the Colorado Privacy Act, etc.
Experience conducting risk assessments of third-party vendors, suppliers, or partners, including evaluating compliance with policies, procedures, and regulatory requirements
Strong organizational skills to monitor and track third-party risk issues, ensuring timely resolution and appropriate risk mitigation actions
Ability to understand and align business drivers in relation to compliance considerations
Strong negotiation, facilitation and consensus building skills; strategic and holistic thinking; able to present to senior contributors and management
Driven to improve service and engagement models proactively
Excellent written and verbal communication skills, with the ability to prepare clear and concise reports, summaries, and documentation related to risk assessments
Detail-oriented mindset with the ability to analyze and interpret risk assessment findings and provide recommendations and remediation plans to mitigate identified risks

*pep provides equal employment opportunities (EEO) to all employees and applicants for employment without regard to race, color, religion, sex, national origin, age, disability, or genetics. In addition to federal law requirements, pep complies with applicable state and local laws governing nondiscrimination in employment in every location in which the company has facilities. This policy applies to all terms and conditions of employment, including recruiting, hiring, placement, promotion, termination, layoff, recall, transfer, leaves of absence, compensation, and training.

*pep expressly prohibits any form of workplace harassment based on race, color, religion, gender, sexual orientation, gender identity or expression, national origin, age, genetic information, disability, or veteran status. Improper interference with the ability of pep’s employees to perform their job duties may result in discipline up to and including discharge.