Duration: 3 months to start
Job Description:
We are seeking a senior level Third Party Risk Management consultant with strong experience designing and building enterprise vendor risk programs, ideally within a healthcare or highly regulated environment. This person should have hands on experience creating risk tiering models, assessment methodologies, governance reporting, and integrating TPRM into procurement and contract processes. We are not looking for an operational analyst or technical support resource, but a strategic program lead who can design, mature, and operationalize a comprehensive TPRM framework and engage confidently with executive stakeholders.
Required:
- 8 plus years of experience in Information Security, Risk Management, or GRC
- Proven experience building or significantly maturing a Third-Party Risk Management program
- Strong understanding of the full third-party risk lifecycle
- Experience developing vendor risk tiering and inherent versus residual risk scoring models
- Experience designing assessment methodologies and validating security controls
- Knowledge of continuous vendor monitoring practices
- Familiarity with healthcare regulatory requirements such as HIPAA
- Experience aligning programs to frameworks such as NIST CSF, NIST 800 53, PCI, ISO 27001, TX RAMP
- Experience implementing or optimizing workflows in GRC platforms such as ServiceNow, AuditBoard, or Archer
Preferred:
- CISSP, CISM, CRISC, or similar certification
- Experience in healthcare or academic medical center environments
- Experience with risk quantification methodologies
- Experience assessing AI vendors
- Experience conducting cloud and SaaS vendor risk assessments
- Experience governing mission critical vendors
- Experience working with state regulated institutions such as Texas DIR or TX RAMP
- Deep hands-on experience with enterprise GRC platforms
The organization is seeking an experienced Third-Party Risk Management (TPRM) Consultant to design, enhance, and operationalize a comprehensive third-party risk management framework across academic, research, and clinical environments.
This role requires hands-on experience building or maturing TPRM programs, including process development, risk tiering models, assessment methodologies, workflow automation, and governance reporting. The consultant will work closely with Information Security, Procurement, Legal, Compliance, and Health System stakeholders to strengthen vendor risk oversight and institutional resilience.
Key Responsibilities:
- Design and formalize a scalable Third-Party Risk Management program.
- Develop or refine:
- Vendor risk tiering methodology
- Inherent and residual risk scoring models
- Assessment playbooks and control validation standards
- Issue tracking and remediation workflows
- Align TPRM processes with applicable frameworks (e.g., NIST CSF, NIST 800-53, HIPAA, PCI, TX-RAMP, ISO 27001)
- Develop standardized assessment questionnaires and evidence review processes.
- Establish governance and reporting mechanisms (dashboards, executive metrics)
- Design process flow to integrate TPRM into procurement and contract lifecycle processes.
- Analyze the current vendor list and tier vendors based on the criteria.
- Execute few sample assessments for critical tier vendors.
- Define continuous monitoring strategy and vendor reassessment cadence.
- Support development of vendor security requirements and minimum control expectations.
- Provide executive-ready documentation and maturity improvement roadmap.
- 8+ years of experience in Information Security, Risk Management, or GRC
- Demonstrated experience building or significantly maturing a TPRM program.
- Experience in healthcare, academic medical center, or regulated environments strongly preferred.
- Deep understanding of:
- Third-party risk lifecycle management
- Inherent vs residual risk methodologies
- Security control validation
- Vendor continuous monitoring
- Experience implementing or optimizing process flows in GRC platforms (ServiceNow, Audit Board, Archer, etc.)
- Strong understanding of regulatory requirements affecting healthcare organizations.
- Ability to engage executive stakeholders and translate risk into business terms.
- Excellent documentation and program design skills.
- CISSP, CISM, CRISC, or similar certification
- Experience with:
- Risk quantification methodologies
- AI vendor risk oversight
- Cloud/SaaS vendor assessments
- Mission-critical vendor governance
- Experience working with state-regulated institutions (e.g., Texas DIR, TX-RAMP)
- Experience with GRC Platforms (Audit Board, Service Now, Archer etc.)
