AML RightSource

Third Party Risk Management (TPRM) Lead - Krakow, Poland

AML RightSource  •  Kraków, PL (Onsite)  •  3 hours ago

Job Description

The Third Party Risk Management (TPRM) Lead is responsible for designing, implementing, and operating the enterprise-wide Third Party Risk Management framework. This role leads the transformation of the current vendor onboarding and oversight process into a structured, scalable, and risk-based TPRM program aligned with regulatory expectations and the organization's risk appetite.

The TPRM Lead partners cross-functionally with Information Security, Privacy, Legal, IT, and Business stakeholders to ensure third-party risks are appropriately identified, assessed, monitored, and mitigated throughout the vendor lifecycle.

Key Responsibilities:

  • Lead and administer the global Third Party/vendor review program, including risk rating of new vendors, managing the end-to-end onboarding process, and conducting annual reviews of existing material and high-risk vendors.
  • Implement a formal Third Party Risk Management framework aligned with industry standards and best practices.
  • Establish procedures covering vendor onboarding, ongoing monitoring, and vendor offboarding.
  • Organize and maintain centralized repositories for relevant Third-Party Risk and metrics documents.
  • Establish and maintain a centralized vendor inventory with risk classification and ownership tracking.
  • Review and redesign vendor onboarding workflows and intake questionnaires.
  • Ensure onboarding requirements align with Information Security requirements, Privacy and data protection requirements, and regulatory and compliance expectations.
  • Develop and implement standardized vendor risk assessment questionnaires.
  • Define minimum evidence and documentation requirements, including certifications, control attestations, and security documentation.
  • Establish review, escalation, and approval workflows for vendor assessments.
  • Perform specialized reviews with Information Security and Privacy teams, including technical assessments and Data Protection Impact Assessment (DPIA) where required.
  • Design and implement a structured vendor monitoring and annual review program.
  • Track vendor risk posture over time and ensure timely reassessments and remediation follow-up.
  • Support customer due diligence processes and reduce repetitive inbound security questionnaires through centralized documentation.
  • Assess and integrate evolving regulatory requirements impacting third-party risk management, including EU AI Act considerations where applicable.
  • Ensure AI-related vendor risks are identified and addressed within the TPRM framework.
  • Monitor emerging regulatory, technology, and operational risks relevant to vendor management practices.
  • Lead remediation and reduction of existing vendor reviews and alerts using a risk-based prioritization approach.
  • Serve as the primary point of contact for third-party risk management matters across the organization.
  • Develop and maintain TPRM metrics, dashboards, and reporting capabilities.
  • Provide regular reporting and program updates for Risk & Compliance leadership.
  • Partner with Legal to ensure that Non-Disclosure Agreements (NDAs) are properly executed where required.
  • Serve as the primary point of contact for Third Party adverse media escalations (perform Level 2 disposition).
  • Support internal audits, external audits and certifications (e.g. SOC 2, ISO 27001), and customer due diligence activities.
  • Help identify and lead initiatives to ensure that compliance activities throughout the organization remain effective and aligned with SOC 2 and ISO 27001 requirements.
  • Assist with generating responses to Client Due Diligence requests.
  • Assist with the execution of compliance related activities such as our Business Continuity/Disaster Recovery exercises, risk matrix reviews, incident response tabletops, etc.
  • Analyze software to ensure compliance with intellectual property (IP) rights.
  • Support broader compliance activities as needed.

Required Qualifications & Skills:

  • 3–5 years of experience in Third Party Risk Management, Vendor Management, Information Security, Compliance, Risk, Audit, Privacy, or related operational function.
  • Experience supporting vendor onboarding, risk assessments, compliance reviews, privacy reviews, or governance processes.
  • Ability to coordinate cross-functional activities involving Information Security, Privacy, Legal, and Business stakeholders.
  • Experience reviewing vendor documentation such as SOC 2 reports, security questionnaires, certifications, privacy documentation, or compliance evidence is preferred.
  • Familiarity with privacy and data protection requirements impacting third-party risk management, including GDPR concepts, DPIAs, and data processing considerations.
  • Strong analytical and problem-solving skills with attention to detail.
  • Effective written and verbal communication skills, including the ability to communicate risk, privacy, and process requirements clearly to stakeholders.
  • Experience working with governance, risk, compliance, procurement, ticketing, or vendor management tools (e.g., JIRA) is preferred.
  • Ability to support process improvement initiatives and help implement scalable governance practices.
  • Relevant certifications such as CIPP/E, Security+, ISO 27001 Foundations, CISA, CRISC, or similar are a plus.

Minimum salary: 14,166 PLN gross/month

Additional components of our benefits package:

  • Comprehensive private medical healthcare

  • Remote work options subject to the type of position or project

  • The option to join a group private insurance plan (subject to a fee)

  • MyBenefit Cafeteria including Multisport

  • Annual discretionary bonus, subject to both company performance and individual contribution

  • Employee Assistance Program (EAP)

  • Access to goFLUENT language learning platform

AML RightSource is committed to fostering a diverse work environment and is proud to be an equal opportunity employer. We provide equal employment opportunities to all qualified applicants without regard to race, color, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by federal, state, or local laws.

Any information concerning breaches of law during the recruitment process should be reported to pl.whistleblowing@amlrightsource.com. Upon request, you will be provided with the Internal Procedure for reporting and following up on breaches of law, adopted by the Company on the basis of the Whistleblower Protection Act.

Recruitment Scam Alerts

We’re aware of an increase in recruitment scams where individuals falsely claim to represent AML RightSource. These scammers may ask for money or personal information by offering fake job opportunities through e-mail, text message or social media. Please verify the source of any job-related communications carefully. All official AML RightSource communications are conducted through "@amlrightsource.com" email addresses. If you encounter suspicious messages, do not respond.

About AML RightSource

AML RightSource is the leading firm solely focused on Anti-Money Laundering (AML)/Bank Secrecy Act (BSA) and financial crimes compliance solutions.

AML RightSource provides highly-trained AML/BSA professionals to assist banks and non-bank financial institutions to meet day-to-day compliance tasks. Services include transaction monitoring, alert backlog management, enhanced due diligence reviews, fraud, and financial crimes advisory matters.

Our highly trained workforce of analysts and subject matter experts includes the industry's largest team of full-time professionals. We typically provide our services directly from our secure facilities in Ohio, Arizona, New York, and Ontario. AML/BSA staff augmentation services can be provided on site on request.

Industry
Finance & Insurance
Company Size
5,001-10,000 employees
Headquarters
Cleveland, OH