Senior Vendor Risk Management Specialist - Hybrid - Sacramento, CA

TITLE: SENIOR VENDOR RISK MANAGEMENT SPECIALST
STATUS: EXEMPT
REPORT TO: MANAGER – VENDOR RISK MANAGEMENT 
DEPARTMENT: RISK MANAGEMENT
JOB CODE: 11381

Pay scale: $98,600.00 - $118,000.00 Annually

GENERAL DESCRIPTION:

The Senior Vendor Risk Management Specialist is responsible for utilizing the Credit Union’s risk management framework to identify, assess, measure, monitor and help mitigate the financial, reputational, regulatory, and operational risks (among others) throughout the lifecycle of Golden 1’s third-party relationships.

This individual will work to identify, assess, and create mitigation plans for third-party risks through the execution of the Vendor Risk Management Program specifically in the areas of vendor due diligence, risk assessment, and ongoing monitoring. Works with various internal stakeholders, including business owners, technology, information security, finance, compliance and legal to identify and assess third-party risks and implement controls and processes as well as monitor ongoing risks and mitigation efforts.

The Senior Vendor Risk Management Specialist will provide a broad range of third-party risk analysis, reporting and/or support to various key stakeholders, including business owners, internal subject matter experts (SMEs) and vendor partners. This role must be a champion of our overall enterprise risk management approach and acts as a subject matter expert in providing guidance/advice on third-party risk related matters.

Assists in the development and deployment of various third-party risk management tools, practices, and policies used to analyze and report third-party risks, and to manage risks in alignment with an enterprise risk management framework. Provides key inputs into the company's risk management or other committees that oversee third-party management processes and ensures alignment with organizational objectives.

TASKS, DUTIES, FUNCTIONS:

1. Support all Vendor Risk Management (VRM) activities to proactively identify, evaluate, and mitigate risks. Serve as a subject matter expert for vendor risk management.
2. Develop and direct third-party risk assessment and ongoing performance monitoring practices and procedures, as well as an annual review prioritization process. Supports internal stakeholders in third-party risk identification, assessment, and reporting.
3. Provide third-party/vendor risk management advisory services, education and training to leaders and business units across the organization. Independently facilitate or lead stakeholder meetings and management briefings on relevant issues, risks, or trends, associated with enterprise-level third-party risks.
4. Tactfully yet assertively challenge assumptions and perspectives on third-party risk throughout the organization. Recommend improvements to policies, procedures, and practices to reduce costs, improve internal controls and/or drive efficiencies.
5. Contribute to risk committee materials, including creating and updating third-party risk management reports and presentations on the evaluation of program effectiveness, level and direction of third-party risks, key and emerging risks, and status of previously identified risk and control issues.
6. Analyze vendor profile information to determine the tier/risk level classification of the vendor. Work with business owners and/or other key stakeholders to ensure correct classification of vendor. Coordinate the completion of vendor questionnaires and the fulfilment of the due diligence request list with the business owner, ensuring completion of all vendor onboarding steps.
7. Provide initial and ongoing comprehensive assessments of the third party’s risk through review of due diligence, key stakeholder/SME evaluation of due diligence, risk assessment, and audited reports of controls. Schedule and conduct Vendor Risk Assessment meetings with business owners and key stakeholders, as needed, and ensure appropriate signoffs are received.          
8. Partner with assigned business units to ensure assessments are completed accurately and timely, including the identification of risk concerns and the recommendation of control enhancements, and that due diligence and ongoing monitoring requirements are fulfilled. Interact with business unit personnel to train and guide the completion of risk assessments, due diligence, and ongoing monitoring to support their compliance with third party risk management policies.
9. Ensure vendor relationships are accurately risk rated and documented in the vendor management system. Collaborate with business owners to ensure appropriate vendor monitoring documentation is obtained, reviewed, and analyzed on a timely basis. Identify risk-related issues needing escalation to management.
10. Proactively work to improve the quality of vendor/third-party risk data, including ensuring vendor/vendor services inventory is complete. Validate and monitor gaps identified during the risk assessments process, due diligence, and ongoing monitoring to support adherence to third party risk management policies. Identify risk-related issues needing escalation to management.
11. Ensure vendor/third-party issues and concerns (e.g., oversight deficiencies, program concerns, and risk-related issues) are reported and escalated, as appropriate. Provide concise written updates to management on progress, problem situations and recommend solutions.
12. Develop and maintain strong, collaborative working relationships with key stakeholders across business and corporate areas (e.g., Legal, Compliance, Information Security, Information Technology, etc.) on vendor processes and as needed to accomplish credit union strategic goals.
13. Contribute to and make recommendations for the development of business processes, procedures, and delivery strategies for managing vendor/third-party risk.
14. Complete research, analysis and make recommendations on workflows and system enhancements, striving for process efficiencies and improved functionality within the vendor management software.
15. Maintain an ever-growing knowledge of third-party/vendor risk management and industry trends, best practices and techniques that can be practically applied at Golden 1. Partners with external agencies and peer companies to coordinate information exchange and leverage best practices for third-party/vendor management.
16. Perform other duties as required, such as lead and/or contribute to special projects and initiatives that support the Vendor Risk Management Program and/or key focus areas of the organization.
17. Maintain a thorough understanding of state and federal laws and regulations related to credit union compliance including bank secrecy and anti-money laundering laws appropriate to the position.

PHYSICAL SKILLS, ABILITIES, AND EXERTION UTILIZED IN THE PERFORMANCE OF THESE TASKS:

1. Outstanding oral, written, and presentation skills required.
2. Strong interpersonal (people) and diplomacy skills required. Must have the ability to guide, negotiate, influence, and interact with various staff, and levels of management, including senior leadership.
3. Excellent prioritization skills, to effectively conduct and manage multiple priorities and meet tight deadlines required.
4. Must possess sufficient manual dexterity to skillfully operate an on-line computer terminal and other standard office equipment, such as financial calculators, personal computer, facsimile machine, and telephone.

ORGANIZATIONAL CONTACTS & RELATIONSHIPS:

1. INTERNAL: All levels of staff and management, including senior and executive-level leadership.

EXTERNAL: Vendor key contacts and account managers, industry associates and others as needed.

QUALIFICATIONS:

1. EDUCATION: Bachelor’s degree preferred or the equivalent combination of education and experience.
2. EXPERIENCE: Minimum of five (5) years or more relevant experience in vendor/third-party risk management, audit, compliance, or risk management in a financial institution required. Experience designing and implementing third-party/vendor risk management programs or processes is preferred.
3. KNOWLEDGE/SKILLS:  

• Demonstrated/strong knowledge of third-party/vendor lifecycle management programs, practices and processes inclusive of risk management methodologies for identification, analysis, mitigation/control, communication, monitoring, reporting and escalation.
• Strong knowledge of current regulations and compliance requirements as it relates to third-party relationships.
• Advanced understanding of various risks associated with third parties such as: information security/cyber risk, privacy risk, operational risk, physical security risk, business resilience risk, financial risk, reputational risk, regulatory risk, compliance risk. 

• Strong analytical, problem-solving and workflow analysis skills, including demonstrated ability to quickly synthesize information from various sources, identifying key points and issues.
• Demonstrated ability to apply judgment around risk management and control frameworks and industry best practices and make sound risk/reward decisions using a balance of data, logic, and intuition to inform critical business strategies and processes.
• Excellent interpersonal and customer service skills; ability to negotiate, influence, and build collaborative, cross-organization relationships, even in difficult situations.
• Must have strong communication (verbal, written and presentation) skills, including ability to convey complex situations and relationships concisely to management and executive level audiences.
• Strong organizational skills, with a high degree of initiative and ability to self-start and self-prioritize assignments and make timely and effective decisions.
• Strong process facilitation, process management and improvement skills; ability to independently and effectively handle multiple priorities and deliver high quality results within tight deadlines.
• Ability to negotiate, influence, and build collaborative, cross-organization relationships, even in difficult situations. Demonstrated ability to think critically and facilitate change through collaborative effort.
• Solid work ethic and able to work effectively both independently and in a team.
• High ethical standards and discretion in handling highly confidential information.
• Highly proficient in Microsoft Office (Word, Excel, Visio, Outlook, PowerPoint). Knowledge of vendor management software.

PHYSICAL REQUIREMENTS:

1. 1. Prolonged sitting throughout the workday with occasional mobility required.
   2. Corrected vision within the normal range.
   3. Hearing within normal range.  A device to enhance hearing will be provided if needed.
   4. Ability to lift 15 lbs. as may be required. 
   5. Occasional movements throughout the department daily to interact with staff, accomplish tasks, etc.
   6. Unusually long or inconsistent hours may be required to accomplish tasks.
   7. Travel may be needed to accomplish tasks. Overnight travel is sometimes necessary. Occasional weekend and evening schedules required.

LICENSES/CERTIFICATIONS:

• Relevant vendor/third-party risk management certifications or credentials beneficial (e.g., CRVPM 1,2,3, and/or 4).

THIS JOB DESCRIPTION IN NO WAY STATES OR IMPLIES THAT THESE ARE THE ONLY DUTIES TO BE PERFORMED BY THIS EMPLOYEE.  HE OR SHE WILL BE REQUIRED TO FOLLOW OTHER INSTRUCTIONS AND TO PERFORM OTHER DUTIES REQUESTED BY HIS OR HER SUPERVISOR THAT ARE WITHIN HIS / HER KNOWLEDGE, SKILL AND ABILITY AS WELL AS HIS / HER MENTAL AND PHYSICAL ABILITIES.

REV. 4/12/2023