Job Title: Third-party risk analyst
Location: Fort Worth, TX (locals only)
Mode of Work: Hybrid
Yrs of experience: 3+
Any Visa
- Key Responsibilities:
- Conduct assessments of third-party vendors to identify and evaluate potential risks
- Review vendor contracts, service level agreements (SLAs), and other legal documents to ensure compliance with AA risk management policies and regulatory requirements
- Collaborate with various stakeholders to gather information and assess the overall risk exposure related to third-party relationships
- Facilitate discussion with third-party vendors to identify potential risk mitigation strategies and controls to address identified risks
- Monitor and track vendor performance, ensuring compliance with contractual obligations
- Provide guidance and recommendations to AA Business Units on selecting and managing third-party vendors
- Maintain documentation of risk assessments, due diligence reviews, and compliance activities
- Stay updated on industry trends, regulatory changes, and emerging risks related to third-party risk management
- Decision making (what decisions will this position be making):
○ Provide vendor risk assessment results to IT / Business owners to determine future vendor relationships.
○ Identify and escalate critical risks and issues to senior management.
○ Facilitate discussion with the vendor and business owner to identify strategies to mitigate risk.
○ Determine the appropriate level of ongoing monitoring required for each vendor relationship.
- Communication (who will this position communicate with and in what capacity):
○ Manager, Third Party Risk Management (TPRM)
■ Report to TPRM Manager and provide progress updates on day-to-day TPRM program operations and activities.
■ Attend regular meetings and reporting to facilitate the exchange of information, alignment of goals, and coordination of efforts between both roles.
○ Business Owner
■ Facilitate review of risk exposure with the business owner to communicate vendor risks
■ Provide risk exposure, mitigation strategies and other information to enable business decision making and business risk acceptance
○ Legal & Privacy
■ Collaborate to ensure third party compliance with relevant laws, regulations, and contractual obligations.
■ Collaborate with the Legal & Privacy teams to help align cybersecurity third party risk management practices with legal requirements and mitigate potential legal risks.
○ IT Vendor Management (ITVM)
■ Collaborate with the Legal & Privacy teams to help align cybersecurity third party risk management practices with IT vendor management policies, standards, and procedures.
○ Cybersecurity Product Teams
■ Engage with cybersecurity product teams to support identification, validation, and remediation of gaps and findings from third-party cybersecurity risk assessments.
■ Engage in effective communication and collaboration between the various cybersecurity product teams.
Minimum Qualifications- Education & Prior Job Experience
- Education (Degree and level of attainment):
○ Bachelor's degree in computer science, information systems, risk management, or a related field.
- Experience (Industry/function and years of experience):
○ Experience (1-3 years) in cyber risk management, vendor management, audit, compliance, information security, or a related field.
○ Familiarity with regulatory requirements and industry best practices related to third-party risk management.
○ Familiarity with vendor risk management principles and best practices, such as managing vendors through their lifecycle from onboarding to termination.
○ Experience in conducting vendor risk assessments in alignment with minimum standards and requirements to identify gaps in vendor controls and facilitate discussion with the vendor to identify potential risk mitigation strategies.
○ Knowledge of relevant cybersecurity frameworks (e.g., NIST CSF, ISO 27001) and regulations (e.g., TSA Cyber Amendment, HIPAA, GDPR).
- Preferred Qualifications:
○ Experience in contract negotiation and vendor management.
○ Familiarity with industry-specific regulations (e.g., TSA, FAA, PCI DSS) and their cybersecurity requirements.
○ Experience working in highly regulated industries such as finance, healthcare, or government.
- Knowledge, skills, and abilities:
○ Ability to work independently and collaborate effectively with cross-functional teams.
○ Strong analytical and problem-solving abilities.
○ Proficiency in conducting risk assessments, evaluating vendor contracts, and identifying potential risks.
○ Familiarity with conducting on-site assessments and evaluating vendors' controls and processes.
○ Knowledge of relevant cyber security standards (e.g., NIST CSF, NIST 800-161, etc.).
○ Knowledge of cybersecurity technologies, tools, and best practices.
○ Familiarity with cybersecurity risk assessment methodologies and frameworks.
○ Ability to stay updated with the latest cybersecurity trends, threats, and regulatory changes