  • Posted: Aug 20, 2025
    Deadline: Not specified
  • BDO LLP provides tax, audit and assurance, accounting, business advisory and outsourcing services to companies across all sectors of the economy. We make the time and effort to understand our clients’ businesses and markets. Our partners and staff are specialists in their fields and have a proactive, flexible approach to helping clients overcome the chal...


    Third Party Risk Manager

    Role Purpose

    The Third Party Risk Manager is responsible for implementation of the BDO third party security framework. This includes assessing the information security risks of our 3rd parties, by evaluating the 3rd parties' security controls and ensuring supplier and supply chain information security risks to BDO and BDO client services are identified, assessed and managed.

    This role reports to the Information Security Manager.

    Principal Accountabilities

    • Leads in the execution and continuous improvement of the information security supply chain framework, which includes ensuring that security controls are implemented within the supply chain lifecycle at BDO
    • Co-ordinates the BDO supplier and supply chain information security risk assessment framework and due diligence procedure, and the delivery of this service to stakeholders
    • Supports risk-based planning for supplier information security due diligence and risk assessment activities
    • Partners with procurement, contract management and other key stakeholders to ensure the end-to-end third-party processes consider information security
    • Coordinates the gathering of vendor risk assessment data and prepares risk assessments for vendors as needed, to be published and communicated to stakeholders
    • Understands and applies relevant regulatory and legal compliance requirements
    • Assesses vendor risks against BDO contractual requirements and controls
    • Assesses third party vendor regulatory compliance
    • Conducts due diligence and assessments of third-party security controls and posture
    • Coordinates the identification and ranking of vendor risks
    • Coordinates the classification and tiering of vendors by risks and risk impacts
    • Communicates identified risk requirements to internal stakeholders
    • Builds communication and escalation plans around vendor risk management activities
    • Ensures that vendor remediation actions, mitigation and contingency plans are identified and communicated to business owners
    • Tracks identified risks and risk events through the supplier lifecycle
    • Maintains required activity and risk metrics and other data
    • Reports on activities related to third party supplier assurance as required
    • Collates, analyses, and tracks evidence provided and gathered via direct and indirect external sources to understand information security supply chain risk
    • Supports review and continual improvement of information security supplier due diligence and risk assessment procedures
    • Together with legal, develops and maintains a set of security contractual clauses and service level agreements

    Knowledge and Experience

    • Demonstrable experience with supplier and supply chain due diligence frameworks, procedures, data gathering and information security risk and controls assessment
    • Experience of supplier information security risk management at all stages of the supplier lifecycle, from procurement, contracting and on-boarding through contract management and off-boarding
    • Experience with business service, system and data architectures
    • Experience of information security audit and assurance
    • Familiarity with formal information security frameworks and certifications such as SOC 2, ISO 27001, CE+, CIS top 20, OWASP
    • Experience with contract review of information security schedules and terms
    • Excellent verbal, written and interpersonal communication skills. Listens and communicates technical subjects to both technical and non-technical audiences, flexing style to suit the needs of the audience.
    • Excellent stakeholder engagement and management experience and skills, with the ability to understand complex business structures and services and to advise senior stakeholders on information security risks, mitigations and management strategies
    • Self-motivated with keen attention to detail
    • Holds a relevant industry certification such as CISSP, CISM, CRISC or equivalent

    Method of Application

    Interested and qualified? Go to BDO UK on careers.bdo.co.uk to apply
