Risk Manager

BHJOB46386_22616
  • Negotiable
  • Dublin
  • Permanent

Third-Party Risk Management

  • Lead the assessment, onboarding, and ongoing monitoring of third-party vendors and outsourced service providers.
  • Maintain and enhance the organisation’s third-party risk management framework, aligning with industry standards (e.g. ISO 27001) and relevant regulatory requirements (e.g. DORA).
  • Identify, document, and track third-party risks within the information security risk register, and report key risk indicators (KRIs) and metrics as part of regular management reporting.
  • Act as the primary point of contact and subject matter expert for third-party security matters, providing guidance and training to internal teams on best practices.
  • Support incident management processes, including responding to and investigating third-party-related security incidents or breaches, collaborating with internal and external stakeholders as required.

Security Assessments & Audit

  • Partner with vendor management and procurement teams to support security due diligence during vendor selection, as well as periodic reassessments post-onboarding.
  • Conduct on-site and remote security assessments and audits across a geographically distributed vendor base, ensuring compliance with applicable regulations and standards.
  • Evaluate vendor responses to security questionnaires and audit findings, and work with internal stakeholders to assess, prioritise, and track remediation actions.
  • Configure and manage third-party monitoring tools to proactively identify risks and issues.
  • Collaborate with technical teams and external security providers to conduct security testing of third-party services where required.

Governance, Risk & Compliance (GRC)

  • Work closely with Legal, Compliance, and vendor management teams to ensure appropriate security requirements are embedded within contracts.
  • Support broader GRC activities within the information security function, including cross-training and providing backup where needed.
  • Contribute to risk and control assessments related to third-party and information security controls, including coordinating vendor input for activities such as penetration testing and physical security reviews.
  • Ensure compliance with regulatory requirements related to third-party risk, including supporting the reporting and resolution of vendor-related security incidents.
  • Assist with compliance-related requests, including coordination of data access or regulatory obligations.

Role Requirements

  • Approximately 5+ years’ experience in third-party risk management, supplier assurance, or information security.
  • Strong experience operating in a regulated environment (ideally financial services or similar), with exposure to high security and compliance standards.
  • Solid understanding of both technical security controls and governance, risk, and compliance frameworks.
  • Proven experience planning and delivering third-party assessments and audits, including managing remediation activities through to completion.
  • Experience working closely with vendor management, procurement, or supplier governance functions.
  • Strong understanding of regulatory frameworks relating to third-party risk (e.g. DORA).
  • Ability to work independently, take initiative, and proactively identify risks and improvements.
  • Strong stakeholder management skills, with the ability to influence and collaborate across internal teams and external partners.
  • Excellent communication skills, with the ability to clearly explain risks and advocate for appropriate security controls.
  • Experience representing information security in governance forums, vendor reviews, or senior stakeholder meetings.
  • High attention to detail, with the ability to manage competing priorities in a fast-paced environment.
  • Professional certifications in information security (e.g. ISC2, ISACA) or equivalent experience are desirable.
  • Strong English language skills; additional languages are a plus.
  • Willingness to travel occasionally for on-site assessments and audits.

Courtney Raethorne, Senior Recruitment Consultant
