Third Party Risk Management Director

You have a clear vision of where your career can go. And we have the leadership to help you get there. At CNA, we strive to create a culture in which people know they matter and are part of something important, ensuring the abilities of all employees are used to their fullest potential. 

The Third Party Risk Management program at CNA coordinates and performs risk management assessments across cybersecurity, business continuity, compliance, and general operational risk controls throughout the lifecycle of the Third Party relationship. This position is responsible for managing and directing the day-to-day operations of CNA’s Third Party assessment pipeline including the supervision and management of CNA employees and external consultant resources.

JOB DESCRIPTION:

Essential Duties & Responsibilities

Performs a combination of duties in accordance with departmental guidelines:

• Manages those that perform Third Party Risk assessments for complex, sensitive, and escalated Third Party assessments, including those requiring on-site reviews.  In the course of executing these critical and sensitive assessments, evaluates Third Party questionnaire responses, perform control review/validation, and assess documentation per established procedures and standards.

• Perform periodic quality assurance and review of Third Party Risk assessments performed by all assessment team members to ensure that all assessments meet established standards and expectations. Coach, train, and hold those conducting the assessments accountable for following the established processes.

• Leads the team that actively solicits business partner engagement and buy-in by attending, and organizing where appropriate, periodic meetings with business partners to ensure Third Party Risk Management is appropriately meeting business needs.

• Review and submit program analytics to leadership covering process utilization metrics, program Key Performance Indicators, Third Party Risk Key Risk Indicators, and escalation reporting and management. 

• Develop and maintain interaction model with all relevant CNA Business and Risk Stakeholders. Ensure they are appropriately looped into TPRM processes and enabled to support TPRM through workflow, reporting, and analytics

• Provide oversight of day-to-day assessment operations by providing guidance and training to Third Party Risk Management consultant resources,  as required in the course of Third Party Risk Assessment execution.

• Ensure the team is managing assessment execution timelines by leveraging Key Performance Indicators and managing internal/external escalations as needed.

• Oversee Third Party Risk Management’s remediation action/issue management process to ensure timely closure of identified control gaps.

May perform additional duties as assigned.

Reporting Relationship

AVP or above

Skills, Knowledge & Abilities

• Program expertise in Third Party Risk Management best-practices including industry security, business continuity, and data privacy standards, risk assessment testing procedures, issue management processes, and inherent/residual risk calculations

• Ability to manage remote teams, train and coach assessors on internal processes.

• Compelling communicator; demonstrated verbal and written communication skills. 

• Detail oriented with strong organizational skills and ability to manage multiple projects effectively.

• Ability to communicate and simplify technical concepts for those not familiar with risk management concepts, particularly in the context of business stakeholder training.

• Strong interpersonal skills with the ability to work with staff at all levels.

• Proven thought leadership and ability to provide informal guidance to more junior team members.

• Strong knowledge of Microsoft Office Suite and other business-related software systems including processing systems and applications.

Education & Experience

• Bachelor’s degree or equivalent

• Typically at least ten years of experience in Supplier Risk or Third-Party Risk assessment

• Experience managing remote teams

• Experience developing and managing remediation action/incident management processes.

• Experience in developing remediation action/incident management specific reporting and analytics.

• CISSP, CRISC, or CISA highly preferred

In certain jurisdictions, CNA is legally required to include a reasonable estimate of the compensation for this role. In District of Columbia, California, Colorado, Connecticut, Illinois, Maryland, Massachusetts, New York and Washington, the national base pay range for this job level is $97,000 to $189,000 annually. Salary determinations are based on various factors, including but not limited to, relevant work experience, skills, certifications and location. CNA offers a comprehensive and competitive benefits package to help our employees – and their family members – achieve their physical, financial, emotional and social wellbeing goals.  For a detailed look at CNA’s benefits, please visit cnabenefits.com.

CNA is committed to providing reasonable accommodations to qualified individuals with disabilities in the recruitment process. To request an accommodation, please contact leaveadministration@cna.com.