Third Party Risk Manager

Job DescriptionIdeas | People | Trust

We’re BDO. An accountancy and business advisory firm, providing the advice and solutions entrepreneurial organisations need to navigate today’s changing world.

We work with the companies that are Britain’s economic engine – ambitious, entrepreneurially-spirited and high‑growth businesses that fuel the economy – and directly advise the owners and management teams leading them.

We’ll broaden your horizons

The Quality and Risk Management Team (QRM) provides leadership, guidance, and tools to help partners and staff manage quality and risk matters. The team is comprised of an Advisory and Compliance Team, a Chief Information Security Office Team, an Economic Crime Team, a Legal Team including a Commercial & Contracts Team, the Independence and Ethics Team and the Regulatory Supervisory Team, plus the Quality Monitoring Team. The team works closely with the firm’s Technical Standards Group and the firm’s leadership.

We’ll help you succeed

Leading organisations trust us because of the quality of our advice. That quality grows from a thorough understanding of their business, and that understanding comes from working closely with them and building long-lasting relationships.

You’ll be someone who is both comfortable working proactively and managing your own tasks, as well as confident collaborating with others and communicating regularly with senior managers, directors, and BDO’s partners to help businesses effectively. You’ll be encouraged to identify and draw attention to opportunities for enhancing our delivery and providing additional services to organisations we work with.

Role Purpose

The Third Party Risk Manager is responsible for implementation of the BDO third party security framework. This includes assessing the information security risks of our 3rd parties, by evaluating the 3rd parties' security controls and ensuring supplier and supply chain information security risks to BDO and BDO client services are identified, assessed and managed.

This role reports to the Information Security Manager.

Principal Accountabilities

• Leads in the execution and continuous improvement of the information security supply chain framework, which includes ensuring that security controls are implemented within the supply chain lifecycle at BDO
• Co-ordinates the BDO supplier and supply chain information security due supplier risk assessment framework and due diligence procedure and delivery of service to stakeholders
• Supports risk-based planning for supplier information security due diligence and risk assessment activities
• Partners with procurement, contract management and other key stakeholders to ensure the end-to-end third-party processes consider information security
• Coordinates the gathering of vendor risk assessment data and prepares risk assessments for vendors as needed, to be published and communicated to stakeholders
• Understands and applies relevant regulatory and legal compliance requirements
• Assesses vendor risks against BDO contractual requirements and controls
• Assess third party vendor regulatory compliance
• Conduct due diligence and assessments of third-party security controls and posture
• Coordinates the identification and ranking of vendor risks
• Coordinates the classification and tiering of vendors by risks and risk impacts
• Communicates identified risk requirements to internal stakeholders
• Builds communication and escalation plans around vendor risk management activities
• Ensures that vendor remediation actions, mitigation and contingency plans are identified and communicated to business owners
• Tracks identified risks and risk events through the supplier lifecycle
• Maintain required activity and risk metrics and other data
• Report on activities related to third party supplier assurance as required
• Collate, analyse, and track evidence provided and gathered via direct and indirect external sources to understand information security supply chain risk
• Supports review and continual improvement of information security supplier due diligence and risk assessment procedures
• Together with legal, develop and maintain a set of security contractual clauses and service level agreements

Knowledge and Experience

• Demonstrable experience with supplier and supply chain due diligence frameworks, procedures, data gathering and information security risk and controls assessment
• Experience of supplier information security risk management at all stages of the supplier lifecycle from procurement, contracting, on-boarding, contract management and off-boarding
• Experience with business service, system and data architectures
• Experience of information security audit and assurance
• Familiarity with formal information security frameworks and certifications such as SOC 2, ISO27001, CE+, CIS top 20, OWASP
• Experience with contract review of information security schedules and terms
• Excellent verbal, written and interpersonal communication skills. Listens and communicates technical subjects to both technical and nontechnical audiences, flexes style to suit the needs of the audience.
• Excellent stakeholder engagement and management experience and skills with the ability to understand complex business structures and services and to advise senior stakeholders on information security risks, mitigations and management strategies
• Self-motivated with keen attention to detail
• Have a relevant industry certification such as CISSP, CISM, CRISC or equivalent

NB: The above list of job duties is not exclusive or exhaustive and the post holder will be required to undertake such tasks as may reasonably be expected within the scope and grading of the post. Job descriptions should be regularly reviewed to ensure they are an accurate representation of the post.

You’ll be able to be yourself; we’ll recognise and value you for who you are and celebrate and reward your contributions to our business. We’re committed to agile working, and we offer everyone the opportunity to work in ways that suit them, their teams, and the task at hand.

At BDO, we’ll help you achieve your personal goals and career ambitions, and we have programmes, resources, and frameworks that provide clarity and structure around career development.

We’re in it together

Mutual support and respect is one of BDO’s core values and we’re proud of our distinctive, people-centred culture. From informal success conversations to formal mentoring and coaching, we’ll support you at every stage in your career, whatever your personal and professional needs.

Our agile working framework helps us stay connected, bringing teams together where and when it counts so they can share ideas and help one another. At BDO, you’ll always have access to the people and resources you need to do your best work.

We know that collaboration is the key to creating value and satisfying experiences at work, so we’ve invested in state-of-the-art collaboration spaces in our offices. BDO’s people represent a wealth of knowledge and expertise, and we’ll encourage you to build your network, work alongside others, and share your skills and experiences. With a range of multidisciplinary events and dedicated resources, you’ll never stop learning at BDO.

We’re looking forward to the future

At BDO, we help entrepreneurial businesses to succeed, fuelling the UK economy.

Our success is powered by our people, which is why we’re always finding new ways to invest in you. Across the UK thousands of unique minds continue to come together to help companies we work with to achieve their ambitions.

We’ve got a clear purpose, and we’re confident in our future, because we’re adapting and evolving to build on our strengths, ensuring we continue to find the right combination of global reach, integrity and expertise. We shape the future together with openness and clarity, because we believe in empowering people to think creatively about how we can do things better.