Manager, IT Third-Party Risk

Avidity Biosciences, Inc.

San Diego (CA)

Remote

USD 185,000 - 205,000

Full time

Yesterday

Job summary

A leading company in RNA therapeutics is seeking an Associate Director for IT Third-Party Risk. This strategic role involves managing third-party risk and compliance, ensuring alignment with regulatory standards. The ideal candidate will excel in cross-functional collaboration and possess extensive experience in risk governance and analytics. Join a passionate team dedicated to improving lives through innovative RNA therapies.

Benefits

Annual and spot bonuses
Stock options and RSUs
401(k) with employer match
Comprehensive wellness program
Four weeks of time off
Education reimbursement program

Qualifications

  • 6+ years managing a team in third-party risk management.
  • Experience in biotech or highly regulated industries preferred.

Responsibilities

  • Define and lead the third-party risk management strategy.
  • Oversee risk scoring methodologies and vendor risk evaluation processes.
  • Deliver risk dashboards to senior leadership.

Skills

Risk Management
Collaboration
Communication

Education

Bachelor’s degree in Information Security
Advanced degree

Tools

OneTrust
Archer
ServiceNow VRM

Job description

Job Title: Associate Director, IT Third-Party Risk

Location: Remote

Position type: Full time

FLSA: Exempt

Department: IT Security, Infrastructure and EA

Finance ID: 9180-2024-1-P

Profoundly Improve People’s lives by Revolutionizing the Delivery of RNA Therapeutics

At Avidity Biosciences, we are passionate about the impact of every employee in realizing our vision of improving people’s lives by delivering a new class of RNA therapeutics. Avidity is revolutionizing the field of RNA with its proprietary AOCs, which are designed to combine the specificity of monoclonal antibodies with the precision of oligonucleotide therapies to address targets and diseases previously unreachable with existing RNA therapies. If you are a committed, solution-oriented thinker, join us in making a difference and become part of our growing culture that is integrated, collaborative, agile and focused on the needs of patients.

Avidity Biosciences, Inc.'s mission is to profoundly improve people's lives by delivering a new class of RNA therapeutics - Antibody Oligonucleotide Conjugates (AOCs). Utilizing its proprietary AOC platform, Avidity demonstrated the first-ever successful targeted delivery of RNA into muscle and is leading the field with clinical development programs for three rare muscle diseases: myotonic dystrophy type 1 (DM1), Duchenne muscular dystrophy (DMD) and facioscapulohumeral muscular dystrophy (FSHD). Avidity is broadening the reach of AOCs with its advancing and expanding pipeline, including programs in cardiology and immunology through internal discovery efforts and key partnerships. Avidity is headquartered in San Diego, CA. For more information about our AOC platform, clinical development pipeline, and people, please visit www.aviditybiosciences.com and engage with us on LinkedIn and X.

The Opportunity

The Associate Director, IT Third-Party Risk is a strategic leadership role responsible for architecting and advancing Avidity’s third-party risk management (TPRM) and Governance, Risk, and Compliance (GRC) programs. This role is instrumental in designing and operationalizing scalable frameworks that ensure vendors, suppliers, and partners comply with Avidity’s security, privacy, regulatory, and operational risk requirements. As the organization evolves, this leader may also take on additional IT sub-functions aligned to risk and resilience.

This position requires a forward-thinking, technically adept leader who excels at cross-functional collaboration across IT, procurement, compliance, legal, security, and the business. The ideal candidate brings a depth of experience in vendor risk governance, regulatory alignment, risk analytics, and GRC tooling, along with a strong ability to translate risk insights into strategic business decisions.

In addition to owning third-party risk, this role will lead the implementation and optimization of GRC tools (e.g., OneTrust), and oversee privacy-related initiatives such as policy updates, DSAR processing, and cookie consent management. The Associate Director will champion automation and innovation in the TPRM lifecycle, ensuring enterprise-wide risk visibility and operational resilience.

What You Will Contribute

  • Define, lead and continuously evolve the third-party risk management (TPRM) strategy, ensuring alignment with industry standards and regulatory requirements.
  • Design and scale risk governance frameworks that align with regulatory, security, and business needs.
  • Work closely with procurement, legal, compliance, and IT teams to integrate risk-based decision-making into vendor selection and management.
  • Ensure third-party compliance with NIST Cybersecurity Framework (CSF), ISO 27001, FDA, HIPAA, GxP, and other relevant industry standards.
  • Monitor vendor performance, security posture, and compliance with contractual obligations, ensuring continuous risk oversight.
  • Develop and maintain a third-party risk register, tracking identified risks, mitigation plans, and remediation progress.
  • Manage the third-party risk assessment lifecycle, including initial due diligence, ongoing monitoring, and vendor exit strategies.
  • Oversee risk scoring methodologies and implement automation to streamline vendor risk evaluation processes.
  • Direct the configuration, integration, and use of GRC platforms (e.g., OneTrust) to support real-time risk management and compliance oversight.
  • Drive privacy-related compliance processes, including DSAR fulfillment, privacy policy governance, and cookie consent tracking.
  • Serve as the escalation point and lead coordinator for third-party security incident response and containment.
  • Deliver risk dashboards and briefings to senior leadership, providing clear visibility into trends, emerging threats, and program effectiveness.
  • Influence commercial and operational strategies by contextualizing vendor risk in terms of business continuity and readiness.
  • Build a roadmap for continuous improvement, leveraging risk analytics, automation, and threat intelligence to proactively reduce exposure.

What We Seek

  • Bachelor’s degree in Information Security, Risk Management, Business, or a related field (or equivalent experience). Advanced degree is desirable, but not required.
  • 6+ years managing a team, process or program in third-party risk management, vendor risk assessment, or IT security risk management.
  • Demonstrated success in building or scaling TPRM/GRC programs within regulated environments.
  • Advanced knowledge of regulatory and industry standards including FDA, HIPAA, GxP, NIST, and ISO.
  • Hands-on experience with enterprise-grade GRC and vendor risk management platforms (e.g., Archer, OneTrust, ServiceNow VRM).
  • Strategic mindset with the ability to synthesize risk into executive-ready narratives and influence key decision-makers.
  • Strong communication and negotiation skills to drive alignment across legal, IT, procurement, and external partners.
  • Track record of leading incident response and business continuity planning involving third-party risks.
  • Familiarity with privacy-related compliance and tooling, including DSAR handling and consent management.
  • Experience in biotech, pharmaceuticals, or highly regulated industries strongly preferred.

Preferred Certifications or Equivalent Experience

  • Certified Information Systems Auditor (CISA)
  • Certified Information Security Manager (CISM)
  • Certified Third Party Risk Professional (CTPRP)
  • Certified Information Systems Security Professional (CISSP)
  • ISO 27001 Lead Auditor or equivalent experience
  • Certified in Risk and Information Systems Control (CRISC) (Preferred for risk management expertise)

What We Will Provide to You:

  • The base salary range for this role is $185,250 – $204,750. The final compensation will be commensurate with such factors as relevant experience, skillset, internal equity and market factors.
  • Avidity offers competitive compensation and benefits which includes the opportunity for annual and spot bonuses, stock options and RSUs, as well as a 401(k) with an employer match. In addition, the comprehensive wellness program includes coverage for medical, dental, vision, and LTD, and four weeks of time off.
  • A commitment to learning and development which includes a variety of programming internally developed by and for Avidity employees, opportunities for job-specific training offered by industry, and an education reimbursement program.

Avidity Biosciences

10578 Science Center Dr. Suite 125

San Diego, CA

92121

O: 858-401-7900

F: 858-401-7901
