What you'd actually do

Aggregate and analyze third-party risk signals to deliver actionable insights focused on data protection, cybersecurity, and resilience.

Govern standards for third-party risk decision artifacts (e.g., risk statements, residual risk framing, materiality thresholds, issue taxonomy, and escalation expectations).

Review and challenge onboarding, assessment, and monitoring outputs to ensure completeness, consistency, and defensibility of conclusions and remediation expectations.

Perform thematic analysis across the third-party portfolio to identify emerging risks, root-cause patterns, and concentration hot spots, and escalate material themes through governance forums.

Advise on business cases for new or expanded third-party engagements, including reuse opportunities, risk trade-offs, and control uplift levers (standardization and contractual terms).

Skills

Required

Expertise in control management in financial services, focused on compliance and operational risk mitigation.
Third-party risk experience across the vendor lifecycle (onboarding, assessment, control validation, monitoring, issue management, and exit).
Ability to synthesize assessment outputs into executive-ready insights (themes, emerging risks, residual risk framing, and recommendations).
Cybersecurity and technology risk fluency, including ability to assess vendor security posture using common artifacts (e.g., SOC 2, ISO 27001, SIG/CAIQ).
Working knowledge of cloud/SaaS control domains, such as IAM, encryption, logging/monitoring, vulnerability management, incident response, SDLC controls, and dependency/concentration risk.
Ability to translate technical risk into clear business impacts, trade-offs, residual risk statements, and recommended mitigations for senior stakeholders.
Strong data literacy, including defining and tracking KRIs/KPIs and performing structured analysis from models/diagrams to insights.

Nice to have

Experience building portfolio insights and governance routines, including taxonomy design, MI standards, thresholds, trend analytics, and issue classification.
Experience using automation or advanced analytics (including AI/ML approaches) to improve monitoring and insights generation.
Operational resilience expertise, including service mapping concepts, recovery expectations, dependency analysis, and vendor failure-mode impact narratives.
Strong executive presence and influencing skills to align stakeholders, challenge decisions appropriately, and drive remediation prioritization.
Business and market context awareness to align third-party risk decisions with client, regulatory, and operational expectations.
Mentoring/coaching capability to build team discipline in risk thinking, documentation quality, and continuous improvement.

Join a controls team where your judgment and communication skills directly influence how we adopt and manage third parties safely. You’ll work with partners across technology, procurement, legal, compliance, and operational risk to turn complex security and resilience findings into clear, business-ready decisions. If you enjoy connecting technical detail to real-world outcomes—and constructively challenging when needed—this role gives you a wide platform for impact.

As a Third Party Risk & Controls Insights Lead in CIB Controls, you own the insights agenda across the third-party lifecycle—onboarding, change, ongoing monitoring, and exit—so leaders have consistent, defensible, decision-grade risk conclusions. You synthesize and challenge third-party assessment outputs (with a focus on data, cybersecurity, and resilience), translate technical evidence into clear narratives and recommendations, and strengthen the quality and consistency of risk decision artifacts. You’ll partner closely with business control managers and cross-functional stakeholders to improve risk visibility, align control expectations, and support responsible vendor adoption.

Job Responsibilities

Aggregate and analyze third-party risk signals to deliver actionable insights focused on data protection, cybersecurity, and resilience.
Govern standards for third-party risk decision artifacts (e.g., risk statements, residual risk framing, materiality thresholds, issue taxonomy, and escalation expectations).
Review and challenge onboarding, assessment, and monitoring outputs to ensure completeness, consistency, and defensibility of conclusions and remediation expectations.
Perform thematic analysis across the third-party portfolio to identify emerging risks, root-cause patterns, and concentration hot spots, and escalate material themes through governance forums.
Advise on business cases for new or expanded third-party engagements, including reuse opportunities, risk trade-offs, and control uplift levers (standardization and contractual terms).
Evaluate cloud and SaaS architectures to identify material control gaps (e.g., IAM, encryption/key management, logging/monitoring, segmentation, data residency, dependency chains, concentration risk).
Define and maintain an insights framework including taxonomy mapping, KRI/KPI definitions, thresholds, trends, and executive dashboards.
Produce executive-ready governance materials summarizing themes, exceptions, systemic issues, decision requests, and residual risk positions for senior stakeholders.
Partner across controls, technology, procurement, legal, compliance, operational risk, and business teams to maintain a single, consistent narrative on third-party risk posture and priorities.

Required Qualifications, Capabilities, and Skills

Expertise in control management in financial services, focused on compliance and operational risk mitigation.
Third-party risk experience across the vendor lifecycle (onboarding, assessment, control validation, monitoring, issue management, and exit).
Ability to synthesize assessment outputs into executive-ready insights (themes, emerging risks, residual risk framing, and recommendations).
Cybersecurity and technology risk fluency, including ability to assess vendor security posture using common artifacts (e.g., SOC 2, ISO 27001, SIG/CAIQ).
Working knowledge of cloud/SaaS control domains, such as IAM, encryption, logging/monitoring, vulnerability management, incident response, SDLC controls, and dependency/concentration risk.
Ability to translate technical risk into clear business impacts, trade-offs, residual risk statements, and recommended mitigations for senior stakeholders.
Strong data literacy, including defining and tracking KRIs/KPIs and performing structured analysis from models/diagrams to insights.

Preferred Qualifications, Capabilities, and Skills

Experience building portfolio insights and governance routines, including taxonomy design, MI standards, thresholds, trend analytics, and issue classification.
Experience using automation or advanced analytics (including AI/ML approaches) to improve monitoring and insights generation.
Operational resilience expertise, including service mapping concepts, recovery expectations, dependency analysis, and vendor failure-mode impact narratives.
Strong executive presence and influencing skills to align stakeholders, challenge decisions appropriately, and drive remediation prioritization.
Business and market context awareness to align third-party risk decisions with client, regulatory, and operational expectations.
Mentoring/coaching capability to build team discipline in risk thinking, documentation quality, and continuous improvement.