For over 20 years, Smartsheet has helped people and teams achieve–well, anything. From seamless work management to smart, scalable solutions, we’ve always worked with flow. We’re building tools that empower teams to automate the manual, uncover insights, and scale smarter. But more than that, we’re creating space– space to think big, take action, and unlock the kind of work that truly matters. Because when challenge meets purpose, and passion turns into progress, that’s magic at work, and it’s what we show up for everyday.
Smartsheet is seeking a dedicated, experienced Third Party Risk Management (TPRM) Senior Analyst to join our Risk team. This is a high-visibility, cross-functional role that requires sustained focus and ownership; you will be a primary point of contact for vendor risk across the organization, interfacing regularly with cross-functional teams (Legal, Procurement, Privacy, and Information Security) as well as system owners.
This role is a meaningful commitment. You will own a portfolio of vendor assessments and help drive program maturity. We are looking for someone who brings deep focus and genuine investment to this work, the kind of professional who sees TPRM not as a checkbox function but as a critical enabler of trust for a global SaaS platform.
You will report to the Third Party Risk Integration Manager located in the US. This role is eligible for remote work within Costa Rica. You must reside in Costa Rica.
You Will
- Lead end-to-end Third Party Risk Assessments for new and existing vendors, including vendor tiering, scoping, questionnaire management, and findings documentation.
- Own the ongoing monitoring and tracking of vendor risk across Smartsheet's third-party portfolio, ensuring timely follow-up on remediation activities and risk acceptance decisions.
- Evaluate vendor security documentation including SOC 2 reports, penetration testing results, ISO certifications, and other control attestations — and translate findings into clear, actionable risk summaries for stakeholders.
- Drive process improvement initiatives within the TPRM program, identifying opportunities to scale and mature the program through better tooling, automation, and workflow design.
- Collaborate cross-functionally with Legal, Procurement, Information Security, Privacy, and business stakeholders to ensure vendor risk considerations are embedded in sourcing and renewal decisions.
- Leverage AI tools (including Claude and Microsoft Copilot) to increase efficiency in vendor reviews and documentation — while applying sound judgment to review, validate, and take accountability for AI-generated outputs.
- Contribute to broader risk program activities including risk reporting, policy review, and program documentation as part of a lean, high-performing Risk team.
- Support the development of TPRM metrics and reporting to provide leadership with meaningful visibility into the organization's third-party risk exposure.
- Other job duties as assigned
You have
- 5+ years of experience in third party risk management, vendor risk, GRC, information security, audit, or compliance — with direct experience conducting vendor or third-party risk assessments.
- Practical knowledge of one or more risk or regulatory frameworks such as NIST, ISO 27001, COSO, COBIT, AICPA SOC/TSP, PCI DSS, or similar.
- Familiarity with vendor security questionnaire frameworks, including SIG (Shared Assessments) and/or CSA CAIQ.
- Demonstrated ability to review and interpret SOC 2 reports, penetration testing summaries, and other vendor security attestations.
- Experience working in cross-functional environments involving Legal, Procurement, and/or Engineering stakeholders.
- Strong written and verbal communication skills in English, with the ability to translate technical risk findings into clear business language.
- Effective critical thinking and judgment — able to assess risk materiality, prioritize competing demands, and escalate appropriately.
- Comfort working with and evaluating AI-generated content, with a clear understanding of the need to verify outputs before relying on them in risk decisions.
- Adaptability to evolving regulatory requirements and a genuine interest in staying current on the third-party risk landscape.
Nice to have
- Experience with vendor risk management platforms such as AuditBoard, Archer, OneTrust, ServiceNow GRC, Vanta, or Coupa.
- Background in SaaS, cloud, or technology company environments.
- Familiarity with AI-assisted workflows in a GRC or compliance context.
- Experience supporting or contributing to audit processes (e.g., SOC 2, ISO 27001, BARR).
- Relevant certifications such as CISA, CRISC, CTPRP, or equivalent.
- Experience with operational risk across multiple business units, legal entities, or jurisdictions.
Teleworking options from any registered location in Costa Rica (role specific)
Get to Know Us:
At Smartsheet, your ideas are heard, your potential is supported, and your contributions have real impact. You’ll have the freedom to explore, push boundaries, and grow beyond your role. We welcome diverse perspectives and nontraditional paths—because we know that impact comes from individuals who care deeply and challenge thoughtfully. When you’re doing work that stretches you, excites you, and connects you to something bigger, that’s magic at work. Let’s build what’s next, together.
Equal Opportunity Employer:
Smartsheet is an Equal Opportunity (EEO) employer committed to fostering an inclusive environment with the best employees. It is our policy to provide equal employment opportunities to all qualified applicants in accordance with applicable laws in the US, UK, Australia, Germany, Costa Rica, Japan, Bulgaria, and India. All qualified applicants will receive consideration without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, age, protected veteran or disabled status, or genetic information.
If there are preparations we can make to help ensure you have a comfortable and positive interview experience, please let us know.
#LI-Remote