hirist

R1 - Cyber Security Manager - NIST

Posted on: 03/11/2025

Job Description

Position Summary :

We are seeking an experienced Sr. Manager Third party Cyber Risk Management to lead our Third-party Cybersecurity risk and governance efforts for India/Philippines market of R1 RCM.

The Senior Manager Third-Party Cyber Risk Management is responsible for leading and executing the organization's cybersecurity oversight of vendors, suppliers, partners, and other external entities.

This role ensures that all third-party relationships align with enterprise security policies, regulatory obligations, and risk tolerance levels.

The individual will own the third-party risk management (TPRM) lifecycle, from onboarding and due diligence to continuous monitoring and remediation, and will serve as the subject matter expert on vendor security governance.

Key Duties & Responsibilities :

Program Leadership & Governance :

- Design, implement, and mature the Third-Party Cyber Risk Management Program aligned with frameworks such as NIST CSF, ISO 27001, HIPAA, CIS Controls, and SOC2.

- Develop and maintain policies, standards, and procedures governing vendor security due diligence, onboarding, monitoring, and offboarding.

- Establish the security exhibit for vendor contracts, enforce compliance with it, and revise it wherever needed.

- Lead governance committees or working groups to discuss vendor risk posture, key issues, and remediation progress with business, procurement, and legal teams.

- Define and track Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) for vendor risk and present them to leadership and risk committees.

Vendor Risk Assessment & Due Diligence :
- Oversee end-to-end third-party risk assessments including questionnaires, evidence review, and validation of security controls.

- Evaluate vendors against recognized security frameworks (e.g., SOC 2, ISO 27001, PCI DSS, NIST CSF, HIPAA/HITRUST).

- Manage inherent and residual risk scoring models to prioritize vendors based on business impact and data sensitivity.

- Perform or oversee onsite or virtual vendor audits for high-risk vendors and ensure timely closure of identified gaps.

- Work closely with Procurement and Legal to integrate cybersecurity clauses and right-to-audit provisions in vendor contracts.

Continuous monitoring and remediation :
- Implement and manage continuous monitoring tools and processes (e.g., SecurityScorecard, Recorded Future) to detect vendor security posture changes.

- Ensure that remediation plans are documented, tracked, and closed within defined SLAs.

- Coordinate periodic reassessments of critical and high-risk vendors to verify ongoing compliance.

- Manage escalation processes for non-compliant or high-risk vendors, including executive reporting and remediation oversight.

- Perform internal audits against client security requirements to proactively prepare and improve organizational security posture.

Collaboration and stakeholder management :
- Partner with Business Units, Procurement, Legal, Privacy, and IT Security teams to ensure security risk is addressed in all third-party engagements.

- Collaborate with Legal and Compliance to support external audits and regulatory reviews involving third-party risk.

- Provide subject matter expertise during M&A due diligence, supplier transitions, or strategic partnerships.

- Deliver training and awareness to business and procurement teams on vendor security best practices.

Reporting and metrics :
- Maintain a vendor risk register and ensure accurate documentation of risk decisions, exceptions, and compensating controls.

- Prepare executive dashboards and periodic reports summarizing vendor risk trends, findings, and remediation status.

- Support board-level reporting on supply chain and vendor cyber risks.

Experience, Skills & Knowledge :

- 7 to 10 years of total experience in information security, risk, or compliance roles.

- At least 5 years of direct experience in third-party or vendor cyber risk management.

- Strong understanding of supply chain security, cloud vendor assessments, data privacy, and regulatory compliance (HIPAA, PCI DSS, GDPR, etc.).

- Experience using GRC and vendor risk management platforms (e.g., Archer, Auditboard, or similar).

- Proven track record of leading remediation governance and cross-functional collaboration across business, IT, and legal teams.

- Proven experience managing third-party cybersecurity risk and audit programs at scale.

- Excellent communication skills, with ability to interface with clients, vendors, operational, legal, and IT leadership.

Key Competencies :
- Certified Information Security Manager (CISM).

- Certified Information Systems Auditor (CISA).

- Certified in Risk and Information Systems Control (CRISC).

- HITRUST CCSFP or ISO 27001 Lead Implementer.