[Hiring] Third-Party Risk Lead Analyst @Builders FirstSource

Role Description

The Third-Party Risk Lead is responsible for leading the end-to-end technology third-party risk lifecycle for BFS. This role partners with Procurement, Legal, IT Architecture, Information Security, Privacy, and Business Owners to evaluate and manage risk for IT vendors and service providers.

• Establishes clear, risk-based decisioning (approve / approve with conditions / defer / reject).
• Defines governance expectations (tiering, control requirements, monitoring cadence, and remediation tracking).
• Drives outcomes through influence rather than direct authority.
• Leverages external security ratings and internal risk data to continuously monitor vendors.
• Ensures vendors are integrated and governed in a manner consistent with BFS security standards and target architecture.

Qualifications

• 5+ years of experience in third-party risk management, cybersecurity risk, or technology risk.
• Bachelor’s degree in Information Security, Information Systems, Risk Management, Business, or a related field (or equivalent practical experience).
• Proven ability to write clear, defensible risk assessments and executive-ready summaries.
• Strong organizational skills with the ability to manage multiple vendor workstreams and deadlines.
• Proficiency with common productivity and reporting tools (Excel, Word, PowerPoint, SharePoint; Power BI preferred).
• Hands-on experience with third-party risk tooling and/or external security ratings.
• Excellent communication and interpersonal skills.
• Ability to operate with ambiguity, take initiative, and drive program outcomes in a fast-paced environment.
• Strong analytical and critical thinking skills.
• Experience performing vendor due diligence and documenting gaps.
• Working knowledge of incident management and third-party incident/breach response expectations.
• Hands-on experience creating or operating risk tiering models and assessment methodologies.
• Strong understanding of the full third-party lifecycle.
• Experience aligning vendor risk requirements to frameworks/standards.
• Experience implementing or optimizing third-party risk workflows in platforms.
• Experience in audit, compliance, or a related control function; relevant certifications are a plus.

Requirements

• Leads architecture development for small projects and supports architectural efforts for medium to large projects.
• Owns and continuously improves the IT Third-Party Risk Management (TPRM) program.
• Partners with Business Owners and Procurement to confirm the business use case and intended modules/functional scope.
• Leads vendor due diligence using questionnaires and evidence.
• Partners with Legal and Procurement to define and negotiate security, privacy, and technology contract requirements.
• Coordinates technical and architecture compatibility reviews with IT and Security Architecture.
• Documents findings in a consistent risk format and tracks remediation actions to completion.
• Maintains vendor risk inventory, risk registers, and dashboards/KRIs.
• Executes ongoing continuous monitoring activities and conducts periodic reassessments.
• Defines and maintains TPRM policies, standards, and procedures.
• Facilitates cross-functional reviews and decision meetings.
• Develops and maintains TPRM playbooks, questionnaire templates, and executive-ready communications.

Benefits

• Medical, dental, vision, and disability insurance plans.
• 401(k) retirement savings plan.
• PTO (including paid sick time).
• 8 paid holidays per year (for salaried and hourly team members).
• Annual bonus eligibility subject to company success and other terms.