[Hiring] Third Party Risk Management Lead @Sungrow USA Corporation
All Others
Salary usd 120,000 - 1..
Remote Location
🇺🇸 USA Only
Employment Type contract
Posted 2wks ago

2wks ago - Sungrow USA Corporation is hiring a remote Third Party Risk Management Lead. 💸 Salary: USD 120,000 - 160,000 per year 📍 Location: USA

Role Description

Sungrow Americas is seeking a Third Party Risk Management (TPRM) Lead to establish and operate a scalable program for managing vendor, supplier, and third-party risk across the organization. This role is responsible for ensuring that third-party relationships are assessed, governed, and continuously monitored in alignment with regulatory expectations and customer requirements. In parallel, this role will support the development of business continuity and resilience capabilities, including Business Impact Analysis (BIA) and foundational BCDR program elements. This is a program leadership role requiring strong execution, cross-functional influence, and the ability to operate in a regulated, critical infrastructure environment.

Key Responsibilities

  • Third Party Risk Management (Program Ownership)
    • Build and operate the TPRM program lifecycle, including:
      • Vendor intake and risk tiering
      • Security assessments and due diligence
      • Ongoing monitoring and reassessment
    • Define and enforce minimum security requirements for vendors and suppliers
    • Partner with legal and procurement to embed security and risk clauses into contracts
    • Establish processes for exception management and risk acceptance
  • Risk Assessment & Due Diligence
    • Lead execution of third-party security reviews, including:
      • Questionnaires and evidence validation
      • Review of SOC 2, ISO certifications, and supporting artifacts
    • Identify and communicate material risks and required mitigations
    • Ensure alignment to frameworks (NIST, ISO 27001, SOC 2, NERC CIP where applicable)
  • Continuous Monitoring & Issue Management
    • Implement ongoing monitoring capabilities for vendor risk posture
    • Track and drive remediation of identified third-party risks
    • Maintain visibility into fourth-party and supply chain dependencies where relevant
  • Business Continuity & Resilience (BCDR/BIA Support)
    • Support development of Business Impact Analysis (BIA) across critical functions
    • Partner with business and IT stakeholders to define:
      • Critical processes
      • Recovery time objectives (RTO) / recovery point objectives (RPO)
    • Contribute to the development of BCDR plans and testing frameworks
    • Ensure third-party dependencies are integrated into continuity planning
  • Governance, Reporting & Audit Readiness
    • Develop and track TPRM KPIs and risk metrics
    • Provide executive-level reporting on third-party risk posture
    • Maintain documentation and evidence to support:
      • Audits
      • Customer security reviews
      • Regulatory inquiries
    • Ensure program is defensible and repeatable
  • Cross-Functional Collaboration
    • Partner with:
      • Procurement (vendor onboarding)
      • Legal (contractual protections)
      • IT and engineering (technical validation)
    • Act as the central point of coordination for third-party risk decisions

Qualifications

  • 7–10+ years of experience in third-party risk management, GRC, or vendor risk programs
  • Proven experience building or leading a TPRM program in a regulated or enterprise environment
  • Strong understanding of:
    • Vendor risk assessment methodologies
    • Security frameworks (NIST, ISO 27001, SOC 2)
  • Experience reviewing:
    • Security documentation (policies, controls, audit reports)
    • Third-party attestations (SOC 2, ISO certifications)
  • Working knowledge of business continuity and resilience concepts (BIA, BCDR)
  • Ability to drive cross-functional alignment and accountability

Preferred

  • Experience in energy, industrial, or critical infrastructure sectors
  • Familiarity with NERC CIP requirements
  • Experience implementing or operating TPRM platforms/tools
  • Certifications such as CRISC, CISM, CISSP, or CTPRP

Competencies

  • Program Builder: Can stand up and mature TPRM from structure to scale
  • Risk Translator: Converts vendor risk into business and contractual impact
  • Governance-Oriented: Ensures decisions are documented and defensible
  • Cross-Functional Operator: Effective with procurement, legal, IT, and engineering
  • Pragmatic Enforcer: Balances risk reduction with business enablement

Strategic Fit

  • Establishes control over external risk exposure
  • Strengthens customer trust and regulatory alignment
  • Enables defensible procurement and vendor onboarding decisions
  • Builds foundation for enterprise resilience and continuity planning

Travel

  • Up to 10%

Work Location and Status

  • Remote
  • No visa sponsorship

Sungrow is an equal opportunity employer. Due to strong interest in this position, Sungrow will only contact candidates who best meet the requirements. Thank you for your interest in Sungrow.
