Associate, GRC

2 days ago


Remote, India Alvarez and Marsal Full time

**Description**

Alvarez & Marsal (A&M) is seeking a TPVRM GRC Analyst who will play a critical role in managing and enhancing our third-party risk management program. This position will align to the team responsibilities of assessing, monitoring, and mitigating risks associated with third-party vendors, ensuring compliance with regulatory requirements and internal security policies.

Key Responsibilities:
Third-Party Risk Management:

- Liaise with business and external stakeholders to perform comprehensive due diligence risk assessments of third-party vendors and identify risks, whilst maintaining monitoring activities for existing vendors.
- Contribute to process improvements and the development of vendor risk assessment frameworks and questionnaires.

Vendor Assessment & Monitoring:

- Perform due diligence on new and existing vendors, including reviewing SOC reports, certifications, and security controls.
- Monitor vendor performance and compliance through periodic assessments and audits.
- Maintain vendor risk register and track remediation efforts.

Client Security Questionnaires:

- Manage and complete client security questionnaires and assessments to demonstrate the organization’s security posture.
- Collaborate with internal teams (Privacy, Legal, IT) to gather accurate and comprehensive responses.
- Ensure timely delivery of client responses in line with service level agreements.
- Support and contribute to continuous maintenance of the question and response database (Responsive).

Governance & Compliance:

- Ensure third-party vendor activities comply with internal security policies and regulatory requirements.
- Support adherence to A&M Global Security Office policies, procedures, and standards.
- Provide guidance and support to internal stakeholders on third-party risk-related issues.

Client and Vendor Contract Reviews:

- Evaluate security terms in contracts with third parties, suppliers, and business teams to mitigate risks associated with client and vendor engagements.
- Work with legal, privacy and business teams to ensure that contractual obligations align with the organisation’s security policies and compliance requirements.

Risk Reporting & Communication:

- Communicate identified risks and remediation strategies to both technical and non-technical stakeholders.
- Participate in and execute governance activities, including metrics gathering and reporting, and the performance of recurring internal assessment activities.

Qualifications:
Education & Experience:

- Bachelor’s degree in Information Security, Risk Management, Business, or related field.
- Industry-recognized certification in security, e.g., CRISC (Certified in Risk and Information Systems Control), CTPRP (Certified Third-Party Risk Professional), CISSP (Certified Information Systems Security Professional), CISM (Certified Information Security Manager).
- 3+ years of experience in GRC, third-party risk management, or information security.
- Experience in conducting vendor risk assessments and audits.
- Experience in managing and completing client security questionnaires.

Technical Skills:

- Good understanding of security frameworks such as ISO 27001, NIST, etc.
- Familiarity with third-party risk management tools and platforms (OneTrust, OnSpring, Responsive, BitSight, etc.).
- Knowledge of regulatory requirements.

Soft Skills:

- Excellent analytical, problem-solving, and decision-making skills.
- Strong communication and interpersonal skills.
- Ability to work collaboratively with cross-functional teams.
- Detail-oriented with the ability to manage multiple tasks simultaneously.


