Job Description :
This job works collaboratively to ensure enterprise-wide third party risk management objectives, compliance requirements and departmental metrics are achieved including, but not limited to, execution of supplier risk assessments, conducting third party contract reviews, planning and executing both on-site and remote vendor audits, maintaining enterprise supplier risk profiles in the RSA Archer Vendor Management solution, review and analysis of third party assurance reports (e.g., SOC 1, SOC 2, HITRUST), identification of third party risk and control gaps, and development, monitoring and validation of remediation plans related to supplier sites, systems, software, processes, and procedures. Collaborates cross-functionally with other members of the business, procurement, privacy, legal, information security and other risk and compliance departments to conduct comprehensive internal and external supplier risk assessments in order to support the identification, evaluation, mitigation, and treatment of third party risks and the validation of third party processes and controls.
- Assist with scheduling, delivery, and follow-ups with internal and external supplier contacts to ensure risk questionnaires and other risk assessments are completed timely in order to ensure third party compliance requirements are met across the Enterprise. Receives training and mentoring on multi-faceted supplier relationships, platform customer dependencies, and the review and interpretation of less-complex contract agreements.
- Assist with the completion of third party risk assessment activities according to the Enterprise Technology and Supplier Risk Management policy in order to identify, assess, prioritize, evaluate and address third party business resiliency and continuity, compliance, financial, information security, privacy, and other areas of risk. Prepares work papers, reporting templates and other management reporting deliverables. Prepare all work paper and supporting documentation evidence according to audit quality standards in a consistent manner.
- Follows project plans and third party audit programs to support third party risk identification, mitigation and third party risk treatment processes in coordination with business owners and other stakeholders within task-based budgets. Assists with preparing materials and communicating assessment results during collaborative sessions with Information Security, Privacy, Procurement, Audit, Compliance, and other teams across the enterprise to align third party risk management objectives, third party risk management practices and procedures.
- Follow departmental desk-level procedures, third party risk assessment methodology, assessment procedures, questionnaires, training, etc. and assists with documenting activities which demonstrate and support compliance with departmental metrics, performance of internal control activities, awareness of contractual obligations, regulatory requirements, and assistance with responding to customer inquiries / audits.
- Assist with distributing and gathering inherent risk assessment results to/from business owners and assists with documentation of the stratification of supplier engagement risks. Assists with the development of third party assurance plans (e.g., on-site audit, contract review, financials assessment, purchasing data analysis) to address relevant risk areas and to ensure proper controls are implemented. Gathers, organizes, researches and assists with review and interpretation of information about and provided by third parties (including, but not limited to SOC 1/SSAE16, SOC 2, and HITRUST reports) and assists with supplier research and performing qualitative and quantitative impact assessments based on physical, technical, and administrative safeguards as well as company-specific contractual requirements; assists with conducting additional information gathering and risk assessments with suppliers as-needed; documents and assists with reporting results.
- Assist with documentation and validation of complex data flow/ information sharing activities with suppliers, third party platform customer integration, and information safeguards into simplified and high-level terminology and/or process/data flows. Assist with building and maintaining enterprise supplier risk management reporting dashboards in RSA Archer Vendor Management applications in order to keep information complete, accurate, and current. Prepares and assists with the delivery of supplier risk assurance reports to management.
- Interface with business areas, technical staff, project teams, and third parties to execute cross-functional third party risk assurance projects and to communicate findings and remediation plans. Assist with consultation and supporting activities throughout supplier due diligence processes, assists with the evaluation of third party risks relative to new or existing programs and initiatives that support the enterprise’s strategic direction, core operations, etc.
- Adhere to working relationships with a Enterprise companies to support the management of third party risks across multiple departments (e.g., Government Compliance, Information Security, Procurement, Integrity & Compliance, etc.)
- Adhere to working relationships with all Highmark Health companies to support the management of third party risks across multiple departments (e.g., Government Compliance, Information Security, Procurement, Integrity & Compliance, etc.).
- Assist with providing input and consultation on third party risk and assurance reporting and other terms and conditions in supplier contracts. Assist with consultations with other areas (e.g., Procurement, Privacy, Information Security, Legal) throughout the contract lifecycle along with internal business and contract administration partners. Assist in contract reviews and providing timely feedback on contract terms and conditions as-needed.
- Other duties as assigned or requested.
Master’s Degree – Management Information Systems
- 0-2 years’ experience with Supplier Risk Management or Audit and Compliance or Information Security and Privacy experience
- 0-2 years’ experience in thrid party assurance (SOC 1/SSAE16, SOC 2, HITRUST)
- 0-2 years experience in healthcare, audit or advisory services, or compliance-oriented industry is preferred
- 0-2 years’ experience in information security, legal, privacy, and/or procurement
KNOWLEDGE, SKILLS & ABILITIES
- Understanding of information security and privacy safeguards including HITRUST CSF, information value in the context of third party risk management, and risk-based decision-making (i.e., risk analysis, mitigation, resolution, acceptance, etc.)
- Ability to perform in an effective, cohesive and collaborative manner within a team environment, and ability to build strong and supportive relationships
- Analytical skills
- Excellent interpersonal skills and ability to influence at all levels within and outside of the organization
- Ability to demonstrate initiative, personal drive, tenacity and resilience, while performing responsibilities with integrity and courage. Demonstrate a passion for continuous improvement
- Demonstrate customer service orientation
- Basic verbal and written communication skills
- Ability to learn and build business acumen
Highmark Health and its affiliates prohibit discrimination against qualified individuals based on their status as protected veterans or individuals with disabilities, and prohibit discrimination against all individuals based on their race, color, religion, sex, national origin, sexual orientation/gender identity or any other category protected by applicable federal, state or local law. Highmark Health and its affiliates take affirmative action to employ and advance in employment individuals without regard to race, color, religion, sex, national origin, sexual orientation/gender identity, protected veteran status or disability.
EEO is The Law
Equal Opportunity Employer Minorities/Women/ProtectedVeterans/Disabled/Sexual Orientation/Gender Identity (http://www1.eeoc.gov/employers/upload/eeoc_self_print_poster.pdf)
We endeavor to make this site accessible to any and all users. If you would like to contact us regarding the accessibility of our website or need assistance completing the application process, please contact number below.
For accommodation requests, please contact HR Services Online at HRServices@highmarkhealth.org