Job Title: Third-Party Risk Management (TPRM) Lead
Location: Remote
Duration: 2+ Years
Department: Risk / Compliance / Information Security
Reports To: CISO / Head of Risk / Head of Compliance
Job Overview
We are seeking an experienced Third-Party Risk Management (TPRM) Lead to design, implement, and operationalize a comprehensive TPRM framework from the ground up. The successful candidate will be responsible for building a risk-based TPRM program that aligns with UAE regulatory requirements (CBUAE, UAE PDPL, DIFC-DPL) and integrates global best practices such as ISO 27036, NIST, and GDPR.
The ideal candidate should have prior experience implementing a full-fledged TPRM framework in a UAE-based bank, ensuring third-party due diligence, continuous monitoring, contractual risk management, and regulatory compliance.
Key Responsibilities
1. Develop & Implement the TPRM Framework
- Design and establish a Third-Party Risk Management framework, including policies, procedures, and a governance structure.
- Align the framework with CBUAE outsourcing guidelines, UAE PDPL, DIFC-DPL, GDPR, and ISO 27001.
- Develop a risk-based third-party categorization model based on criticality, data access, and operational dependency.
- Create and maintain a Third-Party Risk Register, tracking vendor risks across multiple domains (cybersecurity, privacy, operational, financial, legal).
2. Vendor Risk Assessment & Onboarding
- Establish due diligence and risk assessment processes for onboarding new vendors.
- Define and implement TPRM assessment criteria for vendor security, data privacy, compliance, and operational resilience.
- Develop risk scoring models & tiered vendor classifications (critical, high, medium, low).
- Collaborate with Procurement, Compliance, and Legal teams to ensure all vendors undergo proper due diligence.
3. Contractual Risk & Compliance Management
- Define privacy and security requirements for vendor contracts, including Data Processing Agreements (DPAs), SLAs, and liability clauses.
- Ensure contractual adherence to UAE data privacy laws, outsourcing regulations, and cybersecurity standards.
- Develop third-party risk assessment checklists for ongoing vendor compliance.
4. Continuous Monitoring & Risk Remediation
- Implement a vendor risk monitoring framework, including periodic audits, security assessments, and compliance checks.
- Develop an incident response and escalation process for third-party security breaches and non-compliance issues.
- Define Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) for tracking vendor risk performance.
- Establish a third-party risk dashboard for real-time tracking and reporting of vendor risks.
5. Regulatory & Audit Readiness
- Ensure the TPRM framework is audit-ready, addressing requirements from CBUAE, UAE Data Office, and DIFC regulators.
- Prepare third-party risk reports for executive management and regulatory bodies.
- Conduct regular TPRM awareness training for internal stakeholders, including IT, Legal, Procurement, and Compliance teams.
Key Qualifications & Experience
- 8+ years of experience in TPRM, Vendor Risk Assessment, or Information Security Risk in a UAE bank.
- Proven track record of implementing a full-fledged TPRM framework in a banking environment.
- Strong knowledge of CBUAE outsourcing regulations, UAE PDPL, DIFC-DPL, GDPR, ISO 27036, and NIST frameworks.
- Experience conducting vendor risk assessments, due diligence, and contract negotiations.
- Expertise in cybersecurity, data privacy, regulatory compliance, and operational risk.
- Familiarity with TPRM automation tools (e.g., Archer, OneTrust, BitSight, or similar).
- Excellent stakeholder management to collaborate with Legal, Procurement, IT Security, and Risk teams.
- Strong communication and leadership skills to drive organization-wide TPRM adoption.
Preferred Certifications
✔ CISSP (Certified Information Systems Security Professional)
✔ CISM (Certified Information Security Manager)
✔ CISA (Certified Information Systems Auditor)
✔ CRISC (Certified in Risk and Information Systems Control)
✔ ISO 27001 Lead Implementer
✔ CCPA/GDPR Practitioner (Preferred for privacy regulations expertise)