Supplier Risk Management (SRM) Analyst - IBM CISO

Job Description
Position: Supplier Risk Management (SRM) Analyst
Location: Must be able to work onsite in Raleigh, NC or Herndon, VA (Relocation assistance not provided)

The Supplier Risk Management (SRM) Analyst is responsible for supporting the activities related to IBM's Third-Party Risk Management program, responsible for implementing and executing VRM (Vendor Risk Management) across IBM. The goal is to ensure business owners understand and engage with the SRM process, and monitor their respective suppliers' strategic fit, risk management controls, data security, potential changes, compliance with regulatory requirements, and alignment of priorities. The analyst must identify and communicate to the business the associated risks of supplier-provided processes and services in support of operations, ranging from low-risk to critical suppliers.

Job Responsibilities:

• Support the TPRM Program to effectively manage supplier risk in accordance with internal policy and regulatory requirements, ensure strong oversight of all supplier risks and provide visibility of existing and emerging risks.
• Perform initial and periodic risk assessments, and other necessary reviews, to identify, measure and manage third party risks.
• Effectively utilize available evidence including SOC 2 Type 2 reports, ISO 27001 framework certifications, questionnaires, shared intelligence reports such as SIG, commercially available scorecards, etc. to perform risk assessments.
• Identify, categorize and evaluate potential or current service providers as "critical" or "non-critical" using a "Risk-Based Standard", delivering to company leadership a risk-based ranking of the business processes and services that are provided by an independent third party.
• Based upon risk classification, complete analysis of risk factors for IBM suppliers (including any subcontractors with access to IBM data) and ensure the respective business owners are monitoring, reviewing, and mitigating risk associated with service providers using risk factors identified in pertinent IBM standards; for example: Regulatory Compliance, Legal, Financial Stability, Reputation, Operational, Business Continuity/Disaster Recovery, and Information Security.
• Provide dedicated support, integrated with the IBM Procurement system, to the onboarding and oversight of all new and existing third-party supplier relationships.
• Develop, or assist in the enhancement of, the due diligence process to review the control effectiveness of each applicable risk, new and existing.
• Partner and coordinate closely with internal stakeholder areas (i.e. Business units, Corporate Information Security, Procurement, Internal Audit, Legal, etc.) to facilitate and assess third party relationships.
• Develop, or assist in the enhancement of, oversight activities for all new and existing third-party relationships.
• Maintain accountability for accuracy and completeness within the TPRM's system of record.
• Assist with regulatory, internal or other third-party audit requests.
• Prepare regular reporting on vendor risk exposure for all related TPRM activities, and prepare other reports upon request.
• Communicate to business units and cross-functional teams regarding significant third-party events and escalate to senior management, when applicable.
• Contribute within highly collaborative team discussions to support ongoing program enhancements while promoting a positive and energetic agile team culture.
• Complete risk analysis from on-site assessment data, with the assistance of the business and Internal Audit, for critical suppliers.
• Working with the appropriate business users and experts, ensure that for any identified risk that requires mitigating action, including vendor disengagement/replacement, a plan is developed and executed.
• Maintain established relationships with the Business Unit and applicable stakeholders to ensure proper execution and compliance with TPRM standards, policies, and procedures.
• Act as a subject matter expert to assist the business in identifying and mitigating risks on their supplier relationships.
• Promote supplier risk awareness to IBM Business Units and stakeholders.

General Skills:

• Analytical and conceptual thinking - using logic and reason, creative and strategic
• Attention to detail, consistency, dependability.
• Ability to multi-task and prioritize competing deliverables.
• Communication skills - interpersonal, presentation, verbal clarity, and written
• Influencing and negotiation skills
• Problem solving
• Resource management
• Able to work independently
• Skilled in the use of workstation software, i.e. MS Office, web apps, etc.

Required Technical and Professional Expertise

Required Skills:

• 10 years of experience in information security with at least 4-5 years of experience in 3rd party security assessment/management
• Risk Analysis
• Information Security
• Third-party Service provider relationship management
• Knowledge of Cloud Service Providers
• Knowledge of SOC 2 Type 2, and commercially available SaaS risk ratings and scorecards.
• Demonstrated experience with controls-based information security frameworks (e.g., ISO 27001, NIST CSF, etc.)
• Experience with SIG and similar assessments
• Knowledge of Federal regulations applicable to third party risk

Preferred Tech and Prof Experience

• 12-15 years of experience in information security is preferred with at least 4-5 years of experience in 3rd party security assessment/management
• Financial Analysis
• Outsourcing Management
• Certifications: CISA, CRISC, CISM, or CISSP certification preferred

EO Statement
IBM is committed to creating a diverse environment and is proud to be an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, gender, gender identity or expression, sexual orientation, national origin, genetics, disability, age, or veteran status. IBM is also committed to compliance with all fair employment practices regarding citizenship and immigration status.

