Global Director, Third-Party Risk Management

Grant Thornton


Job Location:

Dublin - Ireland

Monthly Salary: Not Disclosed
Posted on: 19 hours ago
Vacancies: 1 Vacancy

Job Summary

Description

Global Director, Third-Party Risk Management

The Global Director of Third-Party Risk Management (TPRM) is responsible for establishing, leading, and maturing Grant Thornton's enterprise-wide Third-Party Risk Management program. This leader oversees the design, implementation, governance, and continuous improvement of the firm's global TPRM framework, lifecycle processes, risk assessments, due diligence standards, monitoring practices, reporting, and enabling technologies.

This role provides firm-wide leadership to ensure effective management of risks associated with third-party relationships, including information security, privacy, operational resilience, geopolitical, compliance, ESG, financial, reputational, technology, and fourth-party risks. The Director serves as the central point of coordination for third-party risk across global platform firms, service lines, and internal client services (ICS) functions.

The Director partners closely with procurement, legal, information security, privacy, technology, ESG, business continuity, and compliance teams to ensure consistency, alignment to regulatory expectations, and risk-based oversight at scale. The role also drives global stakeholder engagement, training, communication, and adoption of the TPRM operating model, ensuring strong participation and accountability across the enterprise.

Key Responsibilities

1. Program Leadership & Governance

  • Lead, maintain, and continuously evolve the enterprise-wide TPRM Framework, ensuring alignment with regulatory requirements, industry standards, and Grant Thornton business objectives.
  • Establish program governance, steering routines, documentation standards, and lifecycle oversight across global service lines and internal support units.
  • Translate firm-wide risk appetite and strategic priorities into actionable TPRM policies, procedures, thresholds, and risk-based methodologies.
  • Oversee global compliance with the TPRM Policy, supporting audits, regulatory inquiries, QC-1000 / ISQM-1 assessments, and internal assurance activities.

2. Global Risk Assessment & Due Diligence Oversight

  • Oversee the design, maintenance, and continual refinement of the Inherent Risk Assessment (IRA), residual risk methodologies, scoring models, and risk domain applicability logic.
  • Ensure high-quality, standardized due diligence processes across all risk domains, including information security, privacy, operational resilience, compliance, geopolitical, ESG, financial, fourth-party, reputational, and technology risk areas.
  • Ensure due diligence questionnaires (DDQs), evidence requirements, and domain-specific assessments remain current, risk-aligned, and regulator-ready.
  • Oversee the residual risk evaluation process, risk escalation pathways, and formal risk acceptance workflows.

3. Global TPRM Lifecycle Management

  • Ensure the TPRM lifecycle is operationalized consistently across all global regions: planning, risk identification, risk assessments, due diligence, contract negotiation support, ongoing monitoring, and renewal/termination.
  • Partner with procurement, IT vendor management, and legal to ensure seamless integration of TPRM requirements into sourcing, contracting, and vendor management processes.
  • Support contract negotiation by ensuring required risk-based terms, SLAs, privacy/security obligations, and geopolitical restrictions are incorporated into agreements.
  • Oversee the design and effectiveness of contingency planning requirements for critical third parties.

4. Technology Ownership & Data Governance

  • Serve as the business owner of the firm's TPRM technology (e.g., OneTrust), driving design, enhancements, configurations, workflows, dashboards, and integrations.
  • Establish and maintain the inventory of third-party services, risk assessments, metrics, and reporting within the TPRM technology system.
  • Ensure the system of record supports consistent execution, documentation, auditability, and enterprise-level analytics.

5. Monitoring, Reporting & Metrics

  • Lead the development and delivery of enterprise reporting on inherent/residual risk, concentration risk, domain results, issues and remediation, SLA performance, monitoring completion, and geopolitical exposures.
  • Provide actionable insights and trend analysis to executive leadership and board-level committees.
  • Drive remediation oversight and ensure issues are resolved within required timeframes.

6. Stakeholder Engagement & Global Enablement

  • Provide training, communication, and change management support for all stakeholders, including domain owners, service lines, support functions, and procurement teams.
  • Partner with global platform firms to harmonize TPRM practices and support cross-border vendor oversight.
  • Serve as a strategic advisor to senior leadership on emerging risks, regulatory expectations, and transformation opportunities.

7. Continuous Improvement & Future Maturity

  • Identify and implement program enhancements aligned to the TPRM Framework's long-term maturity roadmap (e.g., risk appetite metrics, key risk indicators, additional domains, expanded control testing, independent validation).
  • Evaluate changing regulatory landscapes, including privacy laws, DOJ guidance, OFAC sanctions, technology/cyber regulations, QC-1000/ISQM-1, ESG standards, and global data sovereignty requirements.
  • Drive innovation in automation, AI-enabled risk analysis, peer benchmarking, and advanced monitoring tools.

Qualifications

  • 10 years of experience in Third-Party Risk Management, enterprise risk, supplier risk, procurement risk, information security risk, compliance, privacy, or related disciplines.
  • Deep understanding of TPRM frameworks, risk domains, TPRM technology platforms, and regulatory expectations for outsourcing and vendor oversight.
  • Experience implementing and maturing risk assessment methodologies, DDQs, dashboards, and end-to-end lifecycle processes.
  • Strong experience partnering with information security, privacy, legal, procurement, business continuity, and senior leadership teams.
  • Demonstrated ability to manage global stakeholders and drive enterprise-scale adoption of complex risk programs.
  • Excellent leadership, communication, presentation, and stakeholder-management skills.
  • Fluency in English, both spoken and written.
  • Strong analytical and problem-solving abilities, with demonstrated experience interpreting risk data and producing executive-level insights.

Preferred

  • Prior experience in professional services or a regulated industry environment.
  • Certification(s) such as: CISM, CRISC, CISA, CISSP, CIPP, PMP, or similar.
  • Experience with OneTrust or comparable TPRM platforms.
  • Experience supporting QC-1000, ISQM-1, SOX, SOC, ISO 27001, NIST CSF, or similar frameworks.

Personal Attributes

  • Strategic thinker with a practical approach to implementing risk-based solutions.
  • Skilled at influencing without authority across varied seniority levels and global regions.
  • Highly collaborative, proactive, detail-oriented, and solutions-focused.
  • Strong judgment, diplomacy, and decisiveness in high-impact risk discussions.




Required Experience:

Director


Key Skills

  • Category Management
  • Athletics
  • Customer
  • ABAP
  • Hydraulics
  • ITI

About Company


Today, Grant Thornton LLP is the U.S. member firm of Grant Thornton International Ltd, one of the world’s leading organizations of independent audit, tax and advisory firms. These firms help dynamic organizations unlock their potential for growth by providing meaningful, forward-looki ...
