Senior Manager, Third-Party Risk Management (TPRM)

Senior Manager, Third Party Risk Management (TPRM)

Hagerty is a company built by drivers for drivers. We put our members at the center of everything we do and are dedicated to making it easier and more enjoyable for enthusiasts to drive and celebrate the machines they love. We're proud to be the world's largest insurer of collectible and enthusiast vehicles and are home to the Hagerty Drivers Club, the world's largest car club. Our Marketplace business presents live and digital sales across the U.S. and Europe, we host a number of driving events and concours, and our award-winning automotive journalists produce the most popular car magazine globally, alongside internationally awarded videos. We're committed to Never Stop Driving. Ready to get in the driver's seat? Join us!

The Senior Manager, Third Party Risk Management (TPRM) Policy is a key leadership role embedded within Hagerty's Enterprise Procurement & TPRM function. This position is responsible for building and stewarding a robust third-party risk governance framework that protects Hagerty from vendor-related operational, financial, regulatory, and reputational exposure—while enabling the business to move at speed with the right partners.

Sitting within Enterprise Procurement, this role is uniquely positioned at the intersection of sourcing decisions and risk governance. The Senior Manager will own TPRM policy end-to-end, integrate risk discipline into the full vendor lifecycle, and serve as the connective tissue between Procurement, Enterprise Risk Management, Legal, IT/Security, and business stakeholders. The ideal candidate combines policy expertise with a practical, business-enabling mindset – someone who knows that good risk management doesn't slow deals down; it makes them better.

What You'll Do

Policy Ownership & Governance

• TPRM policy development: Own, author, and maintain Hagerty's enterprise wide Third Party Risk Management policy, standards, and procedures, ensuring alignment with regulatory requirements, industry frameworks (e.g., NIST CSF, ISO 27001, COBIT), and Hagerty's risk appetite.
• Policy lifecycle management: Lead scheduled and event-driven policy reviews, updating documentation in response to changes in regulation, business strategy, technology, or the vendor landscape.
• Framework integration: Align TPRM policy with adjacent governance frameworks including information security, business continuity, data privacy, and enterprise risk management—ensuring consistency without duplication.
• Regulatory compliance: Ensure TPRM policies meet applicable state and federal insurance regulations, NAIC model law requirements, and any contractual or audit-driven obligations.
• Exception management: Design and administer a formal policy exception process, documenting risk acceptance decisions with appropriate stakeholder sign-off.

Vendor Lifecycle Risk Integration

• Risk-tiered due diligence: Design and embed a risk tiering methodology into Hagerty's sourcing and onboarding process, ensuring the level of pre-contract due diligence is calibrated to the risk profile of each vendor.
• Onboarding & contracting: Partner with Enterprise Procurement and Legal to ensure vendor contracts include appropriate risk and compliance provisions—covering data protection, business continuity, audit rights, and termination for cause.
• Ongoing monitoring: Oversee a structured program of periodic reassessments, performance reviews, and continuous monitoring activities for active third parties, with heightened attention to critical and high-risk vendors.
• Offboarding controls: Establish standards for vendor offboarding that protect Hagerty's data, systems, and operational continuity at contract termination.
• Supplier relationship management program: Maintain a register of critical and high-risk third parties, coordinate enhanced oversight activities and reviews, and ensure concentration risks are visible to senior leadership.

Procurement Partnership & Business Enablement

• Embedded risk advisory: Function as the day-to-day risk advisor to the Enterprise Procurement team, providing guidance during sourcing events, RFP evaluation, negotiation, and contract execution.
• Risk-informed sourcing: Bring third party risk considerations into category strategies and sourcing decisions early—helping the business identify and mitigate risk before commitments are made.
• Business unit advisory: Serve as a trusted TPRM resource for business unit stakeholders who engage vendors directly, ensuring consistent application of policy across the organization and active participation in supplier business reviews.
• Training & enablement: Design and deliver TPRM training for Enterprise Procurement staff and business-facing teams, building risk literacy and practical policy compliance across all vendor-facing roles.

Reporting, Audit & Program Maturity

• Executive reporting: Develop and present TPRM program dashboards, key risk indicators (KRIs), and risk trend analysis to the VP of Enterprise Procurement, ERM leadership, and Risk Committee audiences as appropriate.
• Audit & regulatory examination support: Serve as Enterprise Procurement's primary point of contact for internal audit and external regulatory examiners on TPRM policy, controls, and evidence.
• Issue & remediation tracking: Identify, document, and drive resolution of risk findings and gaps across the third party portfolio, escalating as needed to senior stakeholders.
• Program maturity roadmap: Build and execute a multi-year TPRM maturity roadmap aligned to Hagerty's growth trajectory, digital transformation, and evolving risk environment.
• GRC tooling: Lead or support the evaluation and implementation of TPRM software and GRC platforms to automate assessments, centralize vendor data, and improve reporting efficiency.

This might describe you

• Proven, progressive experience in third party risk management, vendor management, procurement risk, compliance, or enterprise risk—including experience in a policy ownership or program leadership role.
• Demonstrated expertise in TPRM framework design and policy writing, including risk tiering, due diligence program management, and vendor lifecycle controls.
• Strong knowledge of applicable regulatory and compliance frameworks, including insurance industry regulations, NAIC guidelines, state privacy laws, and standards such as NIST CSF, SOC 2, and ISO 27001.
• Experience working directly within or alongside a Procurement or Strategic Sourcing function, with an understanding of sourcing processes, contract structures, and supplier relationship management.
• Proven ability to influence senior stakeholders and drive alignment across cross-functional teams without direct authority.
• Exceptional written and verbal communication skills, with a track record of producing high-quality policy documents and presenting risk topics clearly to executive audiences.

Over and above

• Prior experience in the insurance or financial services industry, with direct familiarity with NAIC model laws and state insurance department examination processes.
• Professional certifications such as CRISC, CTPRP, CISA, CISM, CPM, or equivalent risk or procurement credentials.
• Hands-on experience implementing or administering a GRC or TPRM platform (e.g., Archer, ServiceNow GRC, ProcessUnity, Venminder, Coupa Risk Assess).
• Experience supporting or leading regulatory examinations or internal audits related to vendor management or operational risk.
• Bachelor's degree in Risk Management, Business, Supply Chain, Finance, Information Systems, or a related field.

Other things to note

• This position is open to U.S. remote work. However, team members who reside within 20 miles of the Traverse City headquarters will follow a hybrid schedule, working from the office three days per week.
• Familiarity with public company requirements, including Sarbanes Oxley and key regulations, if applicable. For SOX compliant roles, responsible for designing, executing, and documenting internal controls where they have been identified as owners to prevent errors in financial reporting, processes, and business operations. Including attestation to the completeness, accuracy, and compliance of all financial reporting data, where applicable.

If you reside in the following jurisdictions: Illinois, Colorado, California, District of Columbia, Hawaii, Maryland, Minnesota, Nevada, New York, or Jersey City, New Jersey, Cincinnati or Toledo, Ohio, Rhode Island, Washington, British Columbia, Canada please email View email address on click.appcast.io for compensation, comprehensive benefits and the perks that set us apart.

At Hagerty, we share the road. We are an inclusive automotive community where all are welcomed, valued and belong regardless of race, gender, age, or car preference. We are united by our shared passion for driving, our commitment to preserve car culture for future generations and our desire to make a positive impact in the world.