Third-Party Risk Management Program Officer

Third-Party Risk Management Program Officer

Heritage Bank has an exciting opportunity to join our organization!

We are seeking a Third-Party Risk Management Program Officer to join our Risk and Compliance team. The third-party risk management program officer is responsible for the design, execution, and continuous improvement of the bank's third-party risk management program across the full vendor lifecycle, from onboarding through offboarding. Operating within the Second Line of Defense (2LoD), this role provides governance and oversight to ensure operational alignment of the bank's TPRM processes across Information Security, Legal, Procurement, Business Units, and Internal Audit.

This position is accountable for ensuring third-party risks, including cybersecurity, operational, compliance, reputational, and concentration risks, are appropriately identified, assessed, and monitored in alignment with regulatory expectations.

The geographical location for this position is Tacoma, WA, Seattle, WA, Spokane, WA, or Portland, OR.

Base Salary Range: $100,884.00 - $126,105.00 - $151,326.00 annual

The Role at a Glance:

• Leads and manages the Third-Party Risk Management (TPRM) Program, including development and continuous refinement of TPRM policies and procedures, risk tiering and segmentation models, risk rating methodologies, and vendor lifecycle control checkpoints.
• Ensures alignment of the TPRM program with enterprise risk management (ERM), information security, compliance, and legal frameworks.
• Oversees execution of inherent risk assessments, due diligence reviews, and control assessments across all third-party risk domains (cybersecurity, privacy, operational resilience, etc.).
• Ensures appropriate engagement of cross-functional subject matter experts (e.g., Information Security, Legal, Compliance) and that roles and responsibilities are clearly defined within established processes.
• Defines and maintains program tools, templates, escalation protocols, and residual risk acceptance processes.
• Integrates and aligns TPRM program with related programs (e.g., Vendor Management, procurement, Business Continuity Planning, Information Security Risk Assessments, Cloud Governance, AI/Model Risk).
• Establishes and tracks key risk indicators (KRIs).
• Provides executive-level reporting on third-party risk posture, program maturity, and systemic exposures (e.g., concentration risk, critical service dependency).
• Monitors and escalates open risk issues, overdue assessments, and policy exceptions.
• Serves as the primary contact for regulatory exams and internal/external audits related to third-party risk.
• Performs continuous monitoring of Critical and High risk third parties.
• Maintains audit-ready documentation, evidence of program execution, and continuous improvement roadmap.
• Monitors regulatory changes (e.g., OCC Bulletins, FFIEC updates, DORA, NYDFS, etc.) and updates program controls to align with evolving requirements.

Core Skills and Qualifications:

• Bachelor's degree in Business, Risk Management, Information Security or related field preferred.
• 5+ years of recent experience in a vendor risk management, third-party oversight, or enterprise risk program role within a financial services environment required.
• Proven experience leading the development, implementation, and ongoing management of an enterprise-scale third-party risk management program required.
• Professional certifications as Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), or equivalent preferred.
• Equivalent combination of education, training, certifications, and/or relevant work experience may be considered.
• Provide an exceptional level of service for internal and external customers, with the ability to build and maintain positive, professional relationships, to successfully interact with and influence all levels of management and functional and cross-functional areas across the organization.
• Highly effective listening, verbal, written, and telephone etiquette business communication skills, including effective questioning strategies, negotiation and presentation skills to communicate security-related concepts in a variety of settings, to a broad range of technical and non-technical staff. Ability to read, write, speak, and understand English well.
• Risk based mindset and strong analytical and critical thinking skills, with the ability to independently assess risk decisions and constructively challenge assumptions and conclusions.
• Thorough knowledge and understanding of regulatory frameworks (e.g. FFIEC, GLBA, PCI-DSS, SOX, FFIEC, HIPAA etc.) and of NIST CSF, ISO 27001, COBIT, COSO and vendor risk management frameworks.
• Strong knowledge of information security assessment and auditing practices, including the ability to evaluate technical and business controls using established frameworks and methodologies, and to effectively interpret results from security tools and subject matter expert assessments.
• Thorough knowledge and understanding of related statutory banking compliance regulations issued by the FDIC, FinCEN, and Federal Reserve Board, with strong knowledge of privacy laws, such as GLBA and SOX.
• Strong project management, planning, organizational, time management, and follow-up skills, demonstrating a strong sense of urgency and ability to execute quickly, timely and efficiently; independently ensuring that priorities are set and commitments and deadlines are met with minimal direction and oversight.
• Unquestionable integrity in handling sensitive and confidential information required.
• Proficient and advanced use and understanding of MS Office products (Word, Excel, Outlook), with the ability to adapt to and learn new technologies quickly.
• Proficient use and understanding of third-party risk management software (ex. UpGuard, Tandem, Gartner, etc.).

Work Environment/Conditions:

• Climate controlled office environment.
• Work involves being able to concentrate on the matter at hand, under sometimes distracting work conditions, and frequent employee and customer contacts and interruptions during the day.

Physical Demands/Effort:

• Work may involve the constant use of computer screens, reading of reports, and sitting throughout the day.
• Ability to operate a computer keyboard, multi-line telephone, photocopier, scanner and facsimile which often requires dexterity of hands and fingers with repetitive wrist and hand motion.
• Typically sitting at a desk or table; intermittently standing, stooping, bending at the waist, walking, climbing, kneeling or crouching to file materials.
• Occasional lifting up to 20 lbs. (files, boxes, etc.).

At Heritage Bank, we work hard, but we also know how important it is to take time off to stay healthy, relax, and spend time doing what makes your heart happy!

As part of our team, you'll enjoy a total rewards package, which includes base salary based on the role, experience, and skill set, along with an exceptional benefits package (medical, dental, vision, life insurance, 401(k), community volunteer time), and generous time off policy. Full-time team members receive a minimum of 10 paid vacation days annually* and eight hours of paid sick leave per month*, while also enjoying 11 paid holidays each calendar year, and an annual float day. *pro-rated from start date and/or hours worked.

Heritage Bank is an Equal Opportunity Employer

All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, age, protected veteran status, disability, or any other basis protected by applicable law.