Senior Third Party Risk Associate

Rush University Medical Center
Chicago, US
On-site

Job Description

Location: Chicago, Illinois

Business Unit: Rush Medical Center

Hospital: Rush University Medical Center

Department: Cybersecurity Operations

Work Type: Full Time (Total FTE between 0.9 and 1.0)

Shift: Shift 1

Work Schedule: 8 Hr (8:00:00 AM - 4:30:00 PM)

Rush offers exceptional rewards and benefits; learn more at our Rush benefits page (https://www.rush.edu/rush-careers/employee-benefits).

Pay Range: $38.07 - $56.73 per hour

Rush salaries are determined by many factors including, but not limited to, education, job-related experience and skills, as well as internal equity and industry specific market data. The pay range for each role reflects Rush’s anticipated wage or salary reasonably expected to be offered for the position. Offers may vary depending on the circumstances of each case.

Summary

The Senior Third Party Risk Associate leads complex vendor risk assessments and supports the maturation of the organization’s Third Party Risk Management (TPRM) program. This role evaluates higher-risk engagements, provides subject matter expertise on risk mitigation strategies, mentors junior analysts, and collaborates with cross-functional teams to enhance governance, risk, and compliance (GRC) processes. The Senior Associate ensures that risk evaluation activities are executed consistently and effectively, while providing strategic insights to strengthen the overall risk posture of the organization.

Responsibilities

  • Lead complex and high-risk third party risk assessments by facilitating questionnaires and evaluating SOC 2 reports, certifications, data handling practices, and regulatory or contractual requirements.
  • Provide guidance to business owners on identified risks and recommended remediation actions, managing escalations involving elevated vendor risks or unresolved control gaps.
  • Review and validate the assessment work of junior analysts to ensure accuracy, consistency, and alignment with TPRM methodology.
  • Collaborate with Procurement, Legal, Privacy, and Information Security GRC to integrate risk requirements throughout vendor selection, contracting, and ongoing oversight.
  • Enhance TPRM questionnaires, scoring models, templates, and monitoring processes to improve program consistency and effectiveness.
  • Configure, optimize, and maintain the TPRM toolset to support program maturity and ensure assessment workflows, questionnaires, and automation remain effective.
  • Create, update, and maintain TPRM procedure documents, guidance materials, and standardized operating processes to ensure consistency across the team.
  • Produce and present monthly TPRM program metrics, highlighting key trends, vendor risk changes, and assessment throughput for leadership visibility.
  • Lead or support program-level initiatives such as audit requests, regulatory inquiries, and cross-functional GRC projects that require senior-level judgment and coordination.

Required Qualifications

  • Bachelor’s Degree in Information Systems, Business, Cybersecurity, Risk Management, or a related field.
  • 4–6 years of experience in Third Party Risk Management, Vendor Risk, GRC, Compliance, or Audit functions.
  • Demonstrated ability to review and interpret SOC reports, certifications, security policies, and other third party assurance documentation.
  • Strong understanding of risk management principles, regulatory considerations, and industry frameworks relevant to third party oversight (e.g., SOC 2, ISO 27001, NIST).
  • Proven experience communicating complex risk issues to business stakeholders and providing clear recommendations.
  • Ability to lead or validate assessment activities performed by other analysts while ensuring consistency with program methodology.
  • Strong analytical, documentation, and problem-solving skills with the ability to prioritize multiple concurrent assessments.
  • Proficiency with Microsoft Office Suite and familiarity with GRC or TPRM tools and platforms.

Preferred Qualifications

  • Certifications such as CTPRP (Shared Assessments) or the TPRA Certification (Third Party Risk Association) demonstrating advanced, specialized expertise in Third Party Risk Management.
  • Broader governance or audit-aligned certifications such as CISA (ISACA) or CISM (ISACA) to support cross-functional collaboration and deeper risk understanding.

Rush is an equal opportunity employer. We evaluate qualified applicants without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, veteran status, and other legally protected characteristics.

Position

Sr Third Party Risk Associate

Location

US:IL:Chicago

Skills & Requirements

Technical Skills

Third Party Risk Management, Vendor Risk, GRC, Compliance, Audit, SOC 2, ISO 27001, NIST, CISA, CISM, healthcare, cybersecurity

Salary

$73+ / hour

Employment Type

FULL TIME

Level

mid

Posted

4/3/2026
