Third-Party Risk Management Program Officer

Heritage Bank has an exciting opportunity to join our organization! We are seeking Third-Party Risk Management Program Officer to join our Risk and Compliance team. The third-party risk management program officer is responsible for the design, execution, and continuous improvement of the bank's third-party risk management program across the full vendor lifecycle, from onboarding through offboarding. Operating within the Second Line of Defense (2

LoD), this role provides governance and oversight to ensure operational alignment of the bank's TPRM processes across Information Security, Legal, Procurement, Business Units, and Internal Audit. This position is accountable for ensuring third-party risks, including cybersecurity, operational, compliance, reputational, and concentration risks, are appropriately identified, assessed, and monitored in alignment with regulatory expectations. The geographical location for this position is Tacoma, WA, Seattle, WA, Spokane, WA, or Portland, OR.

Base Salary Range: $ - $ - $ annual

The Role at a Glance:
Leads and manages the Third-Party Risk Management (TPRM) Program, including development and continuous refinement of TPRM policies and procedures, risk tiering and segmentation models, risk rating methodologies, and vendor lifecycle control checkpoints. Ensures alignment of the TPRM program with enterprise risk management (ERM), information security, compliance, and legal frameworks. Oversees execution of inherent risk assessments, due diligence reviews, and control assessments across all third-party risk domains (cybersecurity, privacy, operational resilience, etc.).

Ensures appropriate engagement of cross-functional subject matter experts (e.g., Information Security, Legal, Compliance) and that roles and responsibilities are clearly defined within established processes. Defines and maintains program tools, templates, escalation protocols, and residual risk acceptance processes. Integrates and aligns TPRM program with related programs (e.g., Vendor Management, procurement, Business Continuity Planning, Information Security Risk Assessments, Cloud Governance, AI/Model Risk).

Establishes and tracks key risk indicators (KRIs). Provides executive-level reporting on third-party risk posture, program maturity, and systemic exposures (e.g., concentration risk, critical service dependency). Monitors and escalates open risk issues, overdue assessments, and policy exceptions. Serves as the primary contact for regulatory exams and internal/external audits related to third-party risk. Performs continuous monitoring of Critical and High risk third parties.

Maintains audit-ready documentation, evidence of program execution, and continuous improvement roadmap. Monitors regulatory changes (e.g., OCC Bulletins, FFIEC updates, DORA, NYDFS, etc.) and updates program controls to align with evolving requirements. Core Skills and

Qualifications:

Bachelor’s degree in Business, Risk Management, Information Security or related field preferred. 5+ years of recent experience in a vendor risk management, third-party oversight, or enterprise risk program role within a financial services environment required. Proven experience leading the development, implementation, and ongoing management of an enterprise-scale third-party risk management program required. Professional certifications as Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), or equivalent preferred.

Equivalent combination of education, training, certifications, and/or relevant work experience may be considered. Provide an exceptional level of service for internal and external customers, with the ability to build and maintain positive, professional relationships, to successfully interact with and influence all levels of management and functional and cross-functional areas across the organization. Highly effective listening, verbal, written, and telephone etiquette business communication skills, including effective questioning strategies, negotiation and presentation skills to communicate security-related concepts in a variety of settings, to a broad range of technical and non-technical staff.

Ability to read, write, speak, and understand English well. Strategic in approach to program design, problem solving, and decision-making, with demonstrated ability to quickly focus on key issues and make decisions under pressure of time constraints. Risk based mindset and strong analytical and critical thinking skills, with the ability to independently assess risk decisions and constructively challenge assumptions and conclusions.

Thorough knowledge and understanding of regulatory frameworks (e.g. FFIEC, GLBA, PCI-DSS, SOX, FFIEC, HIPAA etc.) and of NIST CSF, ISO 27001, COBIT, COSO and vendor risk management frameworks. Strong knowledge of information security assessment and auditing practices, including the ability to evaluate technical and business controls using established frameworks and…