Third-Party Risk Management Program Officer
Listed on 2026-06-18
IT/Tech
Cybersecurity, Information Security
Heritage Bank is seeking a Third-Party Risk Management Program Officer to join the Risk and Compliance team. The officer will design, execute, and continuously improve the bank’s third‑party risk management program across the full vendor lifecycle, from onboarding through offboarding.
The role operates within the Second Line of Defense (2LoD) and provides governance and oversight to ensure operational alignment of the bank’s third‑party risk management processes across Information Security, Legal, Procurement, Business Units, and Internal Audit.
Key responsibilities include ensuring third‑party risks—cybersecurity, operational, compliance, reputational, and concentration risks—are appropriately identified, assessed, and monitored in alignment with regulatory expectations.
Geographic locations:
- Tacoma, WA
- Seattle, WA
- Spokane, WA
- Portland, OR
Base Salary Range: $ - $ - $ annual
The Role at a Glance
- Leads and manages the Third-Party Risk Management (TPRM) Program, including development and continuous refinement of policies, procedures, risk tiering, segmentation models, risk rating methodologies, and vendor lifecycle control checkpoints.
- Ensures alignment of the TPRM program with enterprise risk management (ERM), information security, compliance, and legal frameworks.
- Oversees execution of inherent risk assessments, due diligence reviews, and control assessments across all third‑party risk domains (cybersecurity, privacy, operational resilience, etc.).
- Ensures appropriate engagement of cross‑functional subject matter experts and that roles and responsibilities are clearly defined within established processes.
- Defines and maintains program tools, templates, escalation protocols, and residual risk acceptance processes.
- Integrates and aligns TPRM program with related programs (Vendor Management, procurement, Business Continuity Planning, Information Security Risk Assessments, Cloud Governance, AI/Model Risk).
- Establishes and tracks key risk indicators (KRIs).
- Provides executive‑level reporting on third‑party risk posture, program maturity, and systemic exposures (e.g., concentration risk, critical service dependency).
- Monitors and escalates open risk issues, overdue assessments, and policy exceptions.
- Serves as the primary contact for regulatory exams and internal/external audits related to third‑party risk.
- Performs continuous monitoring of Critical and High risk third parties.
- Maintains audit‑ready documentation, evidence of program execution, and continuous improvement roadmap.
- Monitors regulatory changes (OCC Bulletins, FFIEC updates, DORA, NYDFS, etc.) and updates program controls to align with evolving requirements.
Skills and Qualifications
- Bachelor’s degree in Business, Risk Management, Information Security or related field preferred.
- 5+ years of recent experience in vendor risk management, third‑party oversight, or enterprise risk program role within a financial services environment required.
- Proven experience leading the development, implementation, and ongoing management of an enterprise‑scale third‑party risk management program.
- Professional certifications such as CISA, CRISC, or equivalent preferred.
- Equivalent combination of education, training, certifications, and/or relevant work experience may be considered.
- Exceptional service orientation for internal and external customers, with ability to build and maintain positive, professional relationships across all levels of management and functional areas.
- Highly effective listening, verbal, written, and telephone etiquette with strong questioning, negotiation, and presentation skills.
- Strategic approach to program design, problem solving, and decision‑making with ability to focus on key issues under time pressure.
- Risk‑based mindset with strong analytical and critical thinking skills; ability to independently assess risk decisions and challenge assumptions.
- Comprehensive knowledge of regulatory frameworks (FFIEC, GLBA, PCI‑DSS, SOX, HIPAA, etc.) and standards (NIST CSF, ISO 27001, COBIT, COSO, vendor risk management frameworks).
- Strong knowledge of information security assessment, auditing practices, and ability to…