
Program Lead, Third Party Risk and Resilience Management

Job in Tucson, Pima County, Arizona, 85704, USA
Listing for: Hoffmann-La Roche Ltd
Full Time position
Listed on 2026-06-12
Job specializations:
  • IT/Tech
    Cybersecurity, IT Consultant, IT Project Manager, IT Support
Job Description & How to Apply Below
At Roche you can show up as yourself, embraced for the unique qualities you bring. Our culture encourages personal expression, open dialogue, and genuine connections, where you are valued, accepted and respected for who you are, allowing you to thrive both personally and professionally. This is how we aim to prevent, stop and cure diseases and ensure everyone has access to healthcare today and for generations to come.

Join Roche, where every voice matters.

The Position

A healthier future. It's what drives us to innovate. To continuously advance science and ensure everyone has access to the healthcare they need today and for generations to come. Creating a world where we all have more time with the people we love. That's what makes us Roche.

The Program Lead for Third Party Risk and Resilience Management establishes and maintains a robust governance framework for all Offshore Development Centers (ODCs), bridging R&D innovation requirements with Global IT security, infrastructure, and compliance standards. This leader ensures ODCs function as strategic extensions of Roche's R&D engine while maintaining zero major IT compliance breaches, and guides vendors during ODC setup to ensure full compliance with Roche Security standards.

* Compliance of all ODC setups and ongoing operations

* Ensure alignment on scope, methodologies, processes at the nexus of R&D organization, Global procurement, and IT

* Elimination of governance gaps and friction points between R&D and IT

* Implementation of standardized, global ODC management framework across business units

* Security risks, incidents, and incident/change/problem management processes at ODC sites

* Strategic positioning of ODCs as value creators rather than cost centers

The Opportunity

* Determine ODC necessity based on country risk and data sensitivity

* Initiate new ODC setups, coordinate vendor office space establishment, and guide vendors on Roche Security standards

* Conduct Security Risk Assessment (SRA) and Data Classification Review (DCR) for all services and applications

* Identify services unsuitable for external business partners and escalate to product/service owners or DSM for remediation

* Create, review, and maintain ODC Manuals, Impact Assessments, and Security Control Tables

* Periodically review and update impact assessment documents to remove retired services

* Ensure compliance with legal requirements (GDPR, CCPA) and Roche security protocols

* Act as the owner for role-specific training curricula

* Ensure training compliance for all external personnel by verifying mandatory security and role-specific requirements are met prior to system access.

* Accountable for the systematic tracking and enforcement of training completion for vendor resources, leveraging the Roche Training Solution system

* Approve all ODC changes including staff assignments, project onboarding, and service modifications

* Manage ServiceNow requests for infrastructure (NAS storage, VD/VDI creation/updates, application packaging)

* Identify VSA requirements and maintain vendor security/privacy capabilities throughout ODC lifecycle

* Ensure security audits completed prior to service commencement and conduct periodic audits

* Conduct assessments when major changes occur (new projects with higher security needs)

* Track and remediate audit findings with vendors

* Ensure mandatory notifications are formally integrated into processes (e.g., GSP) for all new vendor collaborations

* Coordinate dedicated VDI planning with Citrix when default environments cannot support daily tasks

* Optimize virtual desktop and application virtualization to reduce VDI requirements

* Manage port opening for DIA, RDI, VDIs, and coordinate VDI creation

* Collaborate with Network, Perimeter, and Citrix teams on connectivity and URL whitelisting

* Ensure Business Partner Organization (BPO) approvals for applications, systems, URLs, RDP/SSH access

* Populate and verify application inventories, URLs, and RDP/SSH server lists for Smart Web and virtual environments

* Add users to ODC groups and implement access restrictions or policies as required

* Lead ODC Security Incident Management with timely identification, escalation, and…