Third-Party Risk Sourcing Manager

About the Role:

We are looking for a Third-Party Risk Sourcing Manager to join our Strategic Sourcing team, reporting directly to the Executive Director, Strategic Sourcing. You will lead our daily third-party risk due diligence efforts, collaborating with departments like Technology, and Legal to address risks across a range of domains.

You will oversee sourcing enablement services, intake operations, policy implementation, and automation, to support tail-spend sourcing programs. You will focus on coaching and work allocation, with limited direct people leadership responsibilities. We operate under a hybrid remote/in-office policy, requiring three days per week in our New York City office and two days remote.

Responsibilities:

Third-Party Risk Management

• Perform initial reviews for low/medium-risk vendors. During these reviews, you will examine evidence to identify gaps and residual risk. This evidence includes SIG/SIG Lite, CAIQ, SOC 2 Type II, ISO 27001, PCI SAQ/AoC, DPAs, BC/DR, and VAPT summaries. Evaluate and escalate high-risk vendors to internal subject matter experts and coordinate mitigation actions and follow up.
• Lead time-bound risk review meetings and escalations with subject matter experts. You will maintain using risk guides, document decisions and risk acceptance, coordinate mitigations, and track remediation to closure.
• Manage Third-Party Risk Management (TPRM) inventory and assessment Service level agreements. You will support incident response and vendor issue management. Additionally, you will process metrics involving publishing dashboards that track cycle time, backlog age, assessments, and remediation closure, and delivering partner training.

Source Enablement

• Tail-spend sourcing: Increase delivery velocity with risk-appropriate approaches; apply guides, informal RFx, and negotiation strategies.
• Intake/help desk: Serve as the front door for sourcing requests; maintain Service level agreements, and measure requester satisfaction.
• Efficient Contracting: use standard templates and establish fallback positions to manage Legal escalations.
• Enablement and continuous improvement: Improve adoption of Sourcing templates, and guides; refine Sourcing intake workflows to apply risk-appropriate effort.
• AI-assisted workflows: Design and operationalize AI-assisted processes (with guardrails) for Sourcing tasks.
• Demonstrate support and understanding of our value of journalistic independence and a commitment to our mission to seek the truth and help people understand the world.

Basic Qualifications:

• 5+ years of experience in third-party risk management, vendor risk, IT risk, or adjacent governance roles, with hands-on due diligence and assessment experience.
• Proficiency in reviewing vendor security/privacy evidence.
• Familiarity with contractual terms in procurement, including limitation of liability, indemnities, confidentiality and Service Level Agreements.
• Knowledge of TPRM systems (e.g., ProcessUnity, Navex, Whistic) and intake-to-pay systems (preferably Zip).
• Understanding of external ratings from providers like BitSight, SecurityScorecard, and others.
• Familiarity with frameworks is important. These include the National Institute of Standards and Technology Cybersecurity Framework, ISO 27001/27701, SOC 2, and PCI DSS. Additionally, knowledge of privacy regulations is necessary, such as the General Data Protection Regulation and California Privacy Rights Act.
• Experience managing queues against Service level agreements and prioritizing trade-offs.
• Bachelor's degree or equivalent practical experience.

Preferred Qualifications:

• 5+ years of Experience in Financial Services, or other regulated sectors.
• CTPRP, CRISC, or relevant security/risk certificates.

#LI-Hybrid

REQ-019303

The New York Times Company is committed to being the world’s best source of independent, reliable and quality journalism. To do so, we embrace a diverse workforce that has a broad range of backgrounds and experiences across our ranks, at all levels of the organization. We encourage people from all  backgrounds to apply.

We are  an Equal Opportunity Employer and do not discriminate on the basis of an individual's sex, age, race, color, creed, national origin, alienage, religion, marital status, pregnancy, sexual orientation or affectional preference, gender identity and expression, disability, genetic trait or predisposition, carrier status, citizenship, veteran or military status and other personal characteristics protected by law. All applications will receive consideration for employment without regard to legally protected characteristics.  The U.S. Equal Employment Opportunity Commission (EEOC)’s Know Your Rights Poster is available here. 

The New York Times Company will provide reasonable accommodations as required by applicable federal, state, and/or local laws. Individuals seeking an accommodation for the application or interview process should email reasonable.accommodations@nytimes.com. Emails sent for unrelated issues, such as following up on an application, will not receive a response.

The Company encourages those with criminal histories to apply, and will consider their applications in a manner consistent with applicable "Fair Chance" laws, including but not limited to the NYC Fair Chance Act, the Los Angeles Fair Chance Initiative for Hiring Ordinance, the San Francisco Fair Chance Ordinance, the Los Angeles County Fair Chance Ordinance for Employers, and the California Fair Chance Act.

For information about The New York Times' privacy practices for job applicants click here.

Please beware of fraudulent job postings. Scammers may post fraudulent job opportunities, and they may even make fraudulent employment offers. This is done by bad actors to collect personal information and money from victims. All legitimate job opportunities from The New York Times will be accessible through The New York Times careers site. The New York Times will not ask job applicants for financial information or for payment, and will not refer you to a third party to do so. You should never send money to anyone who suggests they can provide employment with The New York Times.

If you see a fake or fraudulent job posting, or if you suspect you have received a fraudulent offer, you can report it to The New York Times at NYTapplicants@nytimes.com. You can also file a report with the Federal Trade Commission or your state attorney general.