Senior Consultant, Third Party Risk Management (TPRM)

You have a clear vision of where your career can go. And we have the leadership to help you get there. At CNA, we strive to create a culture in which people know they matter and are part of something important, ensuring the abilities of all employees are used to their fullest potential. 

The Senior Consultant, Third Party Risk Management (TPRM) is the front door for new third party engagements. This role co-leads the intake and review of net new vendors, serves as the liaison and “shepherd” across Business Leadership, Procurement, Legal, InfoSec and other stakeholders to create a seamless experience. The role is central to maintaining CNA’s standards for vendor onboarding and risk control throughout the lifecycle.

JOB DESCRIPTION:

Core Responsibilities

• Manage the intake and reviews for all net‑new vendors entering the organization; validate scope, data flows, service criticality, and inherent risk indicators at the point of request.
• Operate the intake workflow across Workday Strategic Sourcing (WSS) and ProcessUnity (PU); ensure requests are properly classified and routed.
• Collaborate with Procurement to align intake with sourcing milestones (RFP/RFI, contract negotiation)
• Produce Reporting metrics on intake volumes, SLA adherence, inherent risk distribution, and critical third party supplier activities.
• Apply a pragmatic triage model (e.g., exempt items; existing supplier/same scope; existing supplier/new scope; new supplier/new scope) to focus effort on where risk is highest and eliminate unnecessary reviews.

• Function as the liaison across Procurement, Legal, InfoSec/Tech Risk, Privacy, Business/Operational Resiliency, and Finance to orchestrate TPRM activities within the contracting process, ensuring a seamless and efficient stakeholder experience.

• Co-lead end‑to‑end risk assessments for high‑impact/new vendors: scoping, risk tiering (IRQ), due‑diligence review (DDQ), and control validation (remote or on‑site), with audit‑ready documentation.
• Coordinate reviews with SMEs (InfoSec, Compliance, Resiliency, Finance); synthesize control gaps and propose remediation, acceptance, or compensating controls in line with the TPRM policy.

• Provide coaching to business owners, managed service providers and vendors on completing questionnaires, evidence expectations, and timelines; handle escalations and sensitive assessments with discretion.
• Lead incremental workflow improvements in WSS/PU and support roadmap initiatives (e.g, Intake Optimization, IRQ refresh, scaled issue management, and risk‑intelligence integrations).

Qualifications

• 5-7+ years of experience in third-party/vendor risk, technology risk, or related fields with direct ownership of new vendor onboarding and ‑due diligence‑ assessments.
• Proven ability to operate at pace in a procurement‑driven environment, triaging high volumes and prioritizing new supplier/new scope engagements.
• Demonstrated experience coordinating across InfoSec, Legal, Privacy, Resiliency, Finance, and business stakeholders, translating policy expectations into practical contract terms and controls.
• Excellent written and verbal communication; executive‑caliber reporting and stakeholder management for high‑visibility vendors.

Things that set you apart…

• Certifications: CTPRP/CTPRA, CISA, CRISC, CISSP, or similar.
• Experience with risk‑intelligence platforms (e.g., Supply Wisdom, Black Kite) and AI‑assisted control/evidence evaluation capabilities.
• Background in insurance/financial services vendor governance or regulatory frameworks relevant to outsourcing, data protection, operational resilience

• Intake mastery - ability to quickly classify requests, separate exempt/low‑risk from high‑impact cases, and keep pipelines flowing without bottlenecks.
• Orchestration and influence: cross‑functional leadership and stakeholder alignment throughout contracting and onboarding; strong meeting facilitation.
• Tool fluency - ProcessUnity administration/usage and WSS intake routing; comfort with dashboards, SLAs/KPIs, and audit trails.
• Risk Judgment & Decisioning: Makes timely, defensible inherent risk determinations with clear rationale.
• Process Excellence: Builds and enforces standardized intake workflows, SLAs, and data quality checks.
• Stakeholder Partnership: Collaborates cross-functionally
• Detail Orientation: Catches gaps in scope, data during risk reviews.
• Systems & Data Literacy: Comfort with dashboards, forms, integrations, and vendor artifacts (SOC reports, SIG, CAIQ).
• Communication: Clear, concise, and business-friendly briefings and guidance.

In certain jurisdictions, CNA is legally required to include a reasonable estimate of the compensation for this role. In District of Columbia, California, Colorado, Connecticut, Illinois, Maryland, Massachusetts, New York and Washington, the national base pay range for this job level is $72,000 to $141,000 annually. Salary determinations are based on various factors, including but not limited to, relevant work experience, skills, certifications and location. CNA offers a comprehensive and competitive benefits package to help our employees – and their family members – achieve their physical, financial, emotional and social wellbeing goals.  For a detailed look at CNA’s benefits, please visit cnabenefits.com.

CNA is committed to providing reasonable accommodations to qualified individuals with disabilities in the recruitment process. To request an accommodation, please contact leaveadministration@cna.com.