Third Party Risk Lead - DORA

About Cigna Healthcare

Cigna Healthcare is a global health service company dedicated to transforming healthcare. With roots in the U.S. and operations in over 30 countries, we serve more than 180 million customers and patients worldwide. Ranked 13th on the Fortune 500 in 2025, Cigna is recognized as one of the most trusted and influential names in the industry.

Our mission is to improve the health, well-being, and peace of mind of those we serve.

Join our globally recognized brand, where trust, communication, and a positive culture are at the core of everything we do. Our leadership is consistent, approachable, and supportive-ensuring your well-being and work-life balance.

We're looking for individuals who thrive in collaborative environments, are passionate about meaningful change, and want to grow in a company that puts people first.

At Cigna, you'll be part of a purpose-driven team that values innovation, compassion, and impact. Whether you're shaping better care experiences or supporting customers through life's key moments, your work will matter.

Grow with us-and help shape the future of healthcare.

About the role

This role leads a risk-driven regulatory change programme to deliver and sustain DORA compliance for ICT third-party services (critical and non-critical suppliers). It translates regulatory expectations into a practical delivery roadmap, prioritised, sequenced and measurable, so outcomes land in BAU, not just in documentation. 

Accountable for end-to-end execution, the role drives progress across Technology, Procurement, Legal, Vendor Owners and Risk: managing competing priorities, dependencies and delivery risk, and removing blockers to maintain momentum in live BAU environments. This role should be comfortable making proportionate, risk-based decisions with incomplete information and progressing delivery as requirements and frameworks evolve; maintaining regulatory confidence through clear governance, timely escalation and audit-ready evidence. 

Key Outcomes 

• DORA-aligned Third-Party Risk Framework defined and embedded into BAU 

• Clear criticality classification and vendor tiering model 

• Defined roles and responsibilities across the 3 Lines of Defense 

• Effective vendor lifecycle management from onboarding through exit 

• Regulatory-ready evidence for audit and supervisory review 

Core Responsibilities 

1. Framework & Policy Definition 

• Lead delivery of the Third-Party Risk Framework aligned to DORA, ensuring it is implemented and embedded into BAU across functions 

• Drive delivery of criticality tiering and ICT service classification, aligning Technology, Vendor Owners, Procurement and Risk on decisions and dependencies 

• Operationalise proportionality rules for critical vs non-critical vendors to enable timely, risk-based decisions and consistent execution across the vendor lifecycle 

• Run governance and refresh cycles, tracking delivery progress, sequencing activity and managing dependencies to maintain regulatory confidence 

• Align and socialise roles and responsibilities across the 3 Lines of Defense to enable clear ownership, escalation paths and delivery execution 

2. Onboarding & Contracting Controls 

• Deliver pre-contract due diligence and ICT risk assessment standards, coordinating Technology, Vendor Owners, Procurement and Risk to meet milestones 

• Drive implementation of DORA-aligned contractual clauses and addendums, coordinating Legal and Procurement to resolve issues and keep delivery on track 

• Coordinate Technology, Vendor Owners, Procurement, Legal and Risk to manage dependencies, resolve blockers and drive onboarding and contracting outcomes 

• Embed differentiated onboarding requirements based on vendor criticality into BAU processes, ensuring consistent execution across functions 

3. Vendor Management & BAU Execution 

• Operationalise standard and enhanced vendor management task sets, aligning Technology, Vendor Owners and Risk on execution expectations and timelines 

• Drive periodic reassessment of vendor criticality, aligning Technology, Vendor Owners and Risk on risk-based decisions and resulting actions 

• Coordinate delivery of resilience testing and exit planning for critical ICT suppliers, managing dependencies across Technology, Vendor Owners, Procurement and Risk 

4. Reporting, Governance & Regulatory Readiness 

• Deliver programme reporting to governance and executive forums, providing clear progress, risks, dependencies and decisions required 

• Coordinate regulatory engagement and audit activity, ensuring timely delivery of evidence and remediation actions across stakeholders 

• Provide pragmatic DORA third party risk expertise to resolve ambiguity, enable decisions and keep delivery moving 

Skills & Experience Required 

Essential: 

• Proven Third Party / Vendor Risk Management experience, delivering improvements across the end-to-end vendor lifecycle 

• Strong understanding of ICT third party risk and controls, with ability to drive consistent execution across onboarding, contracting and BAU oversight 

• Experience delivering complex regulatory change in regulated environments, with clear ownership of milestones, dependencies and outcomes 

• Strong GRC capability, focused on turning requirements into operational controls, evidence and measurable BAU outcomes 

• Experience interpreting and applying regulatory requirements in a pragmatic, risk-based way to maintain regulatory confidence 

• Proven ability to operationalise regulatory requirements into BAU, driving delivery plans, sequencing activity and managing cross-functional dependencies 

• Strong stakeholder management and influencing skills, able to deliver outcomes through Technology, Procurement, Legal, Vendor Owners and Risk without formal authority 

Why You'll Love Working here

• Competitive salary

• Multicultural and hybrid working environment

• Private Medical Insurance

• Employee Wellbeing Benefits

• Educational Development Program