CareFirst Careers

Third Party Risk Management Manager - Hybrid

This job posting is no longer active

Resp & Qualifications


The Integrated Risk Management (IRM) department is responsible for the education, empowerment, and governance of business owners in identifying and managing enterprise and operational risks, including Medicare and Medicaid, in a consistent and integrated manner.  IRM, facilitated by the Integrated Compliance teams and business owners across the enterprise, establishes frameworks for effectuating consistency within enterprise and operational risk management.  The Third-Party Risk Management (TPRM) Program is a key component of the IRM department.  TPRM is responsible for providing enterprise-wide services, including an operating model, policies, procedures, governance, and Risk Management Programs for all third parties with whom CareFirst conducts business, including First Tier Downstream and Related Entities (FDRs).  TPRM has been established to respond to, and adhere to, new and existing regulatory guidelines and initiatives enabling CareFirst to effectively assess and manage the risk introduced by engaging with third parties.  The TPRM Manager will support TPRM by facilitating assessment of third parties (both self-assessments and end-to-end independent assessments), providing governance of third-party services and controls, as well as providing support, tools and education to third party accountable executives.  CareFirst has 1000+ third party relationships which present risk to the organization.  The TPRM Manager through oversight and implementation of the TPRM Program will provide awareness, education, and governance to management across the enterprise to effectively manage the risk provided by these third parties.   


Oversight, Planning and Execution of Third-Party Assessments

Oversee, guide and mentor Third Party Risk staff in the completion of third-party assessments. Lead oversight of activities for planning and executing end-to-end third party assessments to ensure the adequacy of controls in place to safeguard the organization, including: identifying third party services and business owners; mapping services to business process taxonomy and systems inventory; documenting process flows and reconciling services performed to the contract; defining assessment scope and establishing a test plan; executing test plan and issuing an assessment report including remediation plans for issues identified; and driving remediation of issues identified, gathering evidence to support remediation, and reporting on progress of remediation through to completion. Manage use of co-source partner to facilitate third party assessments, including review of deliverables and ensuring consistency is maintained with established CareFirst methodology and requirements. Facilitate self-directed assessments with third party accountable executives, including: identifying third party key stakeholders, services provided and related third party metadata (e.g., Areas of Risk, Partner Segment, Business Associate Agreement, Data Use Agreement); deliver awareness and training materials to management; facilitate assessment to identify awareness opportunities and risks for further review/assessment. Maintain documentation in an organized and re-performable fashion, including leveraging the Governance Risk and Compliance (GRC) tool and repository (e.g. Compliance 360 and SharePoint). Develop teamwork and synergies among staff personnel throughout the organization working closely with subject matter resources (SMRs), embedded compliance functions, and third party managers across the enterprise.

TPRM GRC Tool Maintenance

Throughout assessments, identify and maintain a repository of best practices and tools/accelerators related to Third Party Risk Management. Utilize expertise to identify evolving risks and threats pertaining to third parties and provide in-depth understanding of if, how, and when the risks/threats should be addressed. Develop training and awareness materials to deliver to third party managers across the enterprise. Lead training and awareness sessions to convey best practices, lessons learned, and pervasive issues identified as it pertains to third party risk management.

Support the Maturity of the Third Party Risk Management Program

Establish and maintain close working relationships with third party accountable executives and managers. Identify third parties with access to sensitive customer data. Map the relationships between third parties and internal business owners to identify internal stakeholders. Refine the internal framework for assessment, including standardized measures which ensure that third-party data protection, privacy, and access control practices meet internal requirements. Evaluate and assess third party criticality and review changes in the scale and scope of services contracted with the third party for impact. Confirm ongoing roles, responsibilities and persons involved with the third party. Provide periodic reports to management and stakeholders. Manage, monitor, and track third party compliance with the Third-Party Risk Management Program; evaluate and execute recommendations for improvement where appropriate. Lead continuous monitoring and improvement activities to assure continued refinement and compliance of third-party risk management assessments and practices across the enterprise. Be a catalyst for change, leading staff across the enterprise to welcome and accept change with minimum anxiety. Maintain a high level of knowledge of technological changes, new technology, assessment issues, risk management best practices, and third party modifications, and incorporate them into TPRM. Provide consulting and advisory services, best practices and change leadership to drive continuous improvement to internal processes and controls.

Program Management, Leadership and Development

Manages the full project management life cycle and software development life cycle for the implementation of highly complex, large scale, strategic IT and Business initiatives. Implements established policies, system monitors and controls to ensure the successful management and reporting of all initiatives in the Program. Supervises and leads the program and project staff to oversee the impacts and interdependencies between programs and works to ensure initiatives meet the CareFirst goals and objectives of the executive leadership team.  Perceived by peers and staff as a leader. Serves as subject matter resource, providing technical, business, and analytical guidance to the program and project teams. Works with Technical and Business areas to provide support and coordination to ensure adoption of new systems and business processes in the CareFirst environment. Manages contracts and vendors assigned to projects included in the assigned program(s). Manages and directs multiple medium to large-scale projects that may not fit into a defined program. Works on complex problems where analysis of situation or data requires an in-depth evaluation of various factors to achieve best results. Exercises judgment within broadly defined policies and practices to develop corporate-wide methods and techniques. Works effectively with internal and external clients, third party vendors, and Senior Management in accomplishing project objectives. Evaluates complex situations accurately and identifies viable solutions that create successful outcomes for the customer. Develops and maintains lessons-learned inputs in the project repository for utilization on future projects. Collaborates with the finance department and various functional managers to ensure project budgets are properly estimated and controlled; provide overall financial recommendations and develop controls and measurements to monitor progress. 
Provides Finance with monthly accruals and forecasts by the due date established by Finance using the tools developed by Finance/PMO. Maintains current statements of work for all contractors; tracks and approves contractor invoices in a timely manner. Provides regular updates to the project sponsor and stakeholders on the status of the budget. Documents reasons for budget excess or shortfall. Resolves political, resource, budgeting, change, and legal issues affecting the program. Acts as administrator of the GRC tool/repository maintained for assessment reports, findings, recommendations, evidence, tools, and accelerators. Develops and trains staff for purposes of performing assessments and learning CareFirst processes and controls. Responsible for leading staff in adequately performing assessments in accordance with TPRM methodology. Maintains accountability for the accuracy of information maintained within the GRC tool/repository. Maintains responsibility for timely escalation of identified concerns to the Third-Party Risk Manager.

Staff Management

Supervises and leads a team of direct and indirect reports (associates; contractors; vendor staff) consisting of: Auditors, Project Management Staff (Sr. Project Managers, Project Managers, Project Controllers/Coordinators), Budget Analysts, Contractor Staff and Vendor Staff (team size will vary by approved initiatives); and IT and Business Directors, Managers, and other program staff in a matrix model. Supervises Vendors/Contractors based on project needs against a Contract and Statement of Work, against a set of deliverables and defined payment milestones. Reviews staffing goals and expectations to ensure that each is consistent and adequate to meet departmental/divisional goals in support of overall company goals. Sets high expectations of significant influence on other departments/divisions for all audit activities, risk assessments and process improvements to support control objectives with cross-functional impacts. Delegates responsibility and authority to appropriate staff within the team, regularly monitoring progress to ensure goals are met. Evaluates the performance of each team member, generates development plans and sets goals within the context of corporate policy. Provides coaching, counseling and motivation to team members, ensuring staff have the appropriate tools and training (establishes Performance Development Plans for staff). Drives commitment and continuous personal improvement, self-confidence, insight, judgment, integrity, ethics, responsiveness, timeliness, flexibility and adaptability.


Education Level: Bachelor's Degree, Finance, Accounting, Business or related field OR in lieu of a Bachelor's degree, an additional 4 years of relevant work experience is required in addition to the required work experience.

Experience: 5 years of risk management or related risk assessment experience, as well as previous financial institution experience, required. 1 year of supervisory or demonstrated leadership experience.

Knowledge, Skills and Abilities (KSAs)

  • Strong capabilities and experience in performing independent assessments, including compliance & legal reviews, contract reviews, testing controls, and developing & reviewing assessment reports.
  • Experienced problem solver who works independently and within a team using interpersonal skills, including excellent oral and written communication skills, and has a strong ability to influence and collaborate to achieve a mutually beneficial outcome
  • Excellent written skills are required to prepare reports/documents for internal presentations as well as presentation to various Senior Leadership committees.  Advanced planning, organization, analytics and business acumen are required to understand and present the implications of various decisions. 
  • Proficient in MS Office, Project Management tools, financial/budget management systems (e.g., Oracle). 
  • Understands and possesses general project management skills relevant to performing assessment functions and responsibilities. 
  • Ability to work effectively in a fast-paced environment with frequently changing priorities, deadlines and workloads that can be varied for extended periods of time. Must be able to meet established deadlines and handle multiple customer service demands from internal and external customers, within set expectations for service excellence. 
  • Ability to exercise sound judgment.
  • Ability to communicate with tact to all levels of staff. 
  • Demonstrated initiative, trustworthiness and integrity.


  • Experience with performing third party risk assessments.
  • Understanding of legal requirements and health insurance operations.
  • Relevant risk or business certification (e.g., CPA, CIA, CISA, CISM). 

Knowledge of organization and operations of the business areas being supported.

Salary Range: $100,160 - $185,922


Salary Range Disclaimer

The disclosed range estimate has not been adjusted for the applicable geographic differential associated with the location at which the work is being performed. This compensation range is specific and considers factors such as (but not limited to) the scope and responsibilities of the position, the candidate's work experience, education/training, internal peer equity, and market and business considerations. It is not typical for an individual to be hired at the top of the range, as compensation decisions depend on each case's facts and circumstances, including but not limited to experience, internal equity, and location. In addition to your compensation, CareFirst offers a comprehensive benefits package, various incentive programs/plans, and 401k contribution programs/plans (all benefits/incentives are subject to eligibility requirements).


Third Party Risk Office

Equal Employment Opportunity

CareFirst BlueCross BlueShield is an Equal Opportunity (EEO) employer.  It is the policy of the Company to provide equal employment opportunities to all qualified applicants without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, age, protected veteran or disabled status, or genetic information.

Where To Apply

Please visit our website to apply:

Federal Disc/Physical Demand

Note:  The incumbent is required to immediately disclose any debarment, exclusion, or other event that makes him/her ineligible to perform work directly or indirectly on Federal health care programs.


The associate is primarily seated while performing the duties of the position.  Occasional walking or standing is required.  The hands are regularly used to write, type, key and handle or feel small controls and objects.  The associate must frequently talk and hear.  Weights up to 25 pounds are occasionally lifted.

Sponsorship in US

Must be eligible to work in the U.S. without Sponsorship
