CareFirst Careers

Sr. Third Party Risk Management Analyst (Medicaid)

Resp & Qualifications

CareFirst, Inc., and its affiliated companies, generally referred to as CareFirst BlueCross BlueShield (CareFirst), is the Mid-Atlantic region’s largest private sector health insurer, with over $10 billion dollars in revenue, serving the healthcare needs of 3.4 million members in Maryland, the District of Columbia, and portions of northern Virginia. The Company offers a comprehensive portfolio of products and services to individuals and groups, as well as state and federal government sponsored plans.

As a not-for-profit, CareFirst regularly ranks among the most philanthropic organizations with $43 million invested in the community in 2019 to improve overall health, and increase the accessibility, affordability, safety, and quality of healthcare throughout its market area. The company’s associates consistently add to this impact by devoting thousands of volunteer hours to numerous community organizations and social causes.

We practice empathy, seek to understand, invest in inclusion, demand equity, and nurture belonging every day for our associates and the communities we serve. We rely on the rich diversity of our associates’ experiences and backgrounds to achieve our mission. In 2019, we proudly held our first Day of Equity and Action. On this day, 5,000 CareFirst associates gathered across five locations to develop skills for creating new dialogues and greater understanding of each other and our communities. In 2020, we hosted a week of Diversity, Equity, and Action programming engaging 5500+ CareFirst associates virtually. Events included workshops on inclusion and the social determinants of health, skill-based volunteering, and featured crucial conversations with executive leaders on their personal connections to Diversity, Equity, and Inclusion (DEI).

Senior Third Party Risk Management Analyst (Medicaid)

The Integrated Risk Management (IRM) department is responsible for the education, empowerment, and governance of business owners in identifying and managing operational risks in a consistent and integrated manner.  IRM, facilitated by the Integrated Compliance teams and business owners across the enterprise, establishes frameworks for effectuating consistency within operational risk management.  The IRM team is a catalyst for change, providing leadership and subject matter expertise for establishing and maturing risk mitigation and controls critical to the success of the overall organization.  Specifically, the IRM team is responsible for identifying and mitigating risks; managing controls and safeguards to minimize the impact of potential and existing risks affecting the organization; ensuring compliance with laws, regulations, and organization frameworks; and monitoring and effectuating remediation of issues identified.  This requires strong collaboration and partnership with business owners and stakeholders across the enterprise. 

PRINCIPAL ACCOUNTABILITIES: Under the direction of the Manager of Third Party Risk Management with dotted line reporting to Manager of Integrated Risk Management, responsibilities include, but are not limited to:

Provide Oversight and Governance of Third Parties

  • Support maintenance of the centralized repository for third parties including accountable business owners, inherent risk, and tier for each respective third party relationship inclusive of delegated vendors for Medicaid plans.  
  • Provide support to the Medicaid Integrated Compliance team to ensure compliance with the Third Party Risk Management (TPRM) framework and standards to ensure that controls in place surrounding data protection, privacy, and access (among other areas) are compliant with CareFirst standards and risk appetite.
  • Support completion of Pre-Delegation Audits per CMS requirements on third party Delegated vendors to assess controls in place both at CareFirst and at the third party, in collaboration with subject matter resources across all relevant risk domains to determine residual risk of third party relationships.

Establish Standards and Frameworks for Standardization and Consistent Understanding

  • Establish and implement policies and procedures that address: formal baseline risk assessments, ongoing risk assessments, and re-evaluation of baseline risk assessments; the performance of assessments for operational areas specific to DC and Maryland Medicaid plans.
  • Collaborate with the Integrated Compliance team and key subject matter resources across all relevant risk domains to define and establish frameworks (e.g., Compliance, Risk Assessment, Risk Governance) and definitions for key data elements.  Maintain frameworks to meet industry standards (e.g., NIST, HITRUST).
  • Contribute to the development of enterprise-wide training and awareness materials that educate associates and leadership on Medicaid best practices, pervasive Medicaid risk management issues, Medicaid risk management tools and processes, and lessons learned.

Oversight, Monitoring, and Execution of Assessments

  • Conduct audits and risk assessments in accordance with Centers for Medicare and Medicaid Services (CMS) requirements for the DC and Maryland Medicaid health plans.
  • Conduct formal baseline risk assessments and ongoing risk assessments for operational areas specific to Medicaid activities, including periodic re-evaluations of the accuracy of the baseline Medicare risk assessments (at minimum annually) in alignment with 42 C.F.R. §§ 422.503(b)(4)(vi)(F) and 423.504(b)(4)(vi)(F).
  • Establish and ensure continuous monitoring of Delegated vendors for compliance with all applicable Medicaid regulations, as well as internal policies.
  • Govern and support associates in the completion of third party and control assessments, including self-assessments, to ensure the adequacy of controls in place to safeguard the organization, including tracking, monitoring, and managing issues identified. 
  • Maintain documentation for re-performance ability, including leveraging the Governance Risk and Compliance (GRC) tool and repository (e.g., Compliance 360).
  • Contribute to the repository of best practices and tools/accelerators related to third party assessments, operational risk assessments, and control self-assessments. 

Governance, Risk & Compliance (GRC) Program

  • Provide support to the Medicaid Integrated Compliance team and the Medicare and Medicaid Compliance Officer to ensure compliance with the established Common Compliance Framework (CCF).

Leadership and Development

  • Responsible for mentoring more junior associates
  • Maintains accountability for the accuracy of information maintained within the centralized repository.
  • Maintains responsibility for timely escalation of concerns identified during risk and control assessments to the IRM Director and the Medicare and Medicaid Compliance Officer.
  • The intent of this list of primary duties is to provide a representative summary of the major duties and responsibilities of this job. Incumbents perform other related duties as assigned. Specific duties and responsibilities may vary based upon departmental needs.

  • BA/BS degree or equivalent (in lieu of a BA/BS degree, an additional 4 years of relevant experience is required), and 5+ years of work experience in a risk management, third party risk management, Medicare/Medicaid audit, Medicare/Medicaid compliance, Medicare/Medicaid security governance, or Medicare/Medicaid legal services role.
  • Technical knowledge of and experience executing CMS compliance and audit requirements, CMS audit protocols, CMS monitoring projects, and/or CMS risk assessments.

  • Capabilities and experience in performing independent assessments, including compliance & legal reviews, contract reviews, testing controls, and developing & reviewing assessment reports.
  • Problem solver who works independently and within a team using interpersonal skills, including excellent oral and written communication skills.
  • Understands and possesses general project management skills relevant to performing assessment functions and responsibilities. 
  • Ability to work effectively in a fast-paced environment with frequently changing priorities, deadlines, and workloads that can vary for extended periods of time.  Must be able to meet established deadlines and handle multiple customer service demands from internal and external customers, within set expectations for service excellence.
  • Considerable judgment, tact, initiative, accuracy, trustworthiness and integrity.

  • Understanding of legal requirements and health insurance operations.
  • Possesses, or is in the process of obtaining, a relevant risk or business certification (e.g., CPA, CIA, CISA, CISM).
  • Hands-on experience with the implementation, support, or assessment of third party risks or operational risks.

Performance and success are rewarded through a comprehensive and competitive Total Rewards Program. This approach is comprised of not only your pay and incentive programs, but also outstanding health insurance and disability coverage, comprehensive wellness programs with free virtual fitness classes, retirement plan contributions, and paid time off (PTO). Our benefits support you at every stage in life, including domestic partner coverage, parental and caregiver leave, adoption assistance, tuition reimbursement, and student debt reimbursement. Our employee-run Associate Resource Groups (ARGs) offer opportunities to meet colleagues who share your interests while supporting the causes that matter to you. We respect and celebrate the diversity of our people, and we understand that Total Rewards is not one-size-fits-all. This is why in addition to evaluating the marketplace, we continuously assess the needs of our associates to offer a Total Rewards program that makes a difference to you.

Department: MD Medicaid - Legal

Equal Employment Opportunity

CareFirst BlueCross BlueShield is an Equal Opportunity (EEO) employer.  It is the policy of the Company to provide equal employment opportunities to all qualified applicants without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, age, protected veteran or disabled status, or genetic information.

Hire Range Disclaimer

Actual salary will be based on relevant job experience and work history.

Where To Apply

Please visit our website to apply:

Closing Date

Federal Disc/Physical Demand

Note:  The incumbent is required to immediately disclose any debarment, exclusion, or other event that makes him/her ineligible to perform work directly or indirectly on Federal health care programs.

The associate is primarily seated while performing the duties of the position.  Occasional walking or standing is required.  The hands are regularly used to write, type, key and handle or feel small controls and objects.  The associate must frequently talk and hear.  Weights up to 25 pounds are occasionally lifted.

Sponsorship in US

Must be eligible to work in the U.S. without Sponsorship
