Third-Party Risk Analyst

The expected rate of pay for this position is shown above. Compensation offers are based on a wide range of factors including relevant skills, training, experience, education and, where applicable, licenses or certifications obtained. Market and organizational factors are also considered. In addition to your base rate of pay and a competitive benefits package, successful candidates may be eligible to receive cash or equity-based incentives based on the role and performance.

Position Title: Third-Party Risk Analyst

Reports To: Deputy Chief Risk Officer

Department: Risk Department

FLSA Status: Exempt

Purpose: The Third-Party Management Analyst will be responsible for performing third-party risk-management activities, reporting to the Deputy Chief Risk Officer. The team acts as an independent, second line of defense function responsible for providing third-party risk oversight for the Company's Banking-as-a-Service (BaaS) partners, and also third-party service providers.

The individual will be responsible for performing all third-party risk management activities which will include, among others providing third-party risk oversight over BaaS Partner activities (risk-assessments, due diligence, ongoing oversight & monitoring), as well as more traditional third-party service providers (i.e., vendor relationships). Additionally, the role will provide recommendations on continuous enhancements to third-party risk-assessments, risk-appropriate due diligence, third-party Key Risk Indicators ("KRIs"), and Key Performance Indicators ("KPIs"). Lastly, the role will be responsible for assisting in the preparation of third-party risk matters to the various Management and Board-level governance committees.

Supervisory Responsibilities:

Degree of Supervision Received: Moderate

• Supervision Received (title): Deputy Chief Risk Officer

Degree of Supervision Given: None

• Supervision Given to (Titles): None

Essential Functions:

1. Complete third-party due diligence for prospective and existing third-party relationships, liaising with colleagues across Risk, Compliance, Financial Crimes, Information Security, Technology, Operations, and lines of business, among others to perform reviews in-line, with applicable interagency guidance and best-practices.
2. Lead the performance of risk-assessments for third-parties across all risk-stripes, including strategic, operational, information security, compliance, etc. at the time of initial onboarding, and periodically thereafter. Identify areas of heightened risk, and ensure appropriate risk-mitigants/controls are in-place to address.
3. Assist in developing and maturing existing KRIs and KPIs to strengthen monitoring over third-parties and provide key actionable insights into key risk areas.
4. Coordinate with colleagues across Information Security, Compliance, and Risk to assess existing and emerging third-party risks related to cyber, security, resiliency, regulatory compliance and financial health for the Company's traditional third-party service providers.
5. Develop risk profiles of third-party relationships and provide effective challenge to Product Owners to assess whether the risks of the third-party relationship are understood and within tolerance.
6. Continuously seek out opportunities to enhance/improve existing policies and procedures.
7. Communicate third-party risk policies and procedures to Product Owners, Lines of Business, risk owners and other functional areas as needed. Provide education on third-party risk processes and best-practices when called upon.
8. Perform ad-hoc analysis and assist in preparation of materials (PowerPoint, Word, Excel, etc.) for Executive Management, Company Risk Committee and Risk Oversight Committee of the Board of Directors. Additional presentations for various parties as needed.
9. Demonstrates the standards and principles of the Five Star Bank experience in every interaction with internal and external customers and associates. Incorporates the high-performance behaviors of teamwork, leading by example and service in every facet of work

Job Related Qualifications - Education and Prior Experience:

Required:

• Education: Bachelor's Degree in Accounting, Finance or business-related field
• Prior Experience: 4+ Years - Type: Financial services or consulting in financial services. Prior risk management experience, including knowledge of financial markets and regulatory environment. Experience in financial services, banking or public accounting in a risk management, audit, and/or information security compliance setting strongly preferred. Should have understanding and knowledge of applicable regulatory guidance, including Conducting Due Diligence on Financial Technology Companies: A Guide for Community Banks; and Interagency Guidance on Third-Party Relationships: Risk Management.

Competencies:

1. Logical thinking, ability to analyze complex sets of data and convert to meaningful risk reporting
2. Strong written and verbal communication skills; strong sense of ownership in project participation
3. Excellent interpersonal skills with the ability to interact effectively with all levels of Company employees
4. Ability to collaborate across multiple functional areas, while able to provide effective review and challenge, where needed
5. Understanding of risk and controls, including development and documentation in the financial regulatory environment
6. Strong Microsoft Office skills, especially PowerPoint, Excel and Word. Ability to craft presentations or documents based on high-level guidance
7. Ability to work independently to a deadline with limited supervision
8. Knowledge of the COSO Internal Control and Enterprise Risk Management - Integrated Framework; Interagency Guidance on Third-Party Relationships: Risk Management; and Conducting Due Diligence on Financial Technology Companies: A Guide for Community Banks
9. Must be familiar with conducting third-party due diligence reviews, including completing reviews of key documentation, which includes third-party due diligence questionnaires, Service Organization Controls (SOC) Type 1 / Type 2 Reports, Complementary User Entity Controls (CUECs), third-party risk-assessments, etc.

Physical Requirements:

1. Able to regularly sit for prolonged periods on time
2. Extensive computer usage is required
3. Occasional travel within corporate footprint

This job description is not exhaustive. The Third-Party Risk Management Analyst may be required to perform other duties as assigned.