Third Party Risk Management Lead

🌍 Remote, USA 🎯 Full-time 🕐 Posted Recently

Job Description

About Sungrow:

Sungrow North America is a leading provider of renewable energy solutions, specializing in the development and manufacturing of photovoltaic inverters and energy storage systems. The company offers a comprehensive range of products and services designed to optimize the performance and efficiency of solar power installations. Sungrow North America is known for its commitment to innovation, high-quality standards, and exceptional customer service, aiming to provide sustainable and reliable energy solutions to meet the growing demand for clean power.

The Position:

Sungrow Americas is seeking a Third Party Risk Management (TPRM) Lead to establish and operate a scalable program for managing vendor, supplier, and third-party risk across the organization. This role is responsible for ensuring that third-party relationships are assessed, governed, and continuously monitored in alignment with regulatory expectations and customer requirements. In parallel, this role will support the development of business continuity and resilience capabilities, including Business Impact Analysis (BIA) and foundational BCDR program elements.

This is a program leadership role requiring strong execution, cross-functional influence, and the ability to operate in a regulated, critical infrastructure environment.

Key Responsibilities

Third Party Risk Management (Program Ownership)
- Build and operate the TPRM program lifecycle, including:
  - Vendor intake and risk tiering
  - Security assessments and due diligence
  - Ongoing monitoring and reassessment
- Define and enforce minimum security requirements for vendors and suppliers
- Partner with legal and procurement to embed security and risk clauses into contracts
- Establish processes for exception management and risk acceptance

Risk Assessment & Due Diligence
- Lead execution of third-party security reviews, including:
  - Questionnaires and evidence validation
  - Review of SOC 2, ISO certifications, and supporting artifacts
- Identify and communicate material risks and required mitigations
- Ensure alignment to frameworks (NIST, ISO 27001, SOC 2, NERC CIP where applicable)

Continuous Monitoring & Issue Management
- Implement ongoing monitoring capabilities for vendor risk posture
- Track and drive remediation of identified third-party risks
- Maintain visibility into fourth-party and supply chain dependencies where relevant

Business Continuity & Resilience (BCDR/BIA Support)
- Support development of Business Impact Analysis (BIA) across critical functions
- Partner with business and IT stakeholders to define:
  - Critical processes
  - Recovery time objectives (RTO) / recovery point objectives (RPO)
- Contribute to the development of BCDR plans and testing frameworks
- Ensure third-party dependencies are integrated into continuity planning

Governance, Reporting & Audit Readiness
- Develop and track TPRM KPIs and risk metrics
- Provide executive-level reporting on third-party risk posture
- Maintain documentation and evidence to support:
  - Audits
  - Customer security reviews
  - Regulatory inquiries
- Ensure the program is defensible and repeatable

Cross-Functional Collaboration
- Partner with:
  - Procurement (vendor onboarding)
  - Legal (contractual protections)
  - IT and engineering (technical validation)
- Act as the central point of coordination for third-party risk decisions

Requirements
- 7–10+ years of experience in third-party risk management, GRC, or vendor risk programs
- Proven experience building or leading a TPRM program in a regulated or enterprise environment
- Strong understanding of:
  - Vendor risk assessment methodologies
  - Security frameworks (NIST, ISO 27001, SOC 2)
- Experience reviewing:
  - Security documentation (policies, controls, audit reports)
  - Third-party attestations (SOC 2, ISO certifications)
- Working knowledge of business continuity and resilience concepts (BIA, BCDR)
- Ability to drive cross-functional alignment and accountability

Preferred
- Experience in energy, industrial, or critical infrastructure sectors
- Familiarity with NERC CIP requirements
- Experience implementing or operating TPRM platforms/tools
- Certifications such as CRISC, CISM, CISSP, or CTPRP

Competencies
- Program Builder: Can stand up and mature TPRM from structure to scale
- Risk Translator: Converts vendor risk into business and contractual impact
- Governance-Oriented: Ensures decisions are documented and defensible
- Cross-Functional Operator: Effective with procurement, legal, IT, and engineering
- Pragmatic Enforcer: Balances risk reduction with business enablement

Strategic Fit
- Establishes control over external risk exposure
- Strengthens customer trust and regulatory alignment
- Enables defensible procurement and vendor onboarding decisions
- Builds foundation for enterprise resilience and continuity planning

Travel
- Up to 10%

Work Location and Status:
- Remote
- No visa sponsorship

Sungrow is an equal opportunity employer. Due to strong interest in this position, Sungrow will only contact candidates who best meet the requirements. Thank you for your interest in Sungrow.
