Third-Party Risk Lead Analyst

Builders FirstSource
paid holidays, sick time, 401(k)
United States, Texas, Dallas
2001 Bryan Street
Apr 20, 2026

We are Builders FirstSource, America's largest supplier of building materials, value-added components and building services to the professional market. You'll feel proud of the work you do here every day to transform the future of home building and help make the dream of home ownership more achievable. At BFS, we believe building a successful career is not solely defined by a degree. Your experience, skills, and passion are just as important, if not more so. As such, we are committed to creating a diverse and inclusive workplace that welcomes candidates from all backgrounds and experience levels.

PURPOSE
The Third-Party Risk Lead is responsible for leading the end-to-end technology third-party risk lifecycle for BFS. This role partners with Procurement, Legal, IT Architecture, Information Security, Privacy, and Business Owners to evaluate and manage risk for IT vendors and service providers - before contract signature and throughout the relationship - using a combination of business use case review, solution/module scope, security questionnaires and evidence review, contract language requirements, and BFS architecture and controls compatibility.

This position establishes clear, risk-based decisioning (approve / approve with conditions / defer / reject), defines governance expectations (tiering, control requirements, monitoring cadence, and remediation tracking), and drives outcomes through influence rather than direct authority. The Third-Party Risk Lead leverages external security ratings (e.g., BitSight or similar) and internal risk data to continuously monitor vendors, identify emerging issues, and ensure vendors are integrated and governed in a manner consistent with BFS security standards and target architecture.
customer and regulatory requirements.

ESSENTIAL DUTIES AND RESPONSIBILITIES



  • Leads architecture development for small projects and supports architectural efforts for medium to large projects (e.g., a project module or existing technology map review) or complex components of projects.
  • Own and continuously improve the IT Third-Party Risk Management (TPRM) program, including intake, risk tiering, assessment standards, decisioning, governance, and continuous monitoring
  • Partner with Business Owners and Procurement to confirm the business use case, intended modules/functional scope, data types (e.g., PII, PHI, PCI), hosting model, and criticality to BFS operations to determine the appropriate assessment path and required controls
  • Lead vendor due diligence using questionnaires and evidence (e.g., SOC 2/ISO 27001 artifacts, pen test summaries, vulnerability management, incident response, BC/DR) and validate completeness and reasonableness of vendor responses
  • Partner with Legal and Procurement to define and negotiate security, privacy, and technology contract requirements (e.g., security addendum, audit rights, breach notification, subcontractor controls, data handling/retention, encryption, SLAs, right-to-terminate for cause)
  • Coordinate technical and architecture compatibility reviews with IT and Security Architecture, including identity integration (SSO/MFA), network connectivity, logging/monitoring, data flows, encryption, key management, and alignment to BFS reference architectures
  • Leverage external security ratings (e.g., BitSight or similar) and internal signals to score vendors, set thresholds by risk tier, manage rating disputes/remediation plans with vendors, and define monitoring cadence and escalation triggers.
  • Document findings in a consistent risk format, track remediation actions to completion, and facilitate risk acceptance/exception decisions with appropriate governance forums
  • Maintain vendor risk inventory, risk registers, and dashboards/KRIs to report program health, vendor risk posture, exceptions, and trends to leadership monthly
  • Execute ongoing continuous monitoring activities (ratings, attestations, evidence refresh, incident/breach tracking) and conduct periodic reassessments aligned to vendor tier and material changes (scope, modules, data, architecture)
  • Support the response to published third-party (and, if applicable, fourth-party) security incidents by coordinating information requests, impact assessments, containment expectations, and post-incident corrective action tracking with vendors and internal teams
  • Define and maintain TPRM policies, standards, and procedures, and integrate required risk gates into procurement and project delivery workflows
  • Facilitate cross-functional reviews and decision meetings with IT, Security, Architecture, Legal, Procurement, Privacy, and Business Owners; drive clear outcomes, owners, and timelines
  • Develop and maintain TPRM playbooks, questionnaire templates, contract language guidance, vendor integration/security requirement checklists, and executive-ready communications


SUPERVISORY RESPONSIBILITIES

This job has no supervisory responsibilities.

MINIMUM REQUIREMENTS

To perform this job successfully, an individual must be able to perform each essential duty satisfactorily. The requirements listed below are representative of the knowledge, skill, and/or ability required.



  • 5+ years of experience in third-party risk management, cybersecurity risk, or technology risk, including leading vendor assessments from intake through decisioning and ongoing monitoring
  • Bachelor's degree in Information Security, Information Systems, Risk Management, Business, or a related field (or equivalent practical experience)
  • Proven ability to write clear, defensible risk assessments and executive-ready summaries; strong organizational skills with the ability to manage multiple vendor workstreams and deadlines
  • Proficiency with common productivity and reporting tools (Excel, Word, PowerPoint, SharePoint; Power BI preferred) and comfort working with workflow/GRC tooling
  • Hands-on experience with third-party risk tooling and/or external security ratings (e.g., BitSight, SecurityScorecard) including score interpretation, thresholding, remediation tracking, and ongoing monitoring
  • Excellent communication and interpersonal skills, including the ability to influence across IT, Legal, Procurement, and the business, and to engage vendors professionally on findings and remediation
  • Ability to operate with ambiguity, take initiative, and drive program outcomes in a fast-paced environment
  • Strong analytical and critical thinking skills to evaluate evidence, quantify/communicate risk, and support risk-based decisioning and governance
  • Experience performing vendor due diligence (questionnaires and evidence review), documenting gaps, driving remediation, and performing periodic reassessments and continuous monitoring
  • Working knowledge of incident management and third-party incident/breach response expectations (notification, investigation support, corrective actions)
  • Hands-on experience creating or operating risk tiering models, assessment methodologies, governance reporting, and integrating TPRM controls into procurement and contract processes
  • Strong understanding of the full third-party lifecycle (pre-contract due diligence, onboarding/go-live, ongoing monitoring, change management, renewal, and offboarding)
  • Experience aligning vendor risk requirements to frameworks/standards such as NIST CSF, NIST 800-53, ISO 27001, PCI DSS, and common assurance artifacts such as SOC 2
  • Experience implementing or optimizing third-party risk workflows in platforms such as ServiceNow, Archer, or AuditBoard (or equivalent tooling)
  • Experience in audit, compliance, or a related control function; relevant certifications such as CISA, CRISC, CISSP, CISM, or similar are a plus


COMPETENCIES



  • Evaluates Problems: Evaluates and analyzes different types of information objectively to identify appropriate solutions; writes fluently, establishing the key facts clearly and interprets numerical data effectively.
  • Technical Communication/ Presentation: Communicates with clarity and precision, presenting complex information in a concise format that is audience appropriate.
  • Adjusting and Driving Change: Takes a positive approach to tackling work and embraces change; invites feedback relating to performance and deals constructively with criticism. Identifies the need for and drives change when required to achieve objectives.
  • Focuses on Customers: Understands and anticipates customer needs and takes action to provide high-quality products and services to exceed expectations.
  • Demonstrates Business Acumen: Demonstrates working knowledge of market, economic, legal, and regulatory environments and how they impact the business.
  • Agile Best Practices: Understands how agility is leveraged in IT ways of working. Adopts agile best practices as appropriate throughout the assigned work lifecycle. Responds to feedback quickly based on comments of internal and external customers and needs of the market.
  • Bias for Action: Takes initiative and identifies what needs to be done and acts without waiting to be asked. Executes work in a timely manner. Suggests improvements to current ways of working.


BFS COMPETENCIES

Business and Financial Acumen



  • Demonstrates depth of understanding for the P&L and financial analysis
  • Teaches business and financial acumen to others.
  • Understands KPIs and how BFS makes money.
  • Knows the different business segments and how they relate to one another.
  • Understands customer sales and engagement.
  • Demonstrates functional and/or technical expertise.
  • Understands complex issues and demonstrates problem solving skills.
  • Understands how to maximize business results regardless of industry cycle.


Results Driven



  • Holds self and others accountable.
  • Communicates and sets clear goals with plans to deliver.
  • Manages competing priorities effectively.
  • Demonstrates appropriate urgency.
  • Drives to exceed expectations in alignment with our BFS SPICE values.
  • Embraces and follows best practices.
  • Demonstrates self-starter, can-do attitude.


Strategic Thinking and Decision Making



  • Leverages resources and teams around them to solve problems and create mutually beneficial outcomes.
  • Demonstrates willingness and courage to make tough decisions in a timely manner.
  • Balances short- and long-term priorities.
  • Demonstrates proactive versus reactive thinking.
  • Asks questions to identify root cause and analyze situations more accurately.


Servant Leadership



  • Demonstrates humility by putting others first.
  • Builds trust-based relationships.
  • Leads by example with kindness and respect.
  • Collaborates well across all areas of the business.
  • Advocates for others.
  • Actively listens to understand the meaning and intent of what the other person is communicating.
  • Demonstrates authenticity and encourages others to do the same.


Emotional Intelligence



  • Demonstrates situational awareness - knows when and how to adjust leadership style in different situations.
  • Demonstrates self-awareness - understands strengths and weaknesses.
  • Demonstrates empathy - puts themselves in others' shoes.
  • Assumes positive intent.


Develops and Leads Others



  • Drives alignment through clear communication of vision, goals, and expectations.
  • Invests time on a regular basis in performance feedback and developmental conversations.
  • Fosters a respectful and inclusive environment.
  • Empowers, motivates, and inspires others.
  • Coaches and mentors others for their development.
  • Guides and persuades others to deliver positive outcomes.


Growth Mindset



  • Demonstrates a growth mindset; takes appropriate risks, fails fast and forward, learns from mistakes.
  • Perseveres and champions growth, even in the face of resistance, ambiguity, or possible failure.
  • Thinks like an owner with an entrepreneurial spirit.
  • Demonstrates and encourages intellectual curiosity.
  • Continuous learner; seeks opportunities and knowledge for personal and professional growth.
  • Sees possibilities over problems - actively seeks solutions.


Innovation



  • Encourages out-of-the-box thinking to create new ways of doing things.
  • Continuously seeks to improve and simplify pain points in the business.
  • Anticipates, embraces, and leads change.
  • Develops and executes breakthrough strategies.


Integrity



  • Does the right thing even under challenging circumstances.
  • Communicates with honesty.
  • Consistently treats others fairly and equitably.
  • Demonstrates reliability and does what they say they will do.
  • Conducts tough conversations and delivers difficult messages with kindness and respect.


WORK ENVIRONMENT / PHYSICAL ACTIVITY
The physical demands described here are representative of those that must be met by an employee to successfully perform the essential functions of this job. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.



  • Subject to both typical office environment and outside locations with temperature and weather variations.
  • Must be able to lift and carry up to 25 pounds.
  • Occasional travel may be required.



This position was posted on April 20, 2026 and we anticipate it will be open for a minimum of five days, though it may be open for a longer period. We encourage your prompt application.

Successful, innovative, and fulfilling careers are built here, and your professional development is a high priority. We invest in your future through the latest training, tools, and technologies. Highly collaborative, we work together to solve problems and find better ways to continually grow our business and careers every day. You'll be empowered to try new things, gain new experiences, and build a career with unlimited horizons. The scale and depth of resources that come with being the #1 building materials distributor in the nation provide a variety of opportunities for you to explore - all in a friendly, people-first environment. Join us to be more, do more, and build more, together at BFS.

In addition to the base wage listed, this position is also eligible to earn an annual bonus subject to changes in plan design and documents and in accordance with applicable law. Eligibility and the amount of the bonus vary based on overall company success, thresholds met and other terms and conditions of the Company's active bonus policy for the respective year.

At Builders FirstSource, we offer competitive, affordable benefits designed to make life better for you and the people you love. Our goal is simple - provide great plans that help you and your family to live happier, healthier and more secure lives. This role is eligible for medical, dental, vision, and disability insurance plans, 401(k) retirement savings plan, PTO (including paid sick time), and 8 paid holidays per year (for salaried and hourly team members). Details about Builders FirstSource's benefits offerings are available at www.bldrbenefits.com.

Builders FirstSource is an Equal Opportunity/Affirmative Action Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, protected veteran status or status as an individual with a disability.

In compliance with the ADA Amendments Act (ADAAA), if you have a disability and would like to request an accommodation in order to apply for a position with Builders FirstSource, please call (214) 765-3990 or email: ADA.Accommodation@bldr.com. Please do not send resumes to this email address - it is intended only to be used to request an accommodation in submitting an application for a job opening.

If there's legally required pay transparency information missing from our job posting, it's not intentional and we'd like to know. To let us know, please email the job title and location to JobPostings@bldr.com. Please do not send resumes to this email address - it is intended only to be used to provide a notice of non-compliance.

Please note that due to the volume of applications received, we are unable to respond to individual inquiries about the status of your application.
