Lilly Risk Assessor, Third Party Risk Management (TPRM) in Cork, Ireland
At Lilly, we unite caring with discovery to make life better for people around the world. We are a global healthcare leader headquartered in Indianapolis, Indiana. Our 35,000 employees around the world work to discover and bring life-changing medicines to those who need them, improve the understanding and management of disease, and give back to our communities through philanthropy and volunteerism. We give our best effort to our work, and we put people first. We’re looking for people who are determined to make life better for people around the world.
At Lilly, we make a difference for people the world over by discovering, developing and delivering medicines that help people live longer, healthier and more active lives. Central to all that we do are our talented and motivated professionals, circa 850 of whom are based at our Global Business Solutions centre in Little Island, Cork. There we boast a vibrant workforce made up of over 44 nationalities.
Established in 2010 to gain efficiencies in areas such as General Accounting, Purchase to Pay and Order to Cash, the GBS Cork quickly excelled in its financial mandate, allowing the Cork leadership to ask, how can we apply these processes to other areas of the business? And so the GBS we have today was born, still leading in finance, but also evolving and expanding into diverse Business Service functions including Customer Meeting Services, Global HR Data Management, Medical Information, Procurement, Trial Capabilities, Global Scientific Communications and more to come on stream in 2020/21.
Lilly works with an extensive network of third party organizations to perform a vast range of activities across the enterprise. Known internal risks that impact Lilly such as privacy, information security, compliance, pricing, IT, etc. are amplified or compounded with the use of third parties. Today, third party oversight is decentralized at Lilly. There are many functions working with third parties in some capacity including, but not limited to: Procurement, Third Party Management Organizations (TPMOs), Risk Domain Partners including Audit/Assessment Teams.
The TPRM organization is implementing a holistic program to support consistent, efficient, and effective decision making and determining potential inherent risk. The central team’s scope encompasses priority business and risk areas across all stages of the third party collaboration lifecycle.
Successful execution of this strategy will reduce third party risk, strengthen capabilities, drive consistency and efficiency, and reduce cost.
The scope of the TPRM Hub Team will include the following:
Create and maintain policies, procedures, and training to drive consistent TPRM for third party use.
Liaise with Risk Domain Partners to create and maintain: Risk Definitions, Tolerances, and Required Training for TPMOs, Engagement Owners, and Third Parties.
Construct and own the overall TPRM Program.
Own the enterprise TPRM technology solution.
Provide oversight of the TPRM initial and on-going monitoring due diligence processes.
Report progress and results to Senior Leadership including, but not limited to, the CPO, the SVP of Ethics & Compliance, and the Compliance & Enterprise Risk Management Committee (CERMC).
The Risk Assessor will work in partnership internally, cross functionally and externally with third parties to assess and mitigate third party risk. Current risk domains in scope are Anti Corruption, Privacy, Information Security and Information Systems Quality, which will expand as we grow the programme.
Determine, conduct and incorporate applicable risk domain screenings into due diligence activities and ongoing oversight plan
Conduct assessments in a coordinated fashion with other risk domains. Assessment work includes but is not limited to scoping the assessment, testing controls, conducting interviews, reviewing evidence, determining final disposition of findings, written and verbal communication of findings, rating criticality of findings and evaluating action plans provided by the third party
Set risk domain ongoing monitoring schedule and activities per inherent risk domain level
Perform Ongoing Monitoring activities per the inherent risk domain level as a part of the TPRM Program
Define and own risk domain assessment methodology for control assessment activities
Provide risk domain requirements for termination and off-boarding activities, supporting these activities as required
Maintain risk domain questions for Inherent Risk Questionnaire (IRQ) for the TPRM tool
Work with risk domain partners to provide risk domain specific scoring thresholds for inherent risk domain levels per common TPRM risk tiering scale
Provide feedback on centralized intake form
Classify and consolidate report of findings using centralized TPRM tool whilst notifying appropriate stakeholders / partners
Opine on / recommend risk domain specific controls to mitigate identified findings and determine residual risk domain level for respective risk domains
Provide risk domain subject matter expertise and standard setting on findings tracking and mitigation
Create and own standards for qualitative residual risk scoring that adhere to the overall scoring methodology set by the TPRM Program
Issue approvals according to TPRM Approvals Matrix
Provide guidance to business teams on Third Party Risk Management
Support internal education and best practices sharing with peers and colleagues, as well as third party education & awareness
In partnership with the Legal team, maintain inventory of risk domain specific contract principles, provide feedback on contract terms in contract negotiations and approve edits or adjustments to risk domain contractual principles
Drive and deliver on risk domain IRQ and process metrics to measure control effectiveness and allow decision making
Continually monitor and update assessments of the control environment, keeping abreast of significant control issues, trends and developments
Integrate emerging risk control requirements into the existing risk assessment process
Internal subject-matter expert of Lilly’s TPRM risk procedures and standards, owning & updating as required
Maintain list of third parties by risk domain in centralized TPRM tool
Consult or provide risk domain input into Lilly’s framework for third party governance
Support the TPRM Team in the implementation and maintenance of an effective enterprise risk management framework
Participate at forums including but not limited to TPRM Steer Committee (Risk Domain Partner Leadership), Assessment Coordination and TPRM Operations Committee
Support TPRM Projects as required
Partner with risk domain business functional areas to ensure TPRM activities are maintained and reflect current risks and expectations.
Bachelor’s Degree or CIPP/CIPT/CTPRP/CRISC/CISA/CISM qualification
Experience performing third party risk assessments in areas including but not limited to Anti-Corruption, Privacy, Information Systems and Information Systems Quality.
Minimum of three or more years of audit, operational risk or other risk management experience or other proven related business experience
Good understanding of risk management and internal control leading practices within specialized area of focus
Demonstrated ability to work effectively in a complex, highly regulated environment
Ability to plan, organize, prioritize and drive workload autonomously
Effective communication, organization and presentation skills
Effective influence management skills
Evidence of strong analytical and data management skills
Collaborates and builds partnerships across functions and regions, works well with others
Ability to work in a matrix organization to influence outcomes
Language skills desired but not essential, across all languages and in particular French, German, Italian and Spanish
Eli Lilly and Company, Lilly USA, LLC and our wholly owned subsidiaries (collectively “Lilly”) are committed to help individuals with disabilities to participate in the workforce and ensure equal opportunity to compete for jobs. If you require an accommodation to submit a resume for positions at Lilly, please email Lilly Human Resources (LillyRecruitingCompliance@lists.lilly.com) for further assistance. Please note: this email address is intended for use only to request an accommodation as part of the application process. Any other correspondence will not receive a response.
Lilly does not discriminate on the basis of age, race, color, religion, gender, sexual orientation, gender identity, gender expression, national origin, protected veteran status, disability or any other legally protected status.
At Lilly we strive to ensure our employees are part of a team that cares about them and our shared purpose of making life better for those around the world. How do we do this? We continue to look for ways to include, innovate, accelerate and deliver while maintaining integrity, excellence and respect for people. We hope that you seek to join us on our journey as we create medicine and deliver improved outcomes for patients across the globe!