Manager, IT Third-Party Risk

San Diego, California, United States


Job Title: Manager, IT Third-Party Risk

Location: San Diego, CA / Hybrid

Position type: Full time

FLSA: Exempt

Department: Information Technology

Finance ID: 9180-2024-1-P

Strive to Bring a Profound Difference to our Patients

At Avidity Biosciences, we are passionate about the impact of every employee in realizing our vision of improving people’s lives by delivering a new class of RNA therapeutics. Avidity is revolutionizing the field of RNA with its proprietary AOCs, which are designed to combine the specificity of monoclonal antibodies with the precision of oligonucleotide therapies to address targets and diseases previously unreachable with existing RNA therapies. If you are a committed, solution-oriented thinker, join us in making a difference and become part of our growing culture that is integrated, collaborative, agile and focused on the needs of patients. 

Avidity Biosciences, Inc.'s mission is to profoundly improve people's lives by delivering a new class of RNA therapeutics - Antibody Oligonucleotide Conjugates (AOCs™). Utilizing its proprietary AOC platform, Avidity demonstrated the first-ever successful targeted delivery of RNA into muscle and is leading the field with clinical development programs for three rare muscle diseases: myotonic dystrophy type 1 (DM1), Duchenne muscular dystrophy (DMD) and facioscapulohumeral muscular dystrophy (FSHD). Avidity is broadening the reach of AOCs with its advancing and expanding pipeline, including programs in cardiology and immunology through internal discovery efforts and key partnerships. Avidity is headquartered in San Diego, CA. For more information about our AOC platform, clinical development pipeline, and people, please visit www.aviditybiosciences.com and engage with us on LinkedIn and Twitter.

The Opportunity

The Manager, IT Third-Party Risk is a key leadership role responsible for overseeing and enhancing Avidity’s third-party risk management program, ensuring that vendors, suppliers, and partners comply with security, regulatory, and operational risk requirements. This role is critical in assessing and mitigating cybersecurity, compliance, and operational risks associated with third-party relationships.

This position requires a technical and business-savvy leader who can collaborate across IT, procurement, compliance, security, and business units to evaluate and manage risks within the third-party ecosystem. The ideal candidate will have hands-on experience in vendor assessments, contract security requirements, risk analysis, and compliance monitoring while being able to communicate effectively with internal and external stakeholders.

Additionally, this role will be instrumental in implementing and managing GRC (Governance, Risk, and Compliance) tooling, such as OneTrust, and will be involved in privacy-related initiatives, including privacy policy updates, Data Subject Access Requests (DSAR), and cookie consent management. The Third-Party Risk Manager will also drive automation and efficiency within the vendor risk assessment lifecycle, ensuring streamlined compliance tracking and real-time risk visibility.

What You Will Contribute

  • Develop and execute the third-party risk management (TPRM) strategy, ensuring alignment with industry standards and regulatory requirements.
  • Conduct third-party security risk assessments, including vendor onboarding evaluations, periodic reviews, and contract risk analysis.
  • Work closely with procurement, legal, compliance, and IT teams to integrate risk-based decision-making into vendor selection and management.
  • Ensure third-party compliance with NIST Cybersecurity Framework (CSF), ISO 27001, FDA, HIPAA, GxP, and other relevant industry standards.
  • Monitor vendor performance, security posture, and compliance with contractual obligations, ensuring continuous risk oversight.
  • Develop and maintain a third-party risk register, tracking identified risks, mitigation plans, and remediation progress.
  • Manage the third-party risk assessment lifecycle, including initial due diligence, ongoing monitoring, and vendor exit strategies.
  • Oversee risk scoring methodologies and implement automation to streamline vendor risk evaluation processes.
  • Implement and manage GRC tooling, such as OneTrust, to automate risk assessments, compliance tracking, and vendor monitoring.
  • Participate in privacy tracking and compliance efforts, including privacy policy updates, DSAR processing, and cookie consent management.
  • Drive incident response preparedness for third-party security breaches, ensuring rapid containment and remediation.
  • Provide executive-level reporting on third-party risk trends, key risks, and mitigation strategies to senior leadership.
  • Partner with business stakeholders to assess the impact of vendor risks on commercial readiness and operational resilience.
  • Establish a continuous improvement program for third-party risk, leveraging data analytics and threat intelligence to enhance decision-making.


What We Seek

  • Bachelor’s degree in Information Security, Risk Management, Business, or a related field (or equivalent experience).
  • 8+ years of experience, with 5+ years in third-party risk management, vendor risk assessment, or IT security risk management.
  • Strong understanding of cybersecurity frameworks, regulatory compliance (FDA, HIPAA, GxP), and enterprise risk management methodologies.
  • Experience with vendor risk management platforms (e.g., Archer, OneTrust, ServiceNow VRM, or similar tools).
  • Proven experience integrating TPRM strategies into broader cybersecurity and IT risk management programs.
  • Strong negotiation and communication skills to engage with vendors, legal teams, and business stakeholders.
  • Ability to translate technical risk findings into business-focused recommendations for executive decision-making.
  • Prior experience working in biotech, pharmaceuticals, or highly regulated industries is preferred.
  • Experience with privacy-related processes such as DSAR handling, cookie consent management, and privacy policy updates is a plus.

Preferred Certifications or Equivalent Experience

  • Certified Information Systems Auditor (CISA)
  • Certified Information Security Manager (CISM)
  • Certified Third Party Risk Professional (CTPRP)
  • Certified Information Systems Security Professional (CISSP)
  • ISO 27001 Lead Auditor or equivalent experience
  • Certified in Risk and Information Systems Control (CRISC) (preferred for risk management expertise)


What We Will Provide to You

  • The base salary range for this role is $156,750 – 173,250. The final compensation will be commensurate with such factors as relevant experience, skillset, internal equity and market factors.
  • Avidity offers competitive compensation and benefits, which include the opportunity for annual and spot bonuses, stock options and RSUs, as well as a 401(k) with an employer match. In addition, the comprehensive wellness program includes coverage for medical, dental, vision, and LTD, and four weeks of time off.
  • A commitment to learning and development, which includes a variety of programming developed internally by and for Avidity employees, opportunities for job-specific training offered by the industry, and an education reimbursement program.


Avidity Biosciences

10578 Science Center Dr. Suite 125

San Diego, CA

92121

O: 858-401-7900

F: 858-401-7901
