We’ve signed up to an ambitious journey. Join us!

As Arrive, we guide customers and communities towards brighter futures and more livable cities, it isn’t a challenge just anyone could take on. Luckily, we have something to help us make it happen. Our people and our values. We Arrive Curious, Focused and Together. Just as our entire brand is inspired by the North Star, the shining light leading travelers to their destinations since time began, our values guide us. They help us be at our best. For our customers. For the cities and communities we serve. For ourselves. As a global team, we are transforming urban mobility. Let’s grow better, together.

Role Overview:

We are seeking an experienced Third-Party Risk Management (TPRM) Manager to own and mature Arrive’s global third-party risk program.

Reporting to the Risk & Compliance Lead, this role will serve as the single point of accountability for third-party security risk across the Arrive Group. This is a strategic governance role focused on enabling business growth while ensuring vendors, partners, and suppliers meet Arrive’s security, resilience, and regulatory expectations.

The ideal candidate will combine strong vendor risk assessment expertise, regulatory alignment experience, and senior stakeholder management capability in a global environment.

Key Responsibilities:

Vendor Risk Assessments & Due Diligence

• Lead security risk assessments for new and existing third parties (SaaS, cloud, fintech vendors, payment processors).

• Review and analyze vendor certifications and assurance artifacts (ISO 27001, SOC 1/2, PCI DSS, GDPR documentation).

• Evaluate third-party control effectiveness and document risk findings.

• Drive remediation tracking and closure with vendors and internal stakeholders.

• Maintain and mature standardized third-party assessment frameworks.

Risk-Based Decision Support

• Translate technical findings into business-aligned risk insights.

• Advise leadership on risk acceptance, mitigation, and compensating controls.

• Maintain a defensible third-party risk register and reporting structure.

• Support procurement decisions through risk scoring and tiering models.

Regulatory & Contractual Alignment

• Partner with Legal and Procurement to embed security requirements in contracts (MSA, DPA, security addendums).

• Ensure alignment with ISO 27001, PCI DSS, GDPR, NIS2, SOC, and other regulatory frameworks.

• Validate subcontractor and supply-chain security obligations.

• Support customer due diligence and regulatory inquiries related to vendor security.

Program Governance & Continuous Improvement

• Own and continuously enhance the TPRM lifecycle (onboarding, assessment, monitoring, offboarding).

• Define and track KPIs for vendor risk posture (coverage, remediation time, risk trends).

• Support internal and external audits by providing third-party assurance evidence.

• Leverage GRC or TPRM tools to automate workflows and reporting.

• Scale the TPRM program in line with business growth and geographic expansion.

Continuous Improvement

• Drive ongoing enhancement of the TPRM framework, processes, and tooling to align with evolving regulatory and business requirements.

• Identify gaps and implement process efficiencies to strengthen risk mitigation and stakeholder experience.

• Monitor industry best practices and emerging risks to proactively refine the third-party risk management program.

Reporting

• Design and implement TPRM KPIs and KRIs to measure third-party risk exposure, assessment coverage, remediation timelines, and control effectiveness.

• Develop executive dashboards and periodic reporting to provide data-driven insights to senior leadership and governance forums.

• Monitor performance against defined risk thresholds and drive accountability through structured reporting and escalation mechanisms.

Stakeholder & Cross-Functional Collaboration:

• Act as primary security liaison for Procurement, Legal, IT, and Business Units.

• Provide clear guidance on third-party security expectations.

• Drive a security-enablement mindset across the organization.

• Present risk updates to senior leadership and governance forums.

Required Skills:

• 12+ years of experience in information security, risk management, GRC, or third-party risk management.

• Proven experience leading or owning a Third-Party Risk Management program in a complex, global organization.

• Strong understanding of ISO 27001,NIS2, SIG, and vendor risk frameworks.

• Proven experience assessing SaaS, cloud, and technology vendors.

• Experience partnering with Legal and Procurement teams.

• Experience maintaining risk registers and executive-level reporting.

• Strong stakeholder communication and presentation skills.

• Experience supporting audits and regulatory compliance activities.

Preferred Experience:

• Experience implementing or managing a TPRM platform/tool.

• Exposure to NIS2, revDSG, or other European regulatory frameworks.

• Experience in fintech, payments, SaaS, or high-growth digital environments.

• Certifications such as CISSP, CISM, CRISC, ISO 27001 Lead Implementer/Auditor.

• Experience aligning vendor risk programs with enterprise risk frameworks (NIST, CIS).

Why Join Arrive?

• Work on global-scale payment systems impacting millions of users.

• Be part of a growing India engineering team with strong ownership.

• Collaborate with diverse, international teams.

• Opportunity to influence architecture, strategy and team growth.

• Build technology that directly improves urban mobility and sustainability.