Third Party Risk Analyst

As part of Team Amex, you will experience our powerful backing with comprehensive support for your holistic well-being and many opportunities to learn new skills, develop as a leader, and grow your career. Here, your voice and ideas matter, your work makes an impact, and together, you will help us define the future of American Express.

International Card Services (ICS) Governance & Control is responsible for supporting our international Issuing businesses across 28+ international markets excluding the USA. Colleagues operate across a variety of geographies and disciplines ensuring a robust ICS first line of defence, and in playing an active role in supporting the ICS Business and our International Legal Entities meet its growth objectives whilst demonstrating an effective control framework.

The organization partners closely with Third Party Lifecycle Management (TLM), Technology Risk and Information Security, Control Management, Risk Pillar owners, and Business stakeholders to ensure robust risk management across our third-party ecosystem.

How will you make an impact in this role? The Third Party Risk Analyst will report to the Third Party Information Security Manager and will play a key role in supporting effective third-party risk management across ICS. This role will primarily focus on Third-Party Information Security risk assessments, control evaluation, and advisory support to ICS business stakeholders. The Analyst will help ensure that third parties meet American Express Information Security standards, application lifecycle management requirements, and Third Party Lifecycle Management (TLM) expectations.

In addition, this role is designed to be flexible and may support broader Third Party Risk Management activities beyond Information Security, including due diligence reviews, reporting, issue follow-up, governance activities, and other third-party risk initiatives based on business priorities.

• Support Third-Party Information Security risk assessments, ensuring identified control gaps are clearly documented, risk-assessed, and tracked through remediation to closure.
• Partner with business stakeholders to collect required evidence and provide practical guidance on compensating controls and risk mitigation strategies where applicable.
• Partner with Technology teams, Third Party Relationship Managers, and business stakeholders to drive compliance of application lifecycle management across third-party supported applications.
• Provide clear, practical, and risk-based guidance to business stakeholders on information security, technology governance, and third-party risk requirements, translating technical risks into business-impact terms and identifying alternative or compensating controls where appropriate.
• Support preparation of third-party risk reporting, dashboards, and leadership updates, leveraging data analysis and visual storytelling to highlight key risk themes, trends, and emerging issues.
• Raise awareness and educate stakeholders on third-party information security expectations, and technology risk management practices.
• Identify opportunities to strengthen internal controls, enhance compliance posture, and improve the overall third-party risk management and governance framework.
• Support regional or market-specific third-party risk activities, including regulatory, outsourcing, or compliance-related requirements where applicable.
• Contribute to broader Third-Party Risk Management activities as needed, including due diligence reviews, ongoing monitoring, governance support, regulatory & audit response coordination, reporting, and ad-hoc risk initiatives in line with business priorities.

Demonstrated understanding of Third-Party Risk Management, Information Security fundamentals, and technology risk principles. Relevant experience in Information Security, Technology Risk, Third-Party Risk Management, Operational Risk, or related disciplines, including support of risk assessments, control reviews, or vendor due diligence activities. Strong analytical skills with the ability to assess control design and effectiveness, identify gaps, and interpret risk data from multiple sources. Ability to exercise sound judgment, constructively challenge where appropriate, and maintain effective stakeholder relationships. Excellent verbal and written communication skills, with the ability to translate technical security and lifecycle management concepts into clear, business-focused language. Experience preparing senior management reports, dashboards, and presentations using data-driven insights. Strong proficiency in Microsoft Excel (data analysis), PowerPoint (executive-ready presentations), and Word (structured documentation).

Foundational knowledge across multiple Information Security domains (e.g., network security, data protection, identity and access management, secure development, cloud security), with an understanding of Third-Party Security Risk Management principles. Familiarity with industry-recognized security frameworks and standards such as ISO 27001, PCI DSS, NIST, or comparable regulatory and control frameworks. Relevant professional certifications (or actively working toward certification), such as CISA, CISM, CRISC, Security+, or similar risk and security credentials are a plus. Experience supporting third-party due diligence, vendor risk assessments, or technology risk reviews, preferably within financial services or other regulated industries. Exposure to international markets and multi-jurisdictional regulatory environments, with the ability to interpret and apply security and outsourcing requirements in a practical business context.

Employment eligibility to work with American Express in the UK is required as the company will not pursue visa sponsorship for these positions.

At American Express, our culture is built on a 175-year history of innovation, shared values and Leadership Behaviors, and an unwavering commitment to back our customers, communities, and colleagues. From delivering differentiated products to providing world-class customer service, we operate with a strong risk mindset, ensuring we continue to uphold our brand promise of trust, security, and service.

• Competitive base salaries
• Bonus incentives
• Support for financial well-being and retirement
• Comprehensive medical, dental, vision, life insurance, and disability benefits (depending on location)
• Flexible working model with hybrid, onsite or virtual arrangements depending on role and business need
• Generous paid parental leave policies (depending on your location)
• Free access to global on-site wellness centers staffed with nurses and doctors (depending on location)
• Free and confidential counseling support through our Healthy Minds program
• Career development and training opportunities