Third Party Risk Management (TPRM) as a business function contains many moving parts – touching everything from procurement to contracting to offboarding/termination (and everything in between). There is a component of third-party risk management that is often overlooked, and that’s the concept of fourth party risk. Who are your vendor’s vendors, and what risk might they pose to your organization?
Managing your organization’s vendors from a risk, performance and compliance perspective can be a tough job in and of itself… So why bother going a level deeper and assessing your vendor’s vendors?
Evaluating fourth party risk is a good business practice. Your vendors (your third parties) may use vendors of their own (your fourth parties) to support the work they provide to your organization. The following examples help to demonstrate the concept of fourth party risk:
- Your organization shares confidential data with one of your vendors, and they in turn share it with one of their vendors. Can you trust your vendor’s vendor (fourth party) to protect your data? Do you even know who that fourth party vendor is?
- A vendor provides your organization with a software solution that directly supports one of your critical business functions. Without this software, your business could not operate. Does your vendor host their software on another vendor’s servers (your fourth party)? If something were to happen to that fourth party, your vendor may not be able to provide the software you depend on.
Fourth party risk is something that your organization can grow into and mature over time. Here are four tips for managing fourth party risk:
1. Create an Inventory
Before you can start managing fourth party risks, you need to identify who your fourth parties are. The best way to obtain this information is to ask your vendors directly. Have them tell you who they work with.
Be specific in what you are asking for, though. You don’t need them to provide you with a list of all of their vendors. What you really need is for them to tell you about vendors they use who have a role in delivering the product/service you are paying your third party for.
If you are looking for a good place to start, try beginning with your organization’s critical and high-risk vendors. Find out who they work with first, then work your way to vendors who are lower risk.
2. Don’t stop at just knowing who your 4th parties are
Knowing that your software provider uses Amazon Web Services (AWS) to host their software is great, but there are other (potentially more important) things you need to find out as well. Some additional detail you may want to ascertain could include:
- Will the fourth party have access to your data?
- Will the fourth party have access to your organization’s system and/or network?
- Will the fourth party have access to your building/offices?
3. Address concentration risk
As you begin to build out your inventory of fourth parties, you can use the information you collect to start evaluating concentration risk as well! While there are a few different types of concentration risk to be aware of (geographic, operational, etc.), fourth party concentration is certainly an area to pay attention to.
Fourth party concentration risk occurs when many of your third parties (especially your critical third parties) all rely on the same fourth party. If that fourth party experiences a significant/disruptive business event, your third parties who rely on that their party may not be able to provide the goods/services you need.
4. Ask how your vendors manage their vendors
Aside from asking your vendors to tell you which vendors they work with, you also should ask them about their own business practices for managing their vendors. In other words, what does their Third-Party Risk Management (TPRM) program look like? Here are some questions to consider:
- Does your vendor have a formal TPRM program?
- Ask your vendor to provide copies of their TPRM policies and procedures.
- Does your vendor review and update its TPRM policies at least annually?
- Does your vendor provide any type of TPRM training to its staff who engage with vendors?
The goal of this exercise is not to audit your vendor’s TPRM program and tell them to make improvements if you don’t agree with something. Rather, it’s to allow you to obtain a level of comfort with regard to how your vendor manages their own third-party risks.
You may also want to consider asking your vendors to provide evidence that they performed certain risk management activities (a “trust but verify” exercise). In addition to asking them for a copy of their TPRM policies and procedures, you could also ask them to provide a copy of a recent risk assessment and/or due diligence assessment they performed for one of their vendors.
As mentioned earlier, fourth party risk is not something that organizations with newer TPRM programs typically assess. However, it is certainly an area of risk you do not want to ignore. So, as your TPRM program matures over time, fourth party risk should be an area of focus for you to develop and/or improve.