Fourth-party risk management is a hot topic these days. Regulators have stepped up their expectations for the identification and oversight of fourth parties, with an emphasis on those that are in your supply chain and are responsible for supporting critical operations and business functions within your organization.
In this post I’ll break down some of the key components of a fourth-party risk management function and give you some practical ways to both identify and manage your fourth parties.
Who Are 4th Parties?
Simply put, they are the downstream ‘vendors of your vendors’.
Your own vendors enlist the help of subcontractors, suppliers, software providers and other organizations to run their own business. In most cases, the work that these ‘fourth parties’ do poses little risk to you. However, things start to get interesting when those fourth parties play a vital role in the services that your third-party vendor provides to you. Here’s an example to illustrate:
- You hire Vendor A to handle all of your back-office accounting. In essence, you’ve outsourced your entire accounting function to them.
- In order to provide those services to you, Vendor A relies on:
  - Two subcontractors (not employees) to handle certain parts of your day-to-day accounting.
  - A software company that supplies the cloud-based accounting system they (and you) will be using.
  - An online bill payment company that is going to connect to your accounting system and process all of your electronic (ACH, wire and virtual card) and check payments.
So while your contract is with Vendor A, you are also relying on the performance of two subcontractors, a software company and a payment processing company to ensure that your accounting function is performed and that your confidential information is protected.
That’s a lot of risk tied up in one relationship. But not every fourth party is created equal.
Which fourth parties should you really care about?
At the end of the day, it’s all about risk.
Trying to track down all of your fourth (and fifth and sixth) parties is overwhelming. Frankly, it’s hard enough maintaining an effective program for your third parties. Adding 4th parties to the mix can take it to a whole new level unless you take a thoughtful, risk-based approach.
Since most organizations have either a very young vendor management program, or one that may be mature but likely under-resourced, I recommend focusing efforts in two places.
- First, always identify the key fourth parties of your mission-critical vendors. If these fourth parties go down, so do important parts of your operations. That can’t happen, so having clarity about who these fourth parties are is highly important.
- Second (and only after you’ve done #1 above), do a broader scan of your vendor portfolio to tease out any fourth parties that are common to multiple vendors. Amazon Web Services is a good example as many software companies host their applications on AWS. The concern here is not that a fourth-party failure would impact a critical area of operations, but rather the accumulation of small impacts across multiple business units may add up to something that becomes more than just a headache.
Since you don’t have a direct relationship with a fourth party, the best way to identify them is to have a solid process for surfacing them during procurement and due diligence. Transparency is critical; you want your vendors to readily share this information rather than hide it. The latter is a giant red flag and could create significant risk exposure for you.
Start the conversation early. If you go through a competitive bidding process, ask about fourth parties in your request for proposal (RFP). And of course, after you down-select to a finalist, you should have an entire set of due diligence questions around fourth parties. In addition to identifying the fourth parties your vendor will be using, some important questions you should be asking about each fourth party include:
- Do you have a current contract with them?
- Will they perform any part of their services offshore?
- Will they have access to (your) data?
- Will they be interacting directly with any (of your) clients, customers, members or employees?
- In the last 12 months, what type of due diligence have you performed on them? Were there any significant findings and, if so, what were they and how were they remediated?
These are just some of the questions you can consider asking. But the idea here is to get as much information as you feel you need to understand which fourth parties they are using, what they’ll be doing, what risks are present and how they are being managed.
Monitoring Fourth Party Risk
So now that you know who they are, what are you supposed to do?
In reality, fourth-party risk management is more challenging than managing risk with your third parties, mainly because you don’t have a direct contractual relationship. So the core of your monitoring is going to come from two places: your vendors and external monitoring solutions.
The focus with your vendors should be on understanding how they, themselves, are monitoring your fourth parties. This includes direct monitoring (i.e. what are they doing to monitor the fourth parties specific to you) and general vendor management (i.e. do they have their own vendor management program, and how effective is it). You can get at these questions through periodic performance reviews as well as through your annual risk and due diligence reassessments.
Another important (and very cost-effective) way to monitor fourth parties is to leverage data intelligence and monitoring solutions like Argos Risk (business health) or Bitsight (information security). These tools give you great visibility into fourth parties on an ongoing basis, providing data that you can’t or won’t get directly from your vendors.
Putting It All Together
An effective fourth-party risk management function isn’t a stand-alone program; rather, it is a critical component of your vendor management program. Your vendor management policy should identify fourth-party risk as a category of risk to manage, and your standard operating procedures should bake fourth-party assessments and monitoring into your standard process.
And remember: your approach should always be risk-based. Start with your riskiest fourth parties (generally those who support your critical vendors) and mature your activities from there. There will always be room for improvement.
Need Help with Fourth-Party Risk Management?
Our specialists can help you establish a practical, effective fourth party risk function. Contact us for a free consultation to explore how we can help.