So you have assessed your third-parties and established a third-party risk management (TPRM) program for continuous monitoring, along with a mitigation plan. Good job! But what about the risk posed by your vendors’ third-parties? It’s time to start thinking about fourth-party risk.
Once your TPRM strategy starts to grow and scale, you will need greater visibility into the risk landscape, and that includes discovering unknown subcontractor relationships. How can you be sure your program extends far enough? Just consider the following aspects.
1. What is fourth-party risk?
It’s the risk posed by your suppliers’ suppliers. Fourth-parties can be anything from financial consultants to business planners working with your third-parties.
This extended ecosystem is a complex and ever-growing web of interconnected business relationships. Without a clear understanding of it, outages, disruptions, and cyber attacks could compromise your organization.
2. Why is fourth-party risk important for your strategy?
Modern business is fast-paced and the supply chain is rapidly growing. By managing the risk of the extended ecosystem, you can expand your visibility to achieve a new level of risk awareness and reduction.
Mapping your third-parties to their service providers enables you to:
- Understand your concentrated risk. For example, what happens if a key sub-contractor goes down and which of your third-parties would be impacted?
- Develop controls and standards for assessing third-party use of significant providers
3. How can you address fourth-party risk?
Fourth-party risk management should be a collaborative effort based on a strong relationship with your third-parties. By monitoring their service providers in tandem, you’re not only improving your own TPRM strategy but also your third-party’s strategy.
Technology can definitely help: our ThirdPartyTrust platform allows you to make a requirement for your third-parties to add their third-parties, and uses that data to build a connections map to show you who’s connected to who. You can also build a subset of questions around how your third-parties are assessing their third-parties’ security posture. You want to make sure your business partners are performing proper due diligence on their partners as well. So it might be worth asking, what are they doing to mitigate any risk that could potentially affect you?
This doesn’t mean you need to perform assessments or continuous monitoring on all of your third-party’s sub-contractors. It means you need to be aware of who are the most risk-critical parties in your supply chain – be they third, fourth, or fifth-parties. To that end, follow these best practices:
- Identify your most critical third-parties (you probably have this information ready from when you built your TPRM strategy).
- Ask them who their third-parties are as well and what type of relationship and responsibilities do they have with each one of them.
- Identify the services your third-party’s contractors indirectly provide to you.
- Hold your third-party accountable: include language to protect you from fourth-party risk in your third-party relationship contracts.
- Have a strong contingency and Business Continuity Plan in place in case an incident does occur.
To learn more about how ThirdPartyTrust can help you manage fourth-party risk, request your demo now:
