Fourth-party risk is daunting – make it manageable in three steps

Jill M. Czerwinski
3/15/2021
How to handle fourth-party risk

As the financial services industry grows more interconnected, complex, and specialized, it’s increasingly common for your third-party vendors to rely on their own set of subcontractors. These fourth parties might add value to your vendor relationships, but they also add risk. If you’re a risk management professional, you’ve probably heard or read about fourth-party risk – every year, it becomes a topic of greater concern and focus for risk leaders.

But even if you want to address fourth-party risk, it can be extremely difficult to know where to start. Fourth parties are rarely under contract, so your organization has no right to assess or even inquire with these parties directly. Your third-party vendors can change their vendors or subcontractors without notice, so keeping a complete inventory of your fourth parties might be impossible.

And finally, there’s the problem of sheer numbers. Most banks and credit unions have a big and ever-growing list of vendors. If you work with hundreds of vendors and each of those vendors has hundreds of vendors, then your extended enterprise can stretch into the millions of companies, even with consideration for overlap.

The fourth-party vendors you don’t know about might be the ones who present the most risk.

Fourth-party vendors

Fourth parties don’t have the same degree of contact with your business as third-party vendors, which makes them easy to overlook. However, that lack of familiarity also creates additional risk. Most likely, you don’t have any contact with your fourth-party vendors on a day-to-day basis, and you might not have examined their policies, procedures, and business practices. In some cases, you might not even know who your fourth-party vendors are.

Especially when it comes to your most critical vendors, fourth-party relationships can expose you to reputational and cybersecurity risk. Operational risk is a concern, too: If you rely heavily on a third-party vendor for your day-to-day operations and that vendor relies on a critical subcontractor, what happens when that subcontractor experiences a disaster or interruption in service? In that case, the dominos can begin to fall: The subcontractor’s disaster knocks your third party offline – and depending on the vendor, that interruption could bring entire areas of your business to a standstill.

Managing fourth-party risk depends on having the right third-party processes in place.

The most effective way to manage fourth-party risk is to build a mature, comprehensive third-party risk management (TPRM) program. If you have the right TPRM practices and processes in place, then incorporating fourth parties into those processes should feel manageable and mostly seamless.

On the other hand, if you haven’t fully defined and developed your approach to third-party risk, you’ll find it difficult if not impossible to “skip ahead” and start tackling fourth-party risk.

By targeting your efforts, you can manage fourth-party risk without feeling overwhelmed.

Manage fourth-party risk without feeling overwhelmed

There are three critical steps you can take that will go a long way toward protecting your organization from unacceptable levels of fourth-party risk.

1. Set a foundation through vendor contracting and initial due diligence.

The foundation of fourth-party management should be the contract. Whenever you sign a vendor contract, you should understand the involvement of key fourth parties in the delivery of that contract, especially fourth parties that will store or process sensitive information or have direct contact with customers. Your contract template should include clauses that require your vendor to notify you if they materially change these fourth-party relationships.

To further mitigate risk, consider language that compels your vendors to oversee fourth parties and make sure those parties comply with your vendor contract and any stipulations or requirements. When you perform initial due diligence for new third parties, make sure you feel comfortable with the third party and any material fourth parties that provide support.

2. Assess your vendors’ third-party risk programs.

You have so many fourth-party relationships that you could never assess them all directly. Instead, you should rely on your third parties to oversee their vendors appropriately.

Before you can feel confident in your vendors’ TPRM activities, you’ll need to examine their programs and make sure they’re performing due diligence on their own vendor relationships. If your vendor can prove that their TPRM program meets your expectations and adequately addresses risk, you can feel much more confident that fourth-party risk is under control. It also helps to validate that vendors not only define a policy for TPRM but actually have assessed the fourth parties important to you.

3. Only inventory key fourth parties.

Not every fourth party presents equal risk, and you don’t need to name every fourth party in your inventory of vendor relationships. However, your inventory should include a short list of high-risk, mission-critical fourth parties. These critical fourth-party relationships should come to light when you perform your initial due diligence on a vendor, with a focus on fourth parties that will store and process data and contact customers.

For example, if you’re entering into a vendor relationship with a development firm that relies on a subcontractor for 80% of its work, then you might want to insert a clause into your contract giving you the contractual right to assess the subcontractor directly. This type of direct oversight should be limited and targeted, but the addition of these critical fourth parties to your inventory can help greatly with your overall risk management effort. You might also want to add these fourth parties to monitoring platforms like SecurityScorecard so you can receive alerts in the event of a breach.

This is the year to tackle fourth-party risk in earnest.

Tackle fourth-party risk in earnest

Fourth-party risk is rising to the top of many financial institutions’ 2021 plans, and for good reason. Any of the risks you typically would look for when dealing with third-party risk – reputational, operational, financial – also can extend to your fourth parties.

When you can’t do everything you want in terms of assessing fourth parties, you can focus your efforts on creating contracts with the right provisions, checking for strong TPRM programs among your vendors, and selecting critical fourth parties for direct oversight. By focusing on these three areas, you can make a big impact with moderate effort.

Let's connect

Crowe employs a global team of hundreds of specialists who devote their time and energy to third-party risk management. If you have questions or concerns about your third-party risk program, get in touch. We can apply our deep financial services industry knowledge and extensive TPRM expertise to assess your program and build a road map for improvement.

Jill M. Czerwinski
Principal, Financial Services Consulting