Fourth-party risk is daunting – make it manageable in three steps

Jill M. Czerwinski
How to handle fourth party risk

As the financial services industry grows more interconnected, complex, and specialized, it’s increasingly common for your third-party vendors to rely on their own set of subcontractors. These fourth parties might add value to your vendor relationships, but they also add risk. If you’re a risk management professional, you’ve probably heard or read about fourth-party risk – every year, it becomes a topic of greater concern and focus for risk leaders.

But even if you want to address fourth-party risk, it can be extremely difficult to know where to start. Fourth parties are rarely under contract, so your organization has no right to assess or even inquire with these parties directly. Your third-party vendors can change their vendors or subcontractors without notice, so keeping a complete inventory of your fourth parties might be impossible.

And finally, there’s the problem of sheer numbers. Most banks and credit unions have a big and ever-growing list of vendors. If you work with hundreds of vendors and each of those vendors has hundreds of vendors, then your extended enterprise can stretch into the millions of companies, even with consideration for overlap.

The fourth-party vendors you don’t know about might be the ones who present the most risk.

Fourth-party vendors

Fourth parties don’t have the same degree of contact with your business as third-party vendors, which makes them easy to overlook. However, that lack of familiarity also creates additional risk. Most likely, you don’t have any contact with your fourth-party vendors on a day-to-day basis, and you might not have examined their policies, procedures, and business practices. In some cases, you might not even know who your fourth-party vendors are.

Especially when it comes to your most critical vendors, fourth-party relationships can expose you to reputational and cybersecurity risk. Operational risk is a concern, too: If you rely heavily on a third-party vendor for your day-to-day operations and that vendor relies on a critical subcontractor, what happens when that subcontractor experiences a disaster or interruption in service? In that case, the dominos can begin to fall: The subcontractor’s disaster knocks your third party offline – and depending on the vendor, that interruption could bring entire areas of your business to a standstill.

Managing fourth-party risk depends on having the right third-party processes in place.

The most effective way to manage fourth-party risk is to build a mature, comprehensive third-party risk management (TPRM) program. If you have the right TPRM practices and processes in place, then incorporating fourth parties into those processes should feel manageable and mostly seamless.

On the other hand, if you haven’t fully defined and developed your approach to third-party risk, you’ll find it difficult if not impossible to “skip ahead” and start tackling fourth-party risk.

By targeting your efforts, you can manage fourth-party risk without feeling overwhelmed.

Manage fourth-party risk without feeling overwhelmed

There are three critical steps you can take that will go a long way toward protecting your organization from unacceptable levels of fourth-party risk.

1. Set a foundation through vendor contracting and initial due diligence.

The foundation of fourth-party management should be the contract. Whenever you sign a vendor contract, you should understand the involvement of key fourth parties in the delivery of that contract, especially fourth parties that will store or process sensitive information or have direct contact with customers. Your contract template should include clauses that require your vendor to notify you if they materially change these fourth-party relationships.

To further mitigate risk, consider language that compels your vendors to oversee fourth parties and make sure those parties comply with your vendor contract and any stipulations or requirements. When you perform initial due diligence for new third parties, make sure you feel comfortable with the third party and any material fourth parties that provide support.

2. Assess your vendors’ third-party risk programs.

You have so many fourth-party relationships that you could never assess them all directly. Instead, you should rely on your third parties to oversee their vendors appropriately.

Before you can feel confident in your vendors’ TPRM activities, you’ll need to examine their programs and make sure they’re performing due diligence on their own vendor relationships. If your vendor can prove that their TPRM program meets your expectations and adequately addresses risk, you can feel much more confident that fourth-party risk is under control. It also helps to validate that vendors not only define a policy for TPRM but actually have assessed the fourth parties important to you.

3. Only inventory key fourth parties.

Not every fourth party presents equal risk, and you don’t need to name every fourth party in your inventory of vendor relationships. However, your inventory should include a short list of high-risk, mission-critical fourth parties. These critical fourth-party relationships should come to light when you perform your initial due diligence on vendor, with a focus on fourth parties that will store and process data and contact customers.

For example, if you’re entering into a vendor relationship with a development firm that relies on a subcontractor for 80% of its work, then you might want to insert a clause into your contract giving you the contractual right to assess the subcontractor directly. This type of direct oversight should be limited and targeted, but the addition of these critical fourth parties to your inventory can help greatly with your overall risk management effort. You might also want to add these fourth parties to monitoring platforms like SecurityScorecard so you can receive alerts in the event of a breach.

This is the year to tackle fourth-party risk in earnest.

Tackle fourth-party risk in earnest

Fourth-party risk is rising to the top of many financial institutions’ 2021 plans, and for good reason. Any of the risks you typically would look for when dealing with third-party risk – reputational, operational, financial –also can extend to your fourth parties.

When you can’t do everything you want in terms of assessing fourth parties, you can focus your efforts on creating contracts with the right provisions, checking for strong TPRM programs among your vendors, and selecting critical fourth parties for direct oversight. By focusing on these three areas, you can make a big impact with moderate effort.

Let's connect

Crowe employs a global team of hundreds of specialists who devote their time and energy to third-party risk management. If you have questions or concerns about your third-party risk program, get in touch. We can apply our deep financial services industry knowledge and extensive TPRM expertise to assess your program and build a road map for improvement.

Contact us

Jill Czerwinski
Jill M. Czerwinski
Principal, Third-Party Risk Leader
Kassi Wilson