Contrary to the name, there’s more to third-party risk management (TPRM) than just third parties – it also includes fourth-party risk management. A fourth-party vendor is one with which your third-party vendor has a direct relationship and you do not.
Similar to how your organization outsources work to third parties, your third party may utilize their vendors to assist in delivering the product or service they’re providing to your organization, making those entities your fourth-party vendors. The vendors of your fourth parties (fifth, sixth and so on) are known as nth parties.
Many organizations understand the need to manage fourth and nth parties, but when it comes to your organization's critical vendors, it’s essential that you are aware of and can monitor extended relationships that are material for delivering the specific critical product or service. Because your organization doesn't have a direct relationship, effectively monitoring your critical fourth parties can be tricky without planning and consistent efforts.
Vendor Due Diligence Considerations and Suggestions
Remember that due diligence should never be treated as a check-the-box activity that’s identical for every vendor. Nor should it only be performed during the initial stage of the vendor engagement.
Below are some considerations and suggestions for handling critical fourth and nth-party relationships:
- Validate your critical third-party vendor’s TPRM practices by reviewing their policy and program. Make sure they address the following:
- Risk assessment and criticality
- Risk-based due diligence
- Contract management
- Ongoing risk and performance monitoring
- Periodic risk reviews
- Safe and sound vendor terminations and exit
- In particular, you should confirm that your critical third-party vendor has sufficient due diligence practices on their own critical third parties (your fourth parties), including:
- The review of business continuity plans and test results
- The review and assessment of vendor’s SOC reports
- Verification that the vendor has appropriate and effective information security and privacy protection processes and protocols
- The review and assessment of vendor’s compliance policies and practices
- Evaluation of the vendor’s reputational risk (customer complaints, litigation, negative news)
- Confirmation that the vendor is not on any sanctions list
Vendor Contract Considerations
Since your organization does NOT have a contract with your fourth parties, it’s essential make sure that your third-party vendor contracts are well-written.
Consider the following measures for your vendor contracts:
- Utilize nondisclosure agreements (NDAs) that cover your fourth and nth parties
- Require your critical and high-risk vendors to ask permission in writing, before they outsource material functions or processes
- Specify if your vendor is allowed to use offshore fourth parties
- Require your vendor to disclose existing third-party relationships essential for providing products and services to your organization
- Include service level agreements (SLAs) specific to third-party risk management practices and deliverables
- Stipulate fourth and Nth party breach notification requirements
- Include a right to audit clause
Ongoing Monitoring Best Practices
When it comes to critical fourth parties, your organization must depend on your vendors to manage and monitor those relationships. However, that doesn't mean your organization is off the hook. In the end, a data breach or too many customer complaints from a fourth party can still negatively affect your operations, reputation or revenue and result in regulatory actions or fines.
Here are some considerations and suggestions for keeping an eye on those critical fourth parties:
- Incorporate critical fourth-party performance and risk monitoring into your regular third-party business discussions and performance reviews:
- Require your critical third party to report on fourth-party risk monitoring and performance
- Review any open fourth party issues, remediation plans and timing in regular business discussions with your critical vendor
- Review critical fourth party contract renewal or termination dates
- Consider adding critical fourth parties to your risk alert and monitoring services
- Utilize online news feeds (such as Google News alerts) to watch for negative fourth-party news
- Audit fourth-party monitoring and management as part of your critical vendor's regular risk reviews
When it comes to monitoring critical fourth and nth parties, there are some practical limitations. The best course of action is to hold your critical third parties accountable for those relationships without blindly trusting that your standards are being me. Don’t be afraid to set explicit expectations with your critical vendors and check their work from time to time.
Remember, effective and successful third-party risk management doesn’t stop with your third party, especially when that third party is considered critical to your organization.