How to Build a Fourth-Party Vendor Inventory

Podcast Transcript

Hi, this is Kelly Vick with Venminder.

In this podcast, you'll learn some tips on how to build a fourth-party vendor inventory. We’ll cover how to identify your organization's most important fourth parties and understand how they should be handled in your vendor risk management program.

Here at Venminder, our team of vendor risk management experts help organizations of all sizes and industries build, implement, and maintain vendor risk management programs every day.

Vendor risk management generally involves vendors directly providing products and services to your organization, but have you thought about those other businesses that are supporting your vendors? 

Your third parties' vendors, or subcontractors, are considered your fourth parties, and it's essential to identify them as they can expose your organization to risk. To adequately address fourth-party risk, you have to first identify them, so you know exactly where to focus your attention. 

However, you don’t need to identify every single fourth party. Instead, you'll want to identify the fourth parties that expose you to the most risk. Although you don't have a direct contract with these fourth parties, there are steps you can take to protect your organization. 

So, let’s cover three simple ways to identify your critical fourth-party vendors: 

1. First is to start with your critical vendors. A critical vendor is one that can have a serious impact on your organization or customers if they were to fail or suffer a prolonged outage. By identifying critical vendors, you’re one step closer to understanding who your critical fourth parties are.  
2. Second, request that your critical vendors disclose their third-party vendors or subcontractors who are essential in providing services and products to your organization. 
3.  And finally, a great method to discover high-risk fourth parties are through your third party's SOC 2 Type II report. As part of this report, your third party is required to disclose its "subservice organizations," which are essentially vendors that carry out processes or controls that are part of the third party's service delivery to customers. If necessary, enlist a qualified subject matter expert to assist in interpreting the SOC report.

Once you’ve identified your critical relationships, review the fourth parties of any high-risk relationship involved in accessing, processing, transmitting, or storing sensitive information or anything with material regulatory impacts, or any relationship with significant financial investments.

Now, let’s consider some information to include in your fourth-party inventory:

• First, you’ll want to include details on the third-party relationship and the product or service the fourth party is providing, and the physical location of the fourth party. This offers greater insight into the types of risk involved with the fourth party. 
•  Second, identify any concentration risk that might exist in your fourth-party inventory. Concentration risk might occur if you discover that any of your fourth parties are working with more than one of your third-party vendors. Consider the impact if a single fourth party were to shut down and impact several of your critical vendors. This would create significant operational disruptions for your organization, so it's essential to know where this risk occurs.

Now that you know how to build a fourth-party inventory, it's important to understand how to use the information to enhance your vendor risk management program. 

Two tips to keep in mind are:

1. One, remember to maintain your inventory as much as possible, so the data is useful and reportable. This should involve keeping third-party SOC reports current and obligating third parties to alert you or request your approval before making any changes to their subcontractors.
2. And secondly, it's important to make sure your third parties have established their own vendor risk management activities. Although you can't manage your fourth parties directly, you should obligate your third party to meet certain standards, such as performing regular due diligence, managing and resolving issues, and monitoring their vendors' performance.

Building a fourth-party inventory can be a challenging skill to master, but one that's important to protect your organization from an extensive risk landscape. Maintaining awareness and visibility into your vendor inventory will leave you better prepared to effectively manage third-party risk.

Thanks for tuning in; Catch you next time!