July 10, 2023 | Risk Management
Businesses today deal with hundreds, if not thousands, of third-party vendors.
These vendors, in turn, work with their vendors, subcontractors, software providers and other third-party organizations. All these constitute a complex ecosystem of fourth parties that aren’t directly connected to the primary organization and yet pose tremendous risk.
While the term “fourth-party risk” is not commonly used in the industry, it refers to potential risks that can arise from external parties beyond direct suppliers and partners in the supply chain.
The extended network of interconnected business relationships poses several risks to your business. For example, your business is directly impacted when a third-party vendor ceases operations because of a security incident impacting one of their critical vendors.
Likewise, a fourth-party vendor may have access to business-sensitive data. A security breach can compromise the data and expose your business to operational and regulatory risk.
It is therefore vital for a business to identify and oversee fourth parties, especially those that work closely with your direct suppliers and support critical business operations.
Tracing and identifying fourth parties can be a challenging exercise. Your first-tier suppliers may not be willing to share information about their vendors.
Getting this information from your direct suppliers can be very difficult because of confidentiality agreements and for other competitive reasons, says Willy Shih, professor of management practice in business administration at Harvard Business School. “Oftentimes, a supplier may not want you to know who their suppliers are for fear of being disintermediated,” he explains in this white paper.
Another key challenge facing organizations is the absence of a direct commitment or contract with the fourth party, unlike a third party with whom the business has a legally binding agreement. This makes it even more difficult to oversee fourth-party entities.
A mature and comprehensive third-party risk management (TPRM) program is key to effectively managing fourth-party risks. Businesses that have the right TPRM practices and processes in place can easily incorporate fourth parties in the risk management program.
Before signing a contract with a vendor, a business must understand the involvement of key fourth parties. While it may not be feasible to identify every fourth party, it is advisable to identify those that play a key role in your primary supplier’s operations, since these fourth parties may have access to business data or direct contact with customers.
To overcome supplier reluctance about sharing vendor information, businesses must state their requirements upfront during the bidding process. Ask suppliers to share the names of their vendors in the request for proposal. Ensure that suppliers perform due diligence on and have a contract with their vendors. Also include a clause that requires your supplier to notify you of any change in its fourth-party relationships.
A business can ask for a service organization controls (SOC) report from third-party vendors. This report provides detailed information about the controls and processes implemented by a service organization. It helps a business assess risks associated with engaging the service provider. It also helps identify gaps that can affect security and compliance.
Auditing standards such as the Statement on Standards for Attestation Engagements No. 18 (SSAE 18) have made it mandatory for a third-party vendor to report on its own vendors and check that these vendors have effective controls in place.
Such an audit can provide valuable information about risks associated with a fourth party’s systems and processes. It can also help a business make informed decisions about engaging with and mitigating risks associated with fourth parties.
However, as SSAE 18 audits focus on controls related to financial reporting, they may not cover all aspects of fourth-party risk management.
To effectively manage fourth-party risks, a business should adopt a broader risk management framework that includes a detailed assessment of the vendor’s operations, security practices, data protection, business continuity plans and other factors beyond financial controls.