What is Fourth Party Risk and How to Manage it

July 2021

As we’ve seen in recent events such as the SolarWinds hack, third-party risk poses a serious threat to business continuity. What the incident also demonstrated is that fourth-party risk, or the risk posed by a contracted vendor’s third parties, can equally threaten data security and operations. Your organization may have integrated a robust third-party risk management program (TPRM) – but what if keeping an eye on your third parties alone isn’t enough? 

Fourth-party vendors are typically overlooked in a traditional third-party risk management program, making the risk they pose invisible to the organization. A recent podcast from ProcessUnity and Crowe discussed why organizations are placing increasing importance on this type of vendor risk: as the vendor population grows, so does the potential for fourth-party risk, creating exponential opportunities for business disruption that need to be addressed.

Identifying Risk in Fourth-Party Vendors

You may wonder how fourth-party vendors can pose a threat to your organization without a contractual relationship. However, an organization’s third parties can be used as a back door to access customer data or breach the organization’s network. Attackers need only one back door to access an integrated network and jumpstart a cascading disruption throughout the supply chain.  

Third-party risk management professionals can begin to mitigate risk throughout the extended enterprise by building fourth-party controls into the core of their TPRM program. 

Fourth-party risk management begins with a comprehensive third-party risk management system. During vendor onboarding, pre-contract due diligence should scope a vendor’s own third-party risk management processes. Transparency around a potential third party’s key vendors should be established so that fourth parties can be holistically understood from the start.

SecurityScorecard outlined three key items to understand about your fourth-party vendors:

  • Who they are.
  • What services or products they provide to your vendor that make them significant to operations.
  • What cybersecurity due diligence your service provider has performed on these vendors.

Ongoing review of subcontractors should be an integral part of any intelligent vendor assessment, particularly where the subcontracted services are critical. Overall, an organization’s risk is vastly reduced when its vendors also practice proper risk management.

Focus on Critical Vendors

According to a Ponemon study, companies share confidential and sensitive information with an average of 583 third parties. If each of these third parties has 583 vendors themselves, managing all the possible avenues for risk can seem impossible. 

Fortunately, you don’t have to focus equal attention on your vendor population. Consider potential fourth-party risk as a factor during vendor classification to determine the most critical vendors. Leverage inherent risk scoring during vendor onboarding to classify which third and fourth parties to focus resources on. Ranking vendors by risk criticality with fourth-party risk in mind will help your organization sort through the noise and prepare for issues as they arise.

Using Vendor Risk Management Centralization to Address Fourth-Party Risk 

Fourth-party risk can directly impact the organization’s brand and reputation within the market, making fourth-party risk the organization’s risk. Organizations can automate their vendor management processes to address a broad web of risks throughout their fourth parties. Leveraging a centralized technology platform is essential to govern third and fourth parties with cross-functional integration between departments. 

ProcessUnity Vendor Risk Management offers the agility and efficiency to adequately mitigate disruption throughout the extended enterprise – including even the most distant fourth parties.


About Us

ProcessUnity is a leading provider of cloud-based applications for risk and compliance management. The company’s software as a service (SaaS) platform gives organizations the control to assess, measure, and mitigate risk and to ensure the optimal performance of key business processes. ProcessUnity’s flagship solution, ProcessUnity Vendor Risk Management, protects companies and their brands by reducing risks from third-party vendors and suppliers. ProcessUnity helps customers effectively and efficiently assess and monitor both new and existing vendors – from initial due diligence and onboarding through termination. Headquartered outside of Boston, Massachusetts, ProcessUnity is used by the world’s leading financial service firms and commercial enterprises. For more information, visit www.processunity.com.