For many Americans, this time of year has us thinking about BBQs, firework displays, and Fourth of July parties, but today, we’re going to talk about a different kind of party that relates to third-party risk management – fourth parties! A fourth party is essentially your vendor’s vendor, or an entity that works indirectly with your organization and therefore has no contract with you. Other terms for a fourth-party vendor include subservice provider or subcontractor.
It can get a little confusing when thinking about how your organization can manage fourth-party risk. How far do you need to go? Is fourth-party risk management something you need to consider? Can you just rely on your third-party vendors to monitor and manage your fourth parties?
Let’s answer all those questions and more so you can feel confident in your vendor environment.
How to Build a Framework for Fourth-Party Risk Management
The extent to which you manage fourth-party risk will be more limited than your usual third-party risk management activities. Remember, your fourth parties don’t have any contractual obligations with your organization, so you probably aren’t going to have access to as much information.
However, there are still steps you can take to ensure that your organization is mitigating and managing fourth-party risk:
- Identify your critical fourth parties. Begin the process by figuring out which fourth parties should be in scope for your framework. Some of your fourth parties will pose very minor risk, so it’s best to focus on your critical fourth parties. These are, by extension, your critical vendors’ third parties. Fortunately, the SSAE 18 standard makes this step a little easier by requiring your third-party vendors to identify their subcontractors (subservice organizations) in their SOC reports.
- Prepare for due diligence. Once you’ve identified your critical fourth parties, prepare a list of due diligence questions that you can ask your third parties. Depending on the fourth party, you may need to ask for details about business continuity and disaster recovery plans, SOC reports, cybersecurity, and finances. Overall, you want to make sure that a subject matter expert has verified that the fourth party meets the same standards as your third-party vendor. You should also ask your vendor about their own due diligence practices and ask to see samples of their work, so you can confirm that their oversight of subcontractors meets your standards.
- Write requirements into the contract. Managing fourth-party risk will be a lot more effective when relevant clauses are included in your vendor contract. This might include terms and conditions about how your third-party vendor manages its subcontractors through risk-based due diligence and ongoing monitoring. Also, consider clauses that give your organization the right to audit your third party and its subcontractors, and assurance that non-disclosure agreements (NDAs) are extended to cover the subcontractors as well as your direct vendor.
3 Tips for Collaborating With Third-Party Vendors for Fourth-Party Requests
An effective fourth-party risk management framework will require a strong partnership with your third-party vendors. You probably won’t get far with your requests if you start making unrealistic demands about how your fourth parties should be managed.
Instead, consider these tips on how to collaborate better with your third-party vendors:
- Highlight the mutual benefits. Managing fourth-party risk should be seen as an activity that benefits both your organization and your third-party vendor. Many of the risks associated with the fourth party can likely impact your direct vendor as well, so approach the situation in a way that shows how both of you will benefit from your organization’s strict standards.
- Accept your limitations. Managing fourth-party risk can be especially challenging for those who like to take a hands-on approach to business activities. It’s important to accept that your organization won’t be directly involved in managing or monitoring your fourth parties, but will instead need to collaborate with your third-party vendors.
- Communicate your concerns. Your third-party vendors are more likely to obtain the information you’re requesting and address issues with your fourth parties if they understand your concerns and needs. For example, make sure to provide valid reasoning for why you’re requesting a fourth party’s SOC report. A valid reason could be that a fourth-party vendor has access to your organization’s data, so you’ll need to ensure that it’s secure with the fourth party.
Building a fourth-party risk management framework can seem intimidating, but remember that your primary focus should continue to be on your third parties. When your third-party risk management program is working effectively to your organization’s expectations, those practices will naturally extend to your fourth parties and beyond.