Software

Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Overview
Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit


Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

VX LP Sequence USE FOR CORPORATE SITE-thumb
Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.

CREATE FREE ACCOUNT

Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 

Industries

Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

1.7.2020-what-is-a-third-party-risk-assessment-FEATURED
Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.

DOWNLOAD SAMPLES

About

Venminder is an industry recognized leader of third-party risk management solutions. 

Our Customers

Over 800 organizations use Venminder today to proactively manage and mitigate vendor risks.

Get Engaged

We provide lots of ways for you to stay up-to-date on the latest best practices and trends.

Gartner 2020
Venminder received high scores in the Gartner Critical Capabilities for IT Vendor Risk Management Tools 2020 Report

READ REPORT

Resources

Trends, best practices and insights to keep you current in your knowledge of third-party risk.

Webinars

Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

 

Community

Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.

Subscribe

 

Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

Join the thousands of risk and compliance professionals who subscribe to Venminder

Fourth Party Oversight and How to Organize the Effort

4 min read
Featured Image

Institutions have a lot to consider when assessing third party risk, but if vendor risk management hasn’t followed the process of understanding the inner workings of their third party vendors, they may be in for a surprise to learn that their third parties operate in a similar function to themselves in the sense they too also use third party vendors.

These additional vendors in turn become the financial institution's fourth party vendors. The best way to think about this is that your process is made up of links and the more participants to the service you’ve outsourced opens your organization up to additional layers of risk.

There are many examples of fourth party vendors and all vary in terms of criticality and risk that they present to you. The level of oversight will vary depending on the criticality, but foundational best practices will help in addressing your initial risk assessment of these fourth parties and identify what types of risk they could present to you. 

Fourth Party Vendor Oversight Examples

Consider the following company types:

  1. Appraisal Management Firms - This is your direct third party vendor, the Appraisal  Management Firm (AMC) leverages networks of individual fee appraisers. Your traditional oversight on the AMC is just the tip of the iceberg. Keep in mind that a regulator would not expect you to perform additional oversight on 10,000 appraisers who are registered with a AMC. They would expect that you understand the oversight and approval of this vendor type at the AMC operational level.
  2. Cleaning Companies - Depending on the organization, sub-contractor temporary employees are used and have direct physical access to your company. Do you operate a paperless environment? Are your shred bins always locked? How well do you know “Joe the friendly cleaner”? Why was Joe’s friend filling in for him; due to sickness? Why is the new guy using Joes’ badge to access the office?

The above examples are clear but with the increased use of technology in financial services companies, there is great demand on IT outsourcing and firms do leverage sub-contractors to fulfill many of the outsourced vendor risk management services.

Consideration must be given to the amount of access that any third party and fourth party vendor will be granted as part of the outsourcing agreement. There is overwhelming evidence that many data breaches are caused by third and fourth party vendors and the level of mistrust regarding data breach notification increases significantly between client and the fourth party.

The Biggest Issue with Fourth Parties

Out of sight, out of mind. Since the institution does not have a direct contract with a fourth party, the thought of risk and liability have the tendency to be overlooked and this offers the potential to be the weak link in many third party risk management programs.

Surely, our third party is responsible for their own contractors, right?  It’s a great question but considering the limited rep and warranty relief which vendors provide institutions, they are unlikely to be able to protect you from the fall out should something go wrong. We’re a big proponent of knowing your vendor and in light of the importance of fourth party oversight, the internal vendor management team must drill down into more detail with their existing and potential new third party vendors.

How Do You Organize the Oversight?

This is a common question for the vendor manager who has realized there's a gap in their policy and program. The best approach is to:

  1. Review your existing vendor list. 
  2. In your pre-contract due diligence of assessment questionnaires include that the third party provide their vendor partnerships along with clarification if these newly identified vendors will be interacting with your consumers or accessing your primary technology systems.
  3. Ask for your third party’s own vendor management policy along with control evidence. Does your direct vendor perform a sufficient, or any, level of oversight? If the response is No, then this should be cause for concern. It’s a great catch at the pre-contract stage because you may have dodged a lightening bolt! However, if the same answer is for an existing vendor relationship and you didn’t know that fourth parties were being leveraged for the outsourced service, you have some work to do. This really points back to where strong contractual language and ensuring that you have assessed, scoped and set expectations with the potential new vendor is a priority.

Items to Request on Your Fourth Party Subcontractor Vendor

  • Resume - Are they qualified to perform this function?
  • Licensing - If required to perform this specific function
  • References  - Make sure to call them!
  • Insurance Information - The certificate of insurance should be on file
  • OFAC check - A department of the U.S. Treasury that enforces economic and trade sanctions against countries and groups of individuals involved in terrorism, narcotics and other disreputable activities
  • User Access Logs - Noting IP address capture and time stamps around when the subcontractor was accessing your network
  • Any Risk-Based Assessment and Control Data - These are the documents showing that your third party vendor has performed this on the fourth party. If the information cannot be shared due to confidentiality, then request an attestation that the third party has conducted a level of oversight and review on the worthiness of the sub-contractor.

While this list isn’t exhaustive, it does provide a framework which you can include in your policy and program and be specifically geared towards fourth party oversight. The key point to remember as you further develop your fourth party oversight practices is that you need to scale the oversight requirements relevant to the level of criticality of the vendor and the type of data access they will be working with meaning critical and non-critical to the operations. There are many different types of fourth party vendors and each will offer a different type of risk which you need to be aware of and mitigate.

Want to know how to conduct vendor oversight on your other third and fourth party vendors? Download our infographic to learn how.

Vendor Management Oversight and Ongoing Monitoring

Subscribe to Venminder

Get expert insights straight to your inbox.

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo