Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.


Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 


Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.



Trends, best practices and insights to keep you current in your knowledge of third-party risk.


Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars



Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.



Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

State of Third-Party Risk Management 2023!

Venminder's seventh annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.


What to Know About Fourth Party Vendor Risk

7 min read
Featured Image

Third party risk, fourth party risk, maybe even fifth party risk? There’s a lot of potential risk to know and understand. In this blog, we thought it’d be helpful to focus on one that seems to be increasingly important to regulators – fourth party risk 

So, what do you need to know? Let’s break down the basics: 

What is a fourth party? 

A fourth party is your vendor’s vendor. It’s a vendor that your organization doesn’t have a direct contract with but your vendor (third party) does.  

When should you require due diligence on a fourth party? 

If the fourth party vendor is providing a critical product or service to your third party vendor, then it’s time to dig further. This means if they have access to your customer’s information or your organization’s confidential data.  

What steps can you take to evaluate the fourth party risk?  

Take these 3 steps: 

  1. If you can, require that your third party contractually commits to notifying you prior to contracting with a fourth party vendor.  

  2. Review your fourth party’s SSAE 18 report to identify fourth party vendors. As of May 2017, your third parties should now be disclosing any of their significant fourth party providers. You should ask your third party vendor to provide you with the due diligence you require. 

  3. Likely, you won’t have a direct contractual relationship with the fourth party vendor. Any contractual relationship will be with your third party vendor.  You will have to request that your third party assist you with obtaining any documentation you need to perform your due diligence on your fourth party. If your third party vendors want to maintain a positive partnership with your organization then they should be more than willing to help.  

What if you find out that the fourth party presents risk to your organization?  

All fourth parties present some level of risk to your organization. If you knew, before you signed the contract with your third party, that a fourth party would be involved, the fourth party should be part of your original risk assessment. If the fourth party is new to the relationship, between you and your third party vendor, you will have to will have to reassess the risk associated with the additional player. 

If the fourth party has access to your infrastructure, your data or your customer’s data, the risk can be significantly higher for your organization. The risk assessment you performed on your third party should be augmented to account for the fourth party. You will have to go through your due diligence process for the fourth party. 

If you discover that the fourth party does indeed present a significant risk to your organization, you should take the following steps: 

  1. Contact your third party and review your findings. You always want to make sure you completely understand the nature of the relationship between the third party and the fourth party.

  2. Next, once you have a complete picture of the risk a fourth party presents to your organization, you can begin to take steps to mitigate the risk. You need to know what additional steps, if any, you will have to take to mitigate the level of risk the fourth party poses to your organization. These steps may include going back to the original contract and amending some parts of the contract or creating a new contract all together. 


Examiners will expect your organization to have fourth party due diligence and documented findings on file. When a fourth party is involved, the risk should be analyzed as extensively as it would be when reviewing a third party. 

Monitoring a fourth party is a unique challenge and can be tricky. Download this infographic to help.



Subscribe to Venminder

Get expert insights straight to your inbox.

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo