6 minute read 5 Mar 2021

How to identify and evaluate your fourth parties to drive resiliency

Authors
Nicholas Kula

Americas Consulting Senior Manager, Business Consulting Third Party Risk Management, Ernst & Young LLP

Father of two. Travel and wine enthusiast. Enjoys golf and supporting Chicago sports teams.

Nick Toth

Senior Manager, Consulting, Ernst & Young LLP

Purpose enthusiast, third-party risk management advisor and proud father!

Pooja Sabnani, PMP

Americas Consulting Senior Manager, Business Consulting, Ernst & Young LLP

Leader focused on transforming business. Strives to build a better working world. Believes in the power of people, technology and innovation.

Jordan Serre

EY Americas Consulting Senior Manager, Ernst & Young LLP

Over 15 years of experience helping clients manage business and technology risk, enhance their control environment, and support regulatory demands.


Our survey shows how reimagining fourth-party risk management can drive resiliency amid accelerated change.

In brief:

  • While the outsourcing boom brings many benefits, it has also shifted risk management dynamics.
  • Third, fourth and so-called Nth parties comprise a complex ecosystem that must be navigated carefully.
  • Business leaders should employ data management strategies, revise contractual agreements and much more to stay ahead of the third-party risk management curve.

As reliance upon third parties grows, leaders face increasing pressure to understand their organizations’ critical external dependencies beyond third parties alone. Supplier resiliency, data security and privacy concerns are also prompting organizations to extend their tracking to fourth parties and even beyond — so-called “Nth” parties — for potential weaknesses or vulnerabilities (see Figure 1). While many organizations recognize the challenges and risks of outsourcing, most struggle with managing them, leaving a potential blind spot for risk. To that end, we recently surveyed over 200 global institutions with third-party risk management (TPRM) functions in various sectors. Our findings and several key insights are discussed below in detail.

[Figure 1: Third, fourth and Nth parties]

Understanding why fourth-party risk management is important 

A fourth party is an individual, company or other entity that provides goods or services directly to an organization’s third party. Fourth-party risks are similar to those that are typically managed throughout third-party relationships, but they must be considered in conjunction with third-party relationships to understand overall potential impacts given the potential to shift the risk profile of an entire organization. Another key concern is developing the right risk mitigation strategies, including a broad-based approach to vendor reliance. About half of the organizations we surveyed find it relatively easy to report on concentration of spend and third-party concentration, but far fewer said the same about fourth-party or reverse concentration.

[Figure: Organizations that find reporting on vendor concentration relatively easy]

Our 2020 TPRM survey results identified the following key challenges for managing fourth-party risk:

  1. Identifying all fourth parties and maintaining a central fourth-party inventory
  2. Determining the significance of a fourth party
  3. Understanding roles and responsibilities of managing risk by doing business with fourth parties

1. Identifying all fourth parties and maintaining a central fourth-party inventory

The biggest challenge organizations face is not having sufficient knowledge about their fourth parties. While an organization may have a loose understanding of how a third party manages its fourth parties, or may request that information, organizations rarely maintain a centralized inventory of fourth-party information or include contract provisions to enforce compliance. In practice, fourth-party inventories are not built unless the organization receives a finding from either internal audit or regulatory bodies for data loss through third parties.

2. Determining the significance of a fourth party 

One obstacle in creating this type of inventory is uncertainty about which fourth parties to include and where to obtain relevant information about them. This requires analysis of all fourth parties — largely informed by access to data and business dependency — to determine just how significant each one is to the underlying third-party services. In turn, this determination reveals which fourth parties must be assessed further. Only one in three of the organizations surveyed collects information on all fourth parties. It is likely that privacy and global inventory expectations will increase the collection of fourth-party data in years to come.

[Figure: Survey question - how is fourth-party information identified and collected?]

3. Understanding roles and responsibilities of managing risk by doing business with fourth parties

There is also some uncertainty around whether the organization or the third party bears responsibility to manage the risk of doing business with the fourth party. Organizations that delineate clear monitoring and other risk-related roles for management while also clearly outlining third-party duties in a range of scenarios will be best prepared when fourth-party risk issues arise.

[Figure: Survey results - how does your organization assess fourth parties?]

Determining the right path forward

Fourth-party identification and data capture

Building a comprehensive fourth-party inventory begins with identifying the right steps for an organization to capture and document these relationships. For many clients, there are often two points of control that have been impactful for data capture:

  • Pre-contract: Establish contract terms for notification (or approval) of subcontracting activities and ask the right questions during inherent risk assessments
  • Post-contract: Perform information security control assessments (a more mature control pillar) to obtain the most reliable data points about potential fourth parties

Data management

From a data perspective, there is a growing interest among institutions to also comprehend how and with whom their data is being further shared, accessed, processed and/or stored. Key factors to consider:

  • The percentage of third parties that share sensitive information with fourth parties, driving up the firm’s exposure to external entities
  • Whether these fourth parties directly interact with the firm’s customers
  • Whether sensitive data is encrypted at rest, in transit or within the fourth party’s environment
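The concentration reporting, significance determination and data-sharing factors described above all depend on having the fourth-party inventory in a queryable form. The following is an added example, not code from the article or from EY, of a minimal inventory model with the checks a TPRM analyst would run over it: reverse concentration (which third parties depend on the same fourth party), shared critical dependencies, a significance tier derived from data access and business dependency, and the unencrypted sensitive-data flows to escalate first. Every vendor name, field name and record is constructed for illustration.

```python
"""Added example, not from the EY article: a minimal third-/fourth-party
inventory with reverse-concentration and sensitive-data checks.
Every vendor name and record below is constructed for illustration."""
from collections import defaultdict

# Constructed inventory. Each third party lists the fourth parties it
# subcontracts to, whether the third party is critical to the organization,
# and whether the organization's sensitive data flows on to that fourth
# party and is encrypted there.
INVENTORY = [
    {"third_party": "PayrollCo", "critical": True, "fourth_parties": [
        {"name": "CloudHost-A", "sensitive_data": True, "encrypted": True},
        {"name": "MailRelay-X", "sensitive_data": True, "encrypted": False},
    ]},
    {"third_party": "ClaimsSvc", "critical": True, "fourth_parties": [
        {"name": "CloudHost-A", "sensitive_data": True, "encrypted": True},
        {"name": "AnalyticsB", "sensitive_data": False, "encrypted": True},
    ]},
    {"third_party": "OfficeSupply", "critical": False, "fourth_parties": [
        {"name": "CloudHost-A", "sensitive_data": False, "encrypted": True},
    ]},
    {"third_party": "HelpDeskCo", "critical": False, "fourth_parties": [
        {"name": "AnalyticsB", "sensitive_data": True, "encrypted": True},
    ]},
]

RANK = {"low": 0, "medium": 1, "high": 2}


def reverse_concentration(inventory):
    """Map each fourth party to the sorted third parties that rely on it."""
    deps = defaultdict(set)
    for tp in inventory:
        for fp in tp["fourth_parties"]:
            deps[fp["name"]].add(tp["third_party"])
    return {name: sorted(tps) for name, tps in deps.items()}


def shared_critical_dependencies(inventory, min_dependents=2):
    """Fourth parties that at least `min_dependents` critical third parties
    depend on: one outage there disrupts several critical services at once."""
    counts = defaultdict(int)
    for tp in inventory:
        if not tp["critical"]:
            continue
        for fp in tp["fourth_parties"]:
            counts[fp["name"]] += 1
    return sorted(n for n, c in counts.items() if c >= min_dependents)


def significance(inventory):
    """Tier each fourth party by data access and business dependency:
    high = receives sensitive data from a critical third party,
    medium = receives sensitive data or serves a critical third party,
    low = neither. A fourth party keeps the highest tier seen across
    all of its third-party relationships."""
    tiers = {}
    for tp in inventory:
        for fp in tp["fourth_parties"]:
            if fp["sensitive_data"] and tp["critical"]:
                tier = "high"
            elif fp["sensitive_data"] or tp["critical"]:
                tier = "medium"
            else:
                tier = "low"
            current = tiers.get(fp["name"], "low")
            tiers[fp["name"]] = tier if RANK[tier] > RANK[current] else current
    return tiers


def unencrypted_sensitive_flows(inventory):
    """(third party, fourth party) pairs where sensitive data is shared
    without encryption: the exposures to raise with the third party first."""
    return sorted((tp["third_party"], fp["name"])
                  for tp in inventory for fp in tp["fourth_parties"]
                  if fp["sensitive_data"] and not fp["encrypted"])


def sensitive_sharing_ratio(inventory):
    """Fraction of third parties passing sensitive data to any fourth party."""
    sharing = sum(1 for tp in inventory
                  if any(fp["sensitive_data"] for fp in tp["fourth_parties"]))
    return sharing / len(inventory)


if __name__ == "__main__":
    print("reverse concentration:", reverse_concentration(INVENTORY))
    print("shared critical dependencies:", shared_critical_dependencies(INVENTORY))
    print("significance tiers:", significance(INVENTORY))
    print("unencrypted sensitive flows:", unencrypted_sensitive_flows(INVENTORY))
    print("sensitive sharing ratio:", sensitive_sharing_ratio(INVENTORY))
```

In a real programme the inventory rows would come from the pre-contract subcontracting notifications and post-contract information security assessments described above, and the tiering rule would be whatever the organization's risk methodology defines; the point of the model is that once the relationships are recorded as data, the concentration and data-flow questions that most surveyed organizations find hard become simple queries.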

Reimagining the future of fourth-party risk management

Updated contract terms

Organizations should have a defined approach for how fourth parties are identified and potentially controlled through third-party contract terms and conditions. Considerations include the following:

  • Require approval and the ability to assess the need and capabilities to conduct services offshore
  • Provide specific cloud data storage and security requirements, if applicable
  • Identify specific data breach or incident requirements of fourth parties
  • Confirm the right (and ability) to audit the fourth party, including an independent assessment by the organization of the fourth party’s control environment
  • Dictate contractual impacts if the contracting organization fails to appropriately identify, share and/or monitor the fourth party

Ongoing monitoring of fourth parties and beyond

To continuously monitor their third-party ecosystem, rather than relying on point-in-time assessments alone, organizations must develop a process to monitor their fourth and Nth parties. In doing so, they should start with the following:

  • Evaluate the riskiest or most critical fourth/Nth parties and focus efforts there
  • Understand how the organization’s third, fourth and Nth parties conduct ongoing monitoring of their third parties
  • Develop an automated, data-driven approach that enables assessment of fourth/Nth parties in a more real-time manner

Backup plan and exit strategy

Finally, third- and fourth-party backup plans and exit strategies should be documented and aligned to best support the organization’s business objectives. Below are some leading practices:

  • Introduce exit strategies that are fully developed with a known scope of activities, effort and costs before entering into any agreements
  • Determine whether the organization could feasibly re-integrate the services in an effective manner
  • Consider temporarily moving to another provider and/or implementing enhanced supervision and control over the third or fourth party
  • Quickly develop a more long-term plan

Forward-thinking organizations must begin to address the underlying risks associated with their fourth parties by asking tough questions and developing new approaches. Given the evolution and maturity of third-party risk management, the fourth-party challenges discussed above represent an expansion of risk exposure that has been taking place for quite some time. Many organizations’ third-party selection processes are lacking maturity, which has had significant long-term impacts in many risk areas, including environmental, social and governance; cyber and data privacy; and business continuity management. These impacts include reputational considerations along the value chain and emerging geostrategic risks, including supply chain concerns, leading to a significant effect on operational excellence and resiliency, as well as on risk likelihood. Leadership that prioritizes these issues now will be better equipped to achieve organizational resiliency and navigate the road ahead.

Summary

Given today’s rapidly changing business conditions, organizations must gain deeper knowledge about their third, fourth and so-called Nth parties as part of a wide-reaching risk management and operational reassessment of their vendors.
