Third party, fourth party, fifth party, and so on! Unfortunately I recently turned thirty, and I am not referring to my typical weekend’s social agenda. Rather I am referring to the numerous levels of the supply chain risk your company should be managing, or at the very least considering and monitoring.
In today’s world it has become increasingly complicated to stay up to date with all the different types of risk that are emerging let alone manage them. I have no doubt we are all generally familiar with the concept of third party risk management (TPRM), and have a firm understanding of what an effective program looks like. Despite these assumptions, I am going to drop a few quick definitions in order to play it safe.
a. Third Party Vendor: any entity that a company does business with directly. This may include suppliers, vendors, contract manufacturers, business partners and affiliates, brokers, distributors, resellers, and agents.
b. Fourth Party Vendor: a company to whom your company’s third party outsources to, in other words, your “vendor’s vendor”.
c. Fourth Party Vendor Risk: risk to your company introduced by your suppliers' suppliers.
Today I am going to discuss fourth party risk management (FPRM) and why it bears consideration of being equally weighted to TPRM within procurement departments. I know there are many out there likely screaming “Pump the brakes! It is hard enough to manage third party risk, why should I spend my time trying to track 4th party risk. If something goes wrong with a 4th party, my 3rd party will be responsible.” Sikeee! Your third parties may handle rectifying issues that arise with their suppliers, but B2B customers and regulators are more likely to hold you accountable. Especially if customer information is involved. This is why it is mandatory that procurement departments have risk policies in place that extend beyond their third parties.
Before diving deeper into these protective measures and discussing how to build an effective fourth party risk management program, I want to briefly discuss the types of fourth party risks we should be concerned with avoiding. Put simply fourth party risk types are identical to third party risk types with the exception of the source, they are driven by your suppliers’ suppliers. Fourth party risks include: strategic, reputation, operational, transaction, compliance, concentration, and information security. For more definition on what constitutes each of these risk types please refer to this blog.
NAME THAT RISK TYPE!
Below I described a scenario that presents fourth party risk.
Company A partners with Company B who is a large PEO. Company B directly handles the majority of Company A’s HR functions and payroll services, but once a year when tax season comes they outsource payroll tax filing to Company C. Company C is a small software company that developed a propriety solution that files form 1095-C on behalf of its clients with the IRS. Because Company A has no direct contract in place with Company C, this situation presents a great deal of fourth party risk.
What type of fourth party risk is present in this scenario?
Now, if you were able to correctly diagnose the risk type present in this scenario as information security then you are catching on fast!
RISK COMBAT
In closing, I am going to list a few actions you can take to protect your organization against fourth party risk:
1. Perform as much due diligence in evaluating your fourth parties as you do your third parties. Work with your third parties to request information. Since you don’t have a contract in place with your fourth parties, you may need their assistance to get all of the information you need.
2. Verify your third party vendor’s own TPRM policies are on par with your own. You want to be certain you are comfortable with the degree to which they assess and manage risk.
3. Whenever possible, require that your third parties contractually commit to notifying you prior to contracting with a fourth party vendor.
Identifying and managing fourth party risk is no easy task, and regulators recognize the challenges we all face. Helping to demonstrate that you have adequate procedures in place and have made all reasonable efforts through appropriate documentation and a well-organized approach can really help your case upon an examination. When a fourth party is involved, the risk should be analyzed as extensively as it would be when reviewing a third party. If you do your due diligence in ensuring this is standard practice, your organization will benefit in the long run.
In today’s world it has become increasingly complicated to stay up to date with all the different types of risk that are emerging let alone manage them. I have no doubt we are all generally familiar with the concept of third party risk management (TPRM), and have a firm understanding of what an effective program looks like. Despite these assumptions, I am going to drop a few quick definitions in order to play it safe.
a. Third Party Vendor: any entity that a company does business with directly. This may include suppliers, vendors, contract manufacturers, business partners and affiliates, brokers, distributors, resellers, and agents.
b. Fourth Party Vendor: a company to whom your company’s third party outsources to, in other words, your “vendor’s vendor”.
c. Fourth Party Vendor Risk: risk to your company introduced by your suppliers' suppliers.
Before diving deeper into these protective measures and discussing how to build an effective fourth party risk management program, I want to briefly discuss the types of fourth party risks we should be concerned with avoiding. Put simply fourth party risk types are identical to third party risk types with the exception of the source, they are driven by your suppliers’ suppliers. Fourth party risks include: strategic, reputation, operational, transaction, compliance, concentration, and information security. For more definition on what constitutes each of these risk types please refer to this blog.
NAME THAT RISK TYPE!
Below I described a scenario that presents fourth party risk.
Company A partners with Company B who is a large PEO. Company B directly handles the majority of Company A’s HR functions and payroll services, but once a year when tax season comes they outsource payroll tax filing to Company C. Company C is a small software company that developed a propriety solution that files form 1095-C on behalf of its clients with the IRS. Because Company A has no direct contract in place with Company C, this situation presents a great deal of fourth party risk.
What type of fourth party risk is present in this scenario?
Now, if you were able to correctly diagnose the risk type present in this scenario as information security then you are catching on fast!
RISK COMBAT
In closing, I am going to list a few actions you can take to protect your organization against fourth party risk:
1. Perform as much due diligence in evaluating your fourth parties as you do your third parties. Work with your third parties to request information. Since you don’t have a contract in place with your fourth parties, you may need their assistance to get all of the information you need.
2. Verify your third party vendor’s own TPRM policies are on par with your own. You want to be certain you are comfortable with the degree to which they assess and manage risk.
3. Whenever possible, require that your third parties contractually commit to notifying you prior to contracting with a fourth party vendor.
Identifying and managing fourth party risk is no easy task, and regulators recognize the challenges we all face. Helping to demonstrate that you have adequate procedures in place and have made all reasonable efforts through appropriate documentation and a well-organized approach can really help your case upon an examination. When a fourth party is involved, the risk should be analyzed as extensively as it would be when reviewing a third party. If you do your due diligence in ensuring this is standard practice, your organization will benefit in the long run.
Post A Comment:
0 comments so far,add yours