Nth party risk: What it is and how to address it
Third party risk management (TPRM) is a comprehensive process that involves identifying, assessing, managing, and continuously monitoring the risks faced by your organization and its customers due to business relationships with external vendors, suppliers, and service providers. In the past few years, TPRM has evolved beyond just managing direct relationships with your third parties; it now also includes identifying, assessing, and mitigating risks related to fourth-party or Nth-party relationships—essentially, the vendors of your vendors and beyond. This layered approach is crucial, as risks within the supply or service chain can propagate through your third parties, potentially impacting your organization unexpectedly. Common risks include information security vulnerabilities, operational disruptions, compliance issues, financial concerns, and reputational risks.

To illustrate what fourth and nth party relationships are, imagine your organization uses a third party customer service call center, and that call center experiences an outage with its call management software provider (your fourth party). Even though you do not have a contract with the vendor providing the call management software, this outage can still lead to operational disruptions for your organization, resulting in service delays and dissatisfied customers. Consider another scenario where that same software provider suffers a data breach at its contracted data center (your Nth party), ultimately impacting your customers' data. In both situations, the issues do not originate directly from your third party, but rather from their vendors (and the vendors of those vendors) who are engaged to deliver products and services to your organization.
Just thinking about fourth and nth-party risks can be overwhelming, especially as the risk landscape seems to grow with each additional layer of a relationship. Many regulatory requirements now also expect you to identify and manage these risks effectively. However, there is no need to panic. There are effective strategies you can implement to address them, even with limited resources.
How To Manage Fourth- and Nth-Party Risks
It's essential to recognize that managing all fourth-party and nth-party risks is neither feasible nor practical. Your organization has limited time and resources, and you do not have direct contracts with these fourth and nth parties, so they are not legally obligated to you. Furthermore, your visibility into their operations may be limited, making oversight difficult. A strategic approach is essential, so it is important to define what "managing" these risks entails and how it is implemented in practice. For many organizations, this means identifying where fourth-party and nth-party risks exist and ensuring that the third party manages those extended relationships effectively.
Consequently, having strong third party risk management practices at your organization is crucial for success. This includes conducting thorough risk assessments, assigning risk ratings, identifying critical vendors, performing due diligence, establishing contracts, and implementing continuous monitoring. These processes are vital for effectively identifying and managing fourth-party and nth-party risks.
Take a stepwise approach and start with your own critical third party vendors and service providers. Critical third parties are those relationships that can seriously impact your operations if a business interruption occurs; those that access, process, transmit, or store Personally Identifiable Information (PII) or confidential data; and any vendor or service provider that interacts with your customers. Targeting your critical third parties first can help you narrow your scope and concentrate on where the most significant risks are.
Build your 4th and nth party inventory
Once you have your list of critical third parties, you’ll need to understand which of their vendors and service providers are essential for delivering products and services to you, or which could cause regulatory issues or customer dissatisfaction. Here are some tips for accomplishing that task.
Ask your third parties to list their critical vendor and service provider relationships. This should be a requirement in your critical third party contracts, but if it isn’t, schedule a meeting to discuss your objectives and criteria so they can report back to you. Ensure they provide the organization’s name, location, and product or service. It’s also important to ask if they have additional relationships through their vendors (your nth parties) that can impact your organization or its customers.
Check your critical vendors’ SSAE 18 (SOC) reports to find relevant fourth-party vendors. Look in the “Subservice Organizations” section for this information. These subservice organizations provide the controls needed to meet your third party’s system requirements or commitments to you.
After you have identified these fourth and nth party relationships, keeping the inventory current and organized is essential. Remember to look for fourth and nth parties servicing more than one of your third parties. For example, if all your cloud, data, and analytics providers are using AWS, you may need to consider and address that additional nth-party concentration risk.
Review Your Vendor’s TPRM Policy And Practices
You must rely on third parties to effectively manage their vendor and service provider relationships. A key aspect of successfully addressing third party risk is understanding how your vendors and service providers are managing their third party risks. Never assume that they have it under control. You must see evidence that their TPRM practices meet your requirements. Always review the following:
Policy:
Review their internal third party or vendor risk management policy. Is it comprehensive? Does it clearly outline roles and responsibilities? Who is ultimately accountable for TPRM? Does the policy address each part of the TPRM lifecycle?
Risk assessments:
Due Diligence:
Contracts:
Ongoing Monitoring:
Issue Management:
When you understand how your third parties manage vendor relationships and can see proof of effective and timely processes, you will be able to address nth-party risk more confidently.
Update your contracts
It is essential to recognize that your organization relies heavily on third parties to identify and manage risks associated with fourth and nth parties. If your current third party contracts do not require the disclosure of critical nth parties or do not include provisions for managing third party risks, it may be time to amend those contracts. If immediate changes aren't feasible, it's crucial to document the necessary improvements so your organization can effectively negotiate them before renewing the contracts.
Monitor nth party risk
As with other risks, you need to stay aware of third-party and fourth-party risks that could impact your organization or its customers. You should require your third party vendors to provide monitoring information about their vendors and service providers, and review this information regularly, especially if any issues have arisen. Ensuring that you receive proof of remediation for these issues is essential. Additionally, consider utilizing risk intelligence services to monitor critical or high-risk fourth and nth parties.
In conclusion, although addressing fourth and nth-party risks may seem complex, they become more manageable with a strategic approach. By focusing on your critical third parties, building an inventory of their essential vendors, and requiring them to uphold robust TPRM practices, you create a solid framework for proactively identifying and mitigating risks. Committing to continuous monitoring and maintaining open communication with your third parties will enable you to identify and address the risks in your service or supply chains more effectively.