You’re probably familiar with the concept of third parties, but what about fourth parties and beyond? These are your Nth parties, and they have been in the news a lot recently; they’re a hot topic. There have also been fairly recent regulatory developments and changes, especially as it applies to managing Nth-party relationships, where your extended liabilities are defined, where they may start and end, as well as best practices for managing your fourth-party risks.
Governance, risk, and compliance (GRC) is a very important practice and discipline across businesses, but where I see most of the action happening now is in third-party risk management (TPRM). And what we’re seeing is an expansion of the landscape. We’re seeing ethics, compliance, risk, and regulatory risk in one group, one category where you have fraud, bribery, corruption, regulatory misalignment, ethical workplaces, beneficial ownership, and other kinds of reputational disciplines. And we’ve had this as part of TPRM for many years.
We also have financial and legal risks, again in relation to regulatory alignment, credit and payment risk, audit risk, evolving reporting risks that you need to deliver to your leadership, your boards, your shareholders, and your regulators.
You have information technology, which is rapidly changing for third-party risks and cybersecurity, but also things like secure systems, secure facilities, and things that are protecting your information technology, especially as it’s shared across data systems and interconnected third parties.
You have data risk, intellectual property risk, personal record risk, data privacy risk, ransomware risk, and all these other things that happen on the digital side.
You also have performance and delivery assurance risks as well as concentration risks, which can include performance with SLAs, business continuity, resiliency planning, operational, and strategic risks. All of this is happening now and expanding all at the same time. All these risks are being put in front of TPRM experts and professionals.
There are also newer, 21st-century risks, such as ESG risks, where the market is increasingly looking for more transparency, reporting alignment, and regulations to pressure companies to do well by doing good.
And you see sustainability practices. You see pressure to do friend-sourcing or near-sourcing for third parties where you have better insight and control over those risks than are associated with more distant connections with third parties.
And now you also see a lot of AI risk related to third parties, which is something that you may have internally and at your third parties. You want to understand how they’re using AI to generate content or generate testing of their material or to otherwise be integrating AI into the supply chain, where you need to have insight and clarity about what’s actually happening there.
This is all evolving quickly, and I admire many TPRM professionals because this is a very exciting, vibrant, and challenging market for many, many people. Aravo talks with many people in the market, and we sympathize with the professionals out there trying to make this all work.
At the same time, we have an active regulatory environment; regulations are changing constantly. Businesses must keep on top of that and manage not only their own regulatory alignment but that of their third, fourth, and Nth parties.
We also have escalating internal and external pressures. You see a lot more activists, shareholders, and governments who want more attentiveness and better systems in place. They want transparency and accountability. And what we’re seeing is that there are fewer acceptable excuses for not doing this well, for not having the transparent reporting that the market is looking for these days.
We also have strains on teams, systems, and processes. You have different processes, different scoring, different risk assessments, different reporting, and you’re trying to make it all make sense to your executives and your board so they can make the best decisions they can.
With all this happening at one time, it can be hard to grasp what to do with these challenges. There’s always a question of how many fourth or Nth parties you might have connected to your third parties. However, we know that the number of third parties that businesses work with has grown exponentially.
According to Gartner, 60% of businesses engaged with 1000 or more third parties in 2020. If that number grows exponentially, the average company today could be engaging with 8 thousand third parties. And that number grows when you consider 4th or Nth parties; you could be indirectly engaging with 200,000 or 1,000,000 4th or Nth parties: Security Scorecard reports there are 60 to 90 times the number of fourth parties as there are third parties tied to your organization.
So, with that scale the market and regulators expect you to better manage those fourth-party relationships, which can get overwhelming very quickly. And where does the culpability end? What are your real regulatory and market obligations?
Even where you may not have transparency or accessibility and the influence and leverage over a fourth party to make sure it’s performing as expected or aligning to regulations or your ethics requirements, the market is still going to hold you responsible.
Let’s talk about some real cases. There was a story in the New York Times last March about sugar farmers in India. It’s a terrible story. It sheds light on abuse on the sugar farms. It’s talking about families that are basically in indentured servitude, stuck in these farms for generations and abused by the owners of these farms.
And some of these farms keep sugar flowing to major soda companies – the article specifically mentions Coke and Pepsi, though it is referring to local franchisees and bottlers. And these companies have some culpability here, even though it’s about six steps down the supply chain to these specific farms.
If the soda companies’ headquarters knew anything about this, I’m sure they would stop it. But how far down the supply chain are you responsible? The authors confirmed that it’s likely true that both company’s headquarters were unlikely to know anything about these sugar farmers and their condition, and that it’s unfair to accuse them of supporting this, but they also said that every single link in that supply chain said it wasn’t their responsibility.
This suggests that there comes a point where the market is going to hold the soda companies at least partially responsible for the situation. This is a story that you don’t want to have in your company, related to your brand, affecting your customers, partners, shareholders, and business.
We’re going to be exploring more about fourth-party risks in upcoming blog posts, featuring more experts in this field. In the meantime, there are several steps you can take to begin to incorporate fourth and Nth-party management into your TPRM strategy:
This interview has been edited for length and quality.
Share with Your Friends:
