Unraveling Layers of Hidden Fourth-Party Risks

October 9th, 2024 Loren Johnson Reading Time: 5 minutes

You’re probably familiar with the concept of third parties, but what about fourth parties and beyond? These are your Nth parties, and they have been in the news a lot recently; they’re a hot topic. There have also been fairly recent regulatory developments, especially as they apply to managing Nth-party relationships: where your extended liabilities are defined, where they may start and end, and what the best practices are for managing your fourth-party risks.

Third, Fourth, and Nth-Party Risks are Growing

Governance, risk, and compliance (GRC) is an important discipline across businesses, but where I see most of the action now is in third-party risk management (TPRM). And what we’re seeing is an expansion of the landscape. Ethics, compliance, and regulatory risk sit in one group, one category that covers fraud, bribery, corruption, regulatory misalignment, ethical workplaces, beneficial ownership, and other reputational concerns. And we’ve had this as part of TPRM for many years.

We also have financial and legal risks, again in relation to regulatory alignment: credit and payment risk, audit risk, and evolving reporting obligations to your leadership, your boards, your shareholders, and your regulators.

You have information technology, where third-party and cybersecurity risks are changing rapidly, but also secure systems, secure facilities, and the other controls that protect your information technology, especially as it’s shared across data systems and interconnected third parties.

You have data risk, intellectual property risk, personal record risk, data privacy risk, ransomware risk, and all these other things that happen on the digital side.

You also have performance and delivery assurance risks as well as concentration risks, which can include SLA performance, business continuity, resiliency planning, and operational and strategic risks. All of this is happening and expanding at the same time, and all of it is being put in front of TPRM experts and professionals.

Newer Fourth-Party Risks are Here and Knocking

There are also newer, 21st-century risks, such as ESG risks, where the market is increasingly looking for more transparency, reporting alignment, and regulations to pressure companies to do well by doing good.

And you see sustainability practices. You see pressure toward friend-shoring or near-shoring of third parties, where you have better insight into and control over the risks than you do with more distant third-party connections.

And now you also see a lot of AI risk related to third parties, something you may have internally as well as at your third parties. You want to understand how they’re using AI to generate content, to generate tests of their material, or to otherwise integrate AI into the supply chain, and you need insight and clarity about what is actually happening there.

Pressure from Regulators and Stakeholders

This is all evolving quickly, and I admire many TPRM professionals because this is a very exciting, vibrant, and challenging market for many, many people. Aravo talks with many people in the market, and we sympathize with the professionals out there trying to make this all work.

At the same time, we have an active regulatory environment; regulations are changing constantly. Businesses must keep on top of that and manage not only their own regulatory alignment but that of their third, fourth, and Nth parties.

We also have escalating internal and external pressures. You see a lot more activists, shareholders, and governments who want more attentiveness and better systems in place. They want transparency and accountability. And what we’re seeing is that there are fewer acceptable excuses for not doing this well, for not having the transparent reporting that the market is looking for these days.

We also have strains on teams, systems, and processes. You have different processes, different scoring, different risk assessments, different reporting, and you’re trying to make it all make sense to your executives and your board so they can make the best decisions they can.

Finding Your Fourth-Party Obligations

With all this happening at once, it can be hard to grasp what to do with these challenges. There’s always the question of how many fourth or Nth parties might be connected to your third parties. What we do know is that the number of third parties businesses work with has grown exponentially.

According to Gartner, 60% of businesses engaged with 1,000 or more third parties in 2020. Extrapolating that growth, the average company today could be engaging with 8,000 third parties. And the number explodes once you count fourth and Nth parties: SecurityScorecard reports there are 60 to 90 times as many fourth parties as third parties tied to your organization, which puts a company with 8,000 third parties in the range of several hundred thousand, approaching a million, fourth and Nth parties.

So, at that scale, the market and regulators expect you to manage those fourth-party relationships better, which can get overwhelming very quickly. And where does the culpability end? What are your real regulatory and market obligations?

Even where you lack transparency into or access to a fourth party, and lack the influence and leverage to make sure it performs as expected and aligns with regulations and your ethics requirements, the market is still going to hold you responsible.

Six Degrees of Separation

Let’s talk about some real cases. There was a story in the New York Times last March about sugar farmers in India. It’s a terrible story. It sheds light on abuse on the sugar farms. It’s talking about families that are basically in indentured servitude, stuck in these farms for generations and abused by the owners of these farms.

And some of these farms keep sugar flowing to major soda companies – the article specifically mentions Coke and Pepsi, though it is referring to local franchisees and bottlers. And these companies have some culpability here, even though it’s about six steps down the supply chain to these specific farms.

If the soda companies’ headquarters knew anything about this, I’m sure they would stop it. But how far down the supply chain are you responsible? The authors confirmed that it’s likely true that both companies’ headquarters were unlikely to know anything about these sugar farmers and their condition, and that it’s unfair to accuse them of supporting this, but they also said that every single link in that supply chain said it wasn’t their responsibility.

This suggests that there comes a point where the market is going to hold the soda companies at least partially responsible for the situation. This is a story that you don’t want to have in your company, related to your brand, affecting your customers, partners, shareholders, and business.

Where to Go from Here

We’re going to be exploring more about fourth-party risks in upcoming blog posts, featuring more experts in this field. In the meantime, there are several steps you can take to begin to incorporate fourth and Nth-party management into your TPRM strategy:

  • Identify critical fourth and Nth parties: Pinpoint which fourth parties are most critical to your operations and how a disruption or regulatory infraction could impact your organization.
  • Incorporate fourth-party risk management into your due diligence process: Develop assessments and questionnaires that establish how your third parties deal with their subcontractors. Use the responses to determine where improvements or more drastic actions should be made.
  • Continuously monitor fourth and Nth parties: Continuous monitoring is essential. Look for areas of improvement in communication, compliance, and reliability.
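The three steps above only work once you have actually mapped who sits behind your third parties. The following is an added example, not code from Aravo or from the original post, of what the first step looks like in practice: it takes the subcontractor disclosures collected in due-diligence questionnaires, walks them into a tiered map (tier 1 = third party, tier 2 = fourth party, and so on), records which third parties each Nth party is reached through, and flags the Nth parties that either support a critical third party or that several third parties concentrate on. The vendor names and the critical-vendor list are constructed sample data. Note the built-in blind spot, which the post's sugar-farm story illustrates: the map can only be as deep as what your third parties disclose, which is exactly why the questionnaire step has to ask about subcontractors.

```python
from collections import defaultdict, deque

# Constructed sample data, not real vendor disclosures. Each vendor maps to the
# subcontractors it disclosed in its due-diligence questionnaire. "org" is us;
# its direct edges are third parties, everything deeper is a fourth/Nth party.
DISCLOSED_SUBCONTRACTORS = {
    "org": ["payroll-saas", "claims-bpo", "logistics-co", "marketing-agency"],
    "payroll-saas": ["cloud-host-a", "email-relay"],
    "claims-bpo": ["cloud-host-a", "offshore-dataentry"],
    "logistics-co": ["cloud-host-a", "telematics-vendor"],
    "marketing-agency": ["ad-network"],
    "offshore-dataentry": ["local-isp"],
    "telematics-vendor": ["cloud-host-a"],
    # Anything a vendor did not disclose is simply absent: the map cannot see it.
}

# Direct relationships the business has rated critical (constructed sample).
CRITICAL_THIRD_PARTIES = {"payroll-saas", "claims-bpo", "logistics-co"}


def map_nth_parties(graph, root="org"):
    """Walk the disclosed supply chain from `root`.

    Returns {vendor: {"tier": n, "via": set_of_third_parties}}. `tier` is the
    shortest disclosed path length (1 = third party, 2 = fourth party, ...);
    `via` is every third party through which the vendor is reachable, which is
    the fan-in behind concentration risk. Shared suppliers and cycles are safe
    because each walk tracks what it has already seen.
    """
    # Plain breadth-first search gives the shortest path length, i.e. the tier.
    tier = {root: 0}
    queue = deque([root])
    while queue:
        vendor = queue.popleft()
        for sub in graph.get(vendor, []):
            if sub not in tier:
                tier[sub] = tier[vendor] + 1
                queue.append(sub)

    # One depth-first walk per third party records which third parties lead
    # to each deeper vendor.
    via = defaultdict(set)
    for third in graph.get(root, []):
        stack, seen = [third], set()
        while stack:
            vendor = stack.pop()
            if vendor in seen:
                continue
            seen.add(vendor)
            via[vendor].add(third)
            stack.extend(graph.get(vendor, []))

    return {v: {"tier": t, "via": via[v]} for v, t in tier.items() if v != root}


def flag_critical_nth_parties(mapped, critical_third_parties, min_fan_in=2):
    """Pick out the fourth/Nth parties that deserve attention first.

    A vendor is flagged if it sits beneath a critical third party, or if at
    least `min_fan_in` third parties depend on it (a concentration risk: one
    outage or compliance failure there hits several of your relationships).
    Returns {vendor: {"tier": n, "reasons": [...]}}.
    """
    flagged = {}
    for vendor, info in mapped.items():
        if info["tier"] < 2:  # third parties are handled by normal TPRM
            continue
        reasons = []
        critical_paths = info["via"] & critical_third_parties
        if critical_paths:
            reasons.append("supports critical third parties: "
                           + ", ".join(sorted(critical_paths)))
        if len(info["via"]) >= min_fan_in:
            reasons.append(f"concentration: reached via {len(info['via'])} third parties")
        if reasons:
            flagged[vendor] = {"tier": info["tier"], "reasons": reasons}
    return flagged


if __name__ == "__main__":
    mapped = map_nth_parties(DISCLOSED_SUBCONTRACTORS)
    for vendor, info in flag_critical_nth_parties(mapped, CRITICAL_THIRD_PARTIES).items():
        print(f"tier {info['tier']} {vendor}: " + "; ".join(info["reasons"]))
```

On the sample data the walk surfaces cloud-host-a as the obvious concentration point: it is a fourth party to three of the four third parties (and a fifth party again through telematics-vendor), so one incident there reaches most of the critical relationships at once, while ad-network is left alone because it supports only a non-critical third party. Re-running the map each time a questionnaire comes back is the mechanical half of the "continuously monitor" step.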

This blog is the first of a series focusing on fourth- and Nth-party risks. Stay tuned for future stories and contact us with any questions!

This interview has been edited for length and quality.

Loren Johnson

Senior Director, Product Marketing

Loren Johnson leads Aravo’s product marketing function, covering how Aravo builds, markets, and sells its market-leading third-party risk management solution. Driven by a passion for innovation and solving business challenges, Loren brings an international business perspective and desire to deliver measurable customer success. Loren is a long-term TPRM advocate with an MBA in International Management from Thunderbird, and more than 30 years working in the technology sector. With eight years in the GRC market, Loren brings enthusiasm and an informed perspective to his work with Aravo.
