Why is it important to perform risk assessments on third and fourth parties?

Risk assessment of any Third Party is so important to assess the suppliers’ position in the market along with its compliance with regulatory requirements.  What is blurred in many cases is the relationship the third party has with its contractors/fourth party.  Hence the implementation of questions for the assessment of fourth parties is required in the Third Parties assessment especially around Data Privacy, Cyber Security, sanctions and topic such as ESG.

Fourth parties are becoming more involved in supply chains, especially in countries such as the UK where Brexit has opened alternative channels of supplies to UK companies, however these suppliers are offshore therefore full assessments are needed to ensure they meet regulatory requirements.

In essence, the supply chain can be very long and blurry, Organisation must protect themselves, their investors and customers against any possible risk from Nth parties causing damage to their reputation or breach regulatory requirements

What makes Nth Parties such a big risk to an organisation?

Daniel Terdiman (2021) states, Increasingly, hacks are spreading malware across hundreds or even thousands of organizations by exploiting the security updates for widely-used tools. This shows that companies up and down the enterprise IT supply chain face considerable risk, not just from the vendors, suppliers and partners that companies work with directly — what is called third-party risk — but also from attacks at many degrees of separation. And some businesses may not even be aware that they are vulnerable to this “nth-party risk” — and the consequences may be devastating.

In addition to the aforementioned, there are many example of risk surrounding Nth Parties, but essential, relationships between Client and Third Party is primary, therefore Third Parties may establish relationships with Fourth Parties outside the control of Client’s assessment.  In the event that a Nth Parties engage in activities which could import risk to the client and will have reputational as well as other regulatory implications, the client needs to ensure the relevant questions are completed to safeguard themselves against regulatory breaches.

VentureBeat Magazine, 16 September 22 reported 54% of organisations breached through third parties in the past 12 months, therefore with more than 50% of organisations facing threats through third parties is not just a problem, but is a disaster for industry.

This being said , Organisations are investing funds as well as manpower to perform heighten due diligence on their business to ensure Risk Management is managed appropriately to ensure the capture and mitigation of risk is completed as a priority.

How can collection of granular data help to monitor supply chain concentration?

Transactional Risk is becoming a hot topic for many organisations and over the past 10 years more focus is being placed upon this subject area. In essence, the review of granular data, will enable clients of services to clearly understand the landscape of its Third parties.  Many organisations do not clearly articulate their supply chain and pending risk which can impact their business.

Recognition of the various types of risk which can impact an organisation is important as its not only the standard types of Risk which we hear about in the news that make the biggest impact i.e. GDPR or Cyber Security.  We need to be cognisant of Anti-Slavery, Sanctions or Conflict of Interest which causes detrimental damage to organisations.

The statement, ’the devil is in the details’ is so poignant with Transactional Risk as examining the granule level information about an organisation is critically important.  When we look at some suppliers especially those with close relationships with government officials, or those who are linked to ‘Persons of Interest’, it is important that full checks are made to ensure there are no breaches in Risk such as Conflict of Interest, Money Laundering or Anti Bribery and Compliance.

Why should you incorporate publicly available data into assurance?

Using companies such as Dow Jones, Bloomberg or another rating agency will enable companies to clearly understand the landscape of a potential supplier’s risk and if there is any red flags which it needs to be aware.  Publicly available information is not only essential but for some organisations, it’s the only route to understanding Suppliers within a Supply Chain.

In order to provide the necessary assurance to ensure supplier within the Supply Chain are legitimate with good public standing and meets regulatory requirements (especially Critical Third Parties) Public available data is a must.

What can organisations do to ensure there is willingness from vendors to share information?

There are several platforms which perform ‘Trust Your Supplier’ activities.  When organisations instruct their Suppliers to sign-up with one of these agencies, the agents will conduct a thorough review of the supplier.  In this way, the client organisation has a one stop shop to find out any info on a supplier and its suppliers down the chain.

Reference List:
Daniel Terdiman (2021) The rise of nth party risk: What you need to know, https://www.mastercard.com/news/perspectives/2021/the-rise-of-nth-party-risk/
Venture Beat, September 16, 2022,  https://venturebeat.com/security/report-54-of-organizations-breached-through-3rd-parties-in-last-12-months/