“Taking the Pulse of Nth Parties in a Post-COVID World” webinar brought together a capable panel of risk experts to discuss Nth Party Risk concepts. With close to 100 combined years of experience in the Third Party Risk Management field, speakers included Brad Keller (SVP & CSO, Shared Assessments), Sean O’Brien (Managing Director, DVV Solutions), James Arnold (Americas Data Privacy & Protection Officer, Mitsubishi UFJ Financial Group Inc.) and moderator Tom Garrubba (VP & CISO, Shared Assessments).
The challenge for understanding Nth Parties is recognizing whether you have an Nth Party relationship at all. Pair this knowledge with your approach to how you would like to control data: to whom and where does the data go? Nimble contracting addresses the data question – tri-party contracts can guide how your vendor shares your organization’s data with their predominant fourth parties.
Good contracting is rooted in solid partnership and collaboration skills. As a TPRM practitioner, it is your job to help a vendor understand why you need certain contract provisions, particularly in regulated environments such as financial services. Vendors are business partners, not just parts of a supply chain, and a contract needs to ensure the relationship is mutually beneficial.
Walking through Shared Assessments’ free VRMMM tool with a vendor can help explain the importance and standardization of contractual language. Additionally, when you use continuous monitoring to evidence to a third party why there might be a risk issue with a fourth party, describe this finding from a place of understanding rather than accusation.
To gain a better sense of Nth Parties used by vendors, create a vendor register or vendor inventory. A vendor register is a simple questionnaire technique or attestation asking third parties to identify their fourth parties. As you develop a vendor register, consider that every vendor sitting outside of your critical vendor list is a vendor waiting to move onto the list. (The pandemic exemplified how increasingly distant parties gained remote access to organization’s networks and systems – this moved vendors up from a risk standpoint).
A vendor register records what you find in your assessments. Many companies use procurement or contract management systems for this with the theory that all vendors go through procurement. As a risk professional, you need more information on data, systems, vendor’s location for privacy considerations. But, you can use one system to validate the other.
Addressing the “limbo dilemma” or how low organizations need to go in terms of assessing downstream vendors, follow the practical guidance of going as far down the food chain as the risk you are taking. Evaluate the risk associated with business service you are requiring. Fine tune your risk-based decision making through a benefit analysis – what is the cost, expense and likelihood of a problem arising from a subcontractor to your vendor? Develop and document a set of criteria, parameters or rules you use every time you make this decision. (You must decide if better risk posture is worth the three months it takes to perform a detailed assessment of a vendor and their subcontractors – or does the time spent present diminishing returns?)
Finally, when you are not able to directly assess vendor subcontractors, not all is lost. You should expect your vendor to address their subcontractors and to have an effective TPRM program. When and where you cannot assess, make sure your vendor can! Perpetuate the practice of TPRM mirroring – the idea that a vendor’s controls should parallel your own. Say YES! to robust Third Party Risk Management across the supply chain.