Due Diligence and Ongoing Monitoring

  • 1.  4th Party Risk Management

    This message was posted by a user wishing to remain anonymous
    Posted 08-10-2021 10:38 AM

    Hi
    I'm looking for insights into how other organisations address 4th party risk management - is this largely left to third parties to manage, or do you have any direct due diligence and monitoring of 4th parties? Would love to hear about any frameworks and models used in this topic.
    Thanks in advance


  • 2.  RE: 4th Party Risk Management

    This message was posted by a user wishing to remain anonymous
    Posted 08-11-2021 10:12 AM

    I suggest at a minimum gathering an Nth Party inventory. The Nth Party inventory should include at least some minimal data on the Nth Party (vendor using the Nth Party, service provided, service location(s), data access status, vendor's TPRM adequacy, etc.).

    Concentration risk has been a frequent concern in the Nth Party discussion, as has vendor's TPRM adequacy.

    Buyer beware: Direct DD on Nth Parties can be difficult since you are not their customer. As they say, "make sure the juice is worth the squeeze".


  • 3.  RE: 4th Party Risk Management

    Posted 08-11-2021 10:21 AM
    Completely agree re Nth parties. An inventory at minimum. In addition to concentration risk among these vendors, we also track location to get a handle on concentration risk related to geography. Finally, we track whether they are foreign-based or headquartered outside the US. This is something our primary regulators have started to ask about for our 3rd parties, and we have added this as part of our risk assessment for Nth parties to get a jump on where we suspect regulators are heading.

    Shelly

    ------------------------------
    Shelly Chase
    Senior Risk Analyst Officer
    ------------------------------