Due Diligence and Ongoing Monitoring

This message was posted by a user wishing to remain anonymous

Hi
I'm looking for insights in how other organisations address 4th party risk management - is this largely left to third parties to manage or do you have any direct due diligence and monitoring of 4th parties?  Would love to hear about any frameworks and models used in this topic
Thanks in advance

This message was posted by a user wishing to remain anonymous

I suggest at a minimum gathering an Nth Party inventory.  Nth Party Inventory should include at least some minimal data on the Nth Party (vendor using the Nth Party, service provided, service location(s), data access status, vendor's TPRM adequacy,  etc.)

Concentration risk has been a frequent concern in the Nth Party discussion as has vendor's TPRM adequacy. 

Buyer be ware: Direct DD on Nth Parties can be difficult since you are not their customer.  As they say, "make sure the juice is worth the squeeze".
Original Message:
Sent: 08-10-2021 10:25 AM
From: Anonymous Member
Subject: 4th Party Risk Management

This message was posted by a user wishing to remain anonymous

Hi
I'm looking for insights in how other organisations address 4th party risk management - is this largely left to third parties to manage or do you have any direct due diligence and monitoring of 4th parties?  Would love to hear about any frameworks and models used in this topic
Thanks in advance

Completely agree re Nth parties.  An inventory at minimum.  In addition to concentration risk among these vendors, we also track location to get a handle on concentration risk related to geography.  Finally we track if they are foreign based or headquartered outside the US.  This is something our primary regulators have started to ask about for our 3rd parties and we have added this as part of our risk assessment for Nth parties to get a jump on where we suspect regulators are heading.

Shelly

------------------------------
Shelly Chase
Senior Risk Analyst Officer
------------------------------

Original Message:
Sent: 08-11-2021 09:56 AM
From: Anonymous Member
Subject: 4th Party Risk Management

This message was posted by a user wishing to remain anonymous

I suggest at a minimum gathering an Nth Party inventory.  Nth Party Inventory should include at least some minimal data on the Nth Party (vendor using the Nth Party, service provided, service location(s), data access status, vendor's TPRM adequacy,  etc.)

Concentration risk has been a frequent concern in the Nth Party discussion as has vendor's TPRM adequacy. 

Buyer be ware: Direct DD on Nth Parties can be difficult since you are not their customer.  As they say, "make sure the juice is worth the squeeze".
Original Message:
Sent: 08-10-2021 10:25 AM
From: Anonymous Member
Subject: 4th Party Risk Management

This message was posted by a user wishing to remain anonymous

Hi
I'm looking for insights in how other organisations address 4th party risk management - is this largely left to third parties to manage or do you have any direct due diligence and monitoring of 4th parties?  Would love to hear about any frameworks and models used in this topic
Thanks in advance