Risk Assessments

Hello. I'm in the process of building contract owner guidance for identification of material 4th parties. What criteria do you provide to contract owners and/or your third parties to obtain an inventory of their most high risk/material subservice providers? Want to make sure I'm on the right page and not missing anything in scope.

Thank you.

Material or critical fourth parties can still expose your organization to risk, so you're definitely on the right track of wanting to identify them. 

The good news is that these critical fourth parties can be identified in your third parties' SOC reports. The SSAE 18 essentially requires an organization to identify its critical third parties through its applicable complementary subservice organization controls (CUECs). Anyone who's familiar with reviewing SOC reports should be able to identify these CUECs, and therefore identify the third party's critical vendors (your fourth parties). 

Once you identify these critical fourth parties, I would recommend preparing a list of specific questions to ask your third party about how they manage their critical vendor's operational risk, information security risk, and financial risk. Since you don't have a contract with your fourth parties, you'll need to depend on your third parties to provide evidence of their third-party risk management practices. This evidence can include reports from qualified subject matter experts (SMEs) on the critical vendor's control environment. The goal is to determine whether your third party is effectively managing its own third-party risk. After asking these questions and learning more about your third party's risk management practices, you may want to consider adding relevant clauses into your vendor contract. 

I hope my answer helps with your contract owner guidance and I look forward to other suggestions from the community.