Policy, Program and Procedures

Hi,
My company is relatively new, and I was tasked with creating a fourth-party policy. I've never created a fourth-party policy and wanted to see if anyone here can assist and point me in the proper direction to get this off the ground. We are a fin-tech/bank in the States, and I can only Google so much and look to see if anyone here has been in my shoes. Many thanks for your assistance!

I think it would depend on the scope of the interaction and what department it is for i/e if you were in procurement a 4th party policy would look a little different than if you were in third party risk management or even if you were on the business side trying to do business with a 4th party. can you expand on what department it is for? 

Hello,

In my experience, your third parties (vendor) should be responsible for conducting risk assessments and they should have an effective TPRM framework in place. A good TPRM program ensures that your vendors perform their due diligence and track their fourth parties through appropriate metrics. Because your organization likely has thousands of fourth-party relationships, which would be impossible to evaluate independently. To effectively monitor fourth-party risk, you should establish a manageable fourth-party risk program, but the monitoring methods depend on your third-party, because your organization doesn't have a direct relationship with the fourth-party. Therefore, for this type of monitoring to be successful it requires close collaboration with your third-party vendors. I think it is better to include in your due diligence a request to your third-party for a list of their critical vendors, and with this you can request a risk assessment report from your vendor. But like I said this is my experience. I would simply include a chapter in the TPRM policy about the fourth-party monitoring. 

Best.

Hello

Consider your organization's risk management practices, which are influenced by factors such as size, complexity, risk profile, and the nature of your third party relationships. My recommendation would be to incorporate this consideration into your third-party risk or vendor management policy. When dealing with fourth-party risk, adopt a risk-based approach since assessing all fourth parties directly may not be feasible.  If your critical provider outsources to their own critical fourth party, expect them to apply similar controls for assessing their third parties (which are your fourth parties). Additionally, establish a foundation within your agreements with these third parties, specifying how they manage their key third parties.  Prioritize key fourth parties, often this can overlap within your third party assessments.

pls. you can access Venminder site you will find a  policy template contains the main criteria