Colorado Release: What’s Next in Third-Party Risk? Expanding the View to Fourth Parties

MetricStream- Colarado blog
2 min read


In today's world, organizations are increasingly dependent on their third parties – their consultants, vendors, and partners – to provide products and services. Financial institutions and large banks especially have large networks of third parties. However, with the numerous advantages of partnerships, comes the added responsibility to ensure the trustworthiness of the extended network—now often called the extended enterprise. As the pace of business expands, managing this extended enterprise not just becomes increasingly difficult – but also equally important.

It becomes critical for organizations to manage the risks associated with direct third parties as well as identify and manage the risks associated with the third party's third parties: i.e., the Fourth Parties. According to a recent Gartner report, more than 60% of organizations are now working with more than 1,000 third parties, and in some cases, that’s a low estimate, especially as business ecosystems continue to grow and expand.

Every one of those third parties and fourth parties poses a risk to your business. Understanding whom you’re doing business with is essential, and as the network expands, the view gets hazier.

Identifying Your Fourth Parties

Until now, it’s been a real challenge to identify fourth parties since your organization is not directly working with them, and it becomes difficult to track which product or service is being offered by the fourth party. With the implementation of the SSAE 18 report, which mandates your third party to disclose their vendor information, that information can be used to identify the fourth parties – and manage them.

Managing Fourth-Party Risks

Most of the recent security breaches and privacy vulnerabilities are due to lapses in the organization’s extended networks. This can bring serious reputational, legal, and financial risks to an organization, making it vital to start identifying fourth-party risks as soon as your fourth parties are identified. You can start by:

  • Identifying and managing fourth-party information providing products/services
  • Conducting due diligence on critical fourth parties – sometimes the same fourth-party could be working with different third parties for different products/services
  • Assessing different risk areas like Cyber Security, Reputational, Legal, etc.
  • Reviewing SOC 2/SOC 3 reports - understand the control effectiveness in third-party and fourth-party organizations (if any)

How Can MetricStream Help?

In the most recent Colorado release, MetricStream Third-Party Risk Management (TPRM) has expanded its fourth-party risk functionality, equipping you to better assess the risk of your critical fourth parties.

Now, MetricStream TPRM allows you to:

  • Capture fourth-party information in a central repository
  • Associate a fourth-party to a specific product/service or at an overall third-party level
  • Conduct due diligence on the fourth-party and identify the overall risk rating
  • View overall risk exposure from various associated fourth parties at the third-party level

Like to see it in action? Let us show you how we can help you manage and mitigate not just your immediate third party and supplier risk – but also that of their vendors and suppliers. Sign up for a demo today.

Interested to know more about how the new features and functionalities in MetricStream’s Colorado software release can help you thrive on risk? Click here to read more.

Kaul Siddharth- MetricStream

Kaul Siddharth Product Manager

Siddharth Kaul is a Product Manager at MetricStream. He is responsible for managing the Third-Party Risk Management product suite and the product lifecycle including product strategy, roadmap, design, requirement definition, field enablement, customer adoption, competitor analysis, and technology partnerships.


Ready to get started?

Speak to our experts Let’s talk