Fourth-party risk: Why your supply-chain security and risk assessments need a wider lens

The concept of fourth-party risk is increasingly relevant for organisations that rely on extended supply chains and multi-layer subcontracting. In the article by Russell McVeagh, a prominent New Zealand law firm, the authors argue that firms must look beyond their third-party vendors and examine the vendors’ vendors — the so-called “fourth parties” — in order to safeguard operational resilience and regulatory compliance.

The piece explains that while third-party risk management (TPRM) programmes have become mainstream, many organisations still lack visibility into their fourth-party relationships. A major risk arises when a fourth-party suffers a data breach, system outage or regulatory issue, causing cascading effects across the supply chain. The authors state:

“Recent global events … show that even when the core platform stands, weak links at the edges or in underlying cloud services can still create material exposure.”

Regulators are starting to address this gap. The article outlines how frameworks such as the EU’s Digital Operational Resilience Act (DORA) require financial entities to assess subcontractor exposure, and UK bodies like the Prudential Regulation Authority (PRA) emphasise concentration risk stemming from common fourth parties.

For firms in insurance, financial services and infrastructure, the article recommends extending due diligence and contractual terms to cover fourth and even fifth-party links, developing real-time monitoring of outsourced layers, and collaborating across sectors to map shared dependencies. This wider lens on supply-chain risk is no longer optional — it is a critical dimension of governance, cybersecurity and operational resilience.

For more details and structured learning, please explore our structured  course  on Supply Chain Risk Management 

author avatar
RMA INDIA

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.