The Hidden Pipeline: Managing Fourth-Party Risk

William C Hord, Chief Strategy Officer - ERM Pilot

ERM Pilot | Third-Party Risk Management Series, Part 1 of 3 by William Hord - Chief Strategy Officer


Your institution has a vendor management program. You track your critical vendors, conduct periodic due diligence, review SOC reports, and maintain contracts with appropriate termination rights. What you may not fully know is what your vendors' vendors are doing with your data, your processes, and your operational continuity.

This is the fourth-party risk problem — and it is one of the most significant gaps in institutional TPRM programs that examiners are now actively probing.

What Regulators Are Seeing

The 2023 Joint Guidance on Third-Party Relationships issued by the OCC, FDIC, and Federal Reserve represents the most comprehensive interagency statement on vendor risk in years. It explicitly extends the scope of TPRM expectations beyond direct contractual relationships, noting that institutions should understand "the extent to which third parties rely on other parties to fulfill their obligations." This is regulator language for fourth-party risk — and it signals that "we have a contract with the vendor" is no longer a sufficient answer.

The OCC's FY2025 Bank Supervision Operating Plan reinforces this, directing examiners to assess "all stages of the third-party risk management life cycle" and to evaluate whether institutions have achieved an "enterprise-wide view of third-party risk." An enterprise-wide view, by definition, includes the supply chain beyond your direct vendors.

How Fourth-Party Risk Actually Manifests

The mechanism is often invisible until it isn't. A community bank relies on a regional core processor. That core processor hosts services on a major cloud infrastructure provider. The cloud provider experiences a significant outage — and the bank's core banking system goes down for 18 hours. The bank had no direct relationship with the cloud provider. It had no visibility into that dependency. And it had no contractual leverage to demand a recovery timeline.

CISA's operational advisories have documented numerous incidents of this structure: software supply chain compromises, cloud hosting chain failures, and third-party data breaches that propagated through layers of subcontractors before reaching the financial institution. The 2020 SolarWinds compromise — affecting federal agencies and private sector firms simultaneously — was a canonical example of nth-party risk materializing at scale.

Mapping Your Vendor Ecosystem

The first step toward managing fourth-party risk is visibility. Institutions need to understand, for each critical vendor, what subcontractors or technology providers that vendor relies on for the services they deliver. This information should be obtained contractually — through subcontractor disclosure requirements built into vendor agreements — and reviewed as part of the periodic due diligence cycle.

The FFIEC IT Examination Handbook provides a useful framework: due diligence depth should correspond to the criticality and complexity of the vendor relationship. For vendors supporting core operations, payment processing, or cybersecurity functions, that depth should extend to material subcontractors.

Practically, this means asking vendors:

— What cloud infrastructure providers host your services?
— What third-party software libraries or platforms are embedded in your product?
— Do you have business continuity plans that account for the failure of your key subcontractors?
— Are you required to notify us if a material subcontractor changes or fails?
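Once those disclosures are on file, the mapping itself is a small inversion exercise: turn "vendor relies on provider" into "provider is relied on by which vendors", which exposes shared fourth parties (the single points of failure the bank in the outage scenario had no contract with) and any critical vendor that has not disclosed anything yet. The following script is an added example, not ERM Pilot's code or its Navigator module; the vendor, subcontractor and service names in it are constructed, as is the dictionary-of-disclosures input format.

```python
"""Fourth-party concentration check over constructed vendor disclosures (added example).

Input is the kind of subcontractor disclosure the article says institutions should
collect contractually: for each critical vendor, the services it supports and the
subcontractors / technology providers it relies on. All names below are constructed.
"""
from collections import defaultdict

# Constructed sample data: vendor -> {"services": [...], "subcontractors": [...]}
# An empty subcontractor list means the vendor has not disclosed anything yet.
DISCLOSURES = {
    "CoreProcessorCo":  {"services": ["core banking", "online banking"],
                         "subcontractors": ["CloudHost A", "Ledger SDK Inc"]},
    "PaymentsGateway":  {"services": ["ACH", "wire"],
                         "subcontractors": ["CloudHost A", "FraudScoring Ltd"]},
    "StatementPrinter": {"services": ["customer statements"],
                         "subcontractors": ["PrintMail Corp"]},
    "SIEMVendor":       {"services": ["security monitoring"],
                         "subcontractors": []},   # disclosure gap
}


def build_dependency_graph(disclosures):
    """Invert the disclosures: fourth party -> set of critical vendors that rely on it."""
    graph = defaultdict(set)
    for vendor, info in disclosures.items():
        for sub in info["subcontractors"]:
            graph[sub].add(vendor)
    return dict(graph)


def concentration_report(disclosures, threshold=2):
    """Return fourth parties that at least `threshold` critical vendors share.

    A shared provider is a single point of failure the institution has no
    contract with, which is the scenario the article describes.
    """
    graph = build_dependency_graph(disclosures)
    return {sub: sorted(vendors) for sub, vendors in graph.items()
            if len(vendors) >= threshold}


def blast_radius(disclosures, fourth_party):
    """Services the institution loses if `fourth_party` fails, and the vendors in between."""
    affected_vendors = sorted(v for v, info in disclosures.items()
                              if fourth_party in info["subcontractors"])
    services = sorted({s for v in affected_vendors for s in disclosures[v]["services"]})
    return {"vendors": affected_vendors, "services": services}


def disclosure_gaps(disclosures):
    """Critical vendors with no subcontractor disclosure on file: a visibility gap to close."""
    return sorted(v for v, info in disclosures.items() if not info["subcontractors"])


if __name__ == "__main__":
    for sub, vendors in concentration_report(DISCLOSURES).items():
        print(f"{sub}: shared by {', '.join(vendors)}")
    print("If CloudHost A fails:", blast_radius(DISCLOSURES, "CloudHost A"))
    print("Vendors missing disclosures:", disclosure_gaps(DISCLOSURES))
```

Run against the constructed data, the concentration report flags CloudHost A as shared by both the core processor and the payments gateway, the blast-radius query shows that its failure takes down core banking, online banking, ACH and wire at once, and the gap check lists the SIEM vendor whose disclosure has not been obtained. Re-running the same three functions each due diligence cycle, against refreshed disclosures, is what turns the contractual notification rights discussed below into a living map rather than a one-time questionnaire.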

Contractual Leverage Is the Key Tool

Once you have visibility, you need leverage. The 2023 Joint Guidance specifically notes that contracts with third parties should include provisions addressing subcontractor management — the right to review subcontractor arrangements, notification requirements when material subcontractors change, and expectations for how vendors manage their own supply chain risk.

Institutions that negotiate these provisions before signing are in a fundamentally different position than those who discover mid-incident that their vendor's vendor has failed and they have no visibility into the recovery timeline.

The Examiner Expectation

The OCC's Spring 2025 Semiannual Risk Perspective notes that "recent disruptions highlight the importance of sound third-party risk management." When examiners reference "disruptions," they include precisely these cascading supply chain failures — events that originated outside the institution's direct vendor relationships but produced significant operational impact.

Fourth-party risk is no longer a theoretical concern. It is an active examination topic, a documented source of operational disruption, and a gap that institutions can close — with the right contractual language, the right due diligence questions, and the right visibility into their vendor ecosystem.


ERM Pilot's Vendor Management module includes dependency mapping through Navigator — so you can see exactly what breaks, and what it affects, before a disruption occurs. Start a free trial at ermpilot.com.

Article References —

1. Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, and Board of Governors of the Federal Reserve System. Interagency Guidance on Third-Party Relationships: Risk Management. OCC Bulletin 2023-17; FDIC FIL-29-2023; Federal Reserve SR 23-4. June 6, 2023. Available at: https://www.occ.gov/news-issuances/bulletins/2023/bulletin-2023-17.html

2. Office of the Comptroller of the Currency. Third-Party Relationships: Interagency Guidance on Risk Management. OCC Bulletin 2023-17. Washington, D.C.: OCC, June 6, 2023. Available at: https://www.occ.gov/news-issuances/bulletins/2023/bulletin-2023-17.html

3. Board of Governors of the Federal Reserve System. SR 23-4: Interagency Guidance on Third-Party Relationships: Risk Management. Washington, D.C.: Federal Reserve, June 6, 2023. Available at: https://www.federalreserve.gov/supervisionreg/srletters/SR2304.htm

4. Office of the Comptroller of the Currency. Fiscal Year 2025 Bank Supervision Operating Plan. Washington, D.C.: OCC, October 2024. Available at: https://www.occ.gov/news-issuances/news-releases/2024/nr-occ-2024-111a.pdf

5. Federal Financial Institutions Examination Council. Business Continuity Management. IT Examination Handbook. Washington, D.C.: FFIEC, November 2019. Available at: https://ithandbook.ffiec.gov/it-booklets/business-continuity-management

6. Cybersecurity and Infrastructure Security Agency. #StopRansomware Guide. Washington, D.C.: CISA, Updated 2023. Available at: https://www.cisa.gov/stopransomware/ransomware-guide
