We recently had a service disruption because our cloud provider’s CDN went down. We didn't even know they used that specific CDN! How can we, as CRISC professionals, perform a thorough risk assessment on our vendors' own vendors (the fourth parties) without it becoming a never-ending cycle of audits? Is there a standard "Stopping Point"?
3 answers
You can't audit everyone, so you must use a "Risk-Based Approach." In 2023, we started requiring our Tier 1 vendors to provide their own third-party risk management (TPRM) report as part of the contract. We look for a "Summary of Residual Risks" in their Fourth-Party ecosystem. You don't audit their vendors; you audit their process for managing their vendors. If your primary vendor doesn't have a robust TPRM program, that itself is a high-level risk you need to report to your Governance Board for "Risk Acceptance" or "Avoidance."
Have you looked into using a "Cyber Risk Rating" tool? These platforms can sometimes give you a map of a vendor's digital footprint, including the fourth parties they rely on, without you having to ask them directly.
Always check the "Concentration Risk." If all your vendors are using the same fourth-party (like AWS or a major DNS provider), you have a single point of failure that no audit can fix.
Nancy hits the nail on the head. Awareness of concentration risk is a strategic insight that separates a CRISC professional from a basic IT auditor.
Jeffrey, we tried one of those tools, but it gave us too many false positives. Cynthia, your idea of "auditing the process" is much more aligned with the CRISC Domain 1 (Governance). If I can see that my vendor is doing their due diligence on their CDN, I can sleep better. I’m going to update our "Right to Audit" clauses in new contracts to specifically include a review of the vendor's internal TPRM reports. It’s a way to scale our oversight without needing a team of 50 auditors.