Fourth-party risk: the vendors behind your vendors
Two vendors can look independent and still fail together. Your real concentration risk lives one level down, where most programs never look.
You assess your suppliers. Your suppliers depend on their own suppliers. When a single cloud provider, identity provider or payments processor sits behind dozens of your vendors, that concentration never appears on your register, because each vendor is recorded and scored on its own. The exposure that matters most sits one level down, in the fourth parties most programs never map.
Concentration hides in the fourth party
Two vendors can look completely independent on your register and still fail together, because they run on the same infrastructure underneath. That shared dependency is invisible until it breaks, and when it does, what looked like diversified risk turns out to have been a single point of failure wearing two logos.
The pattern shows up everywhere once you look for it: the same hosting provider behind your CRM and your payroll tool, the same identity provider behind half your SaaS stack, the same payment processor behind three "independent" billing vendors.
You cannot assess what you cannot see
Directly assessing every fourth party is neither practical nor, in most cases, something you have the contractual right to do. The workable move is to make the dependency visible rather than pretending to control it.
- Capture critical subprocessors as part of each material vendor's record, at onboarding and at every reassessment.
- Roll them up across the portfolio to see where many vendors share one underlying provider. That roll-up is your real concentration map.
- Treat a heavy concentration as a finding in its own right, even when every individual vendor scores well. The risk is the overlap, not any single relationship.
- Watch the big shared dependencies directly. Follow the status pages and incident disclosures of the providers that dominate your roll-up, because an incident at a provider you have never contracted with can still be the most important alert of your quarter.
A standing question, not a one-off audit
Fourth-party exposure shifts as your vendors change their own stacks, which they do constantly and usually without telling you. A one-time mapping exercise decays within a year. Ask for critical subprocessors at onboarding, refresh the answer each cycle, and the map stays current: a new concentration shows up as a change you can act on rather than a headline you read about. Where a vendor publishes a subprocessor list or sends change notices under its data-processing terms, feed those into the same record between cycles instead of waiting for the next reassessment.
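The roll-up described in the list above, and the cycle-over-cycle comparison in the paragraph above, as an added example that is not part of the original article. Vendor names, provider names, tiers and thresholds are all constructed placeholders; the tier weighting and the 40% share threshold are assumptions chosen to make the concentration finding visible, not figures from the page.

```python
"""Fourth-party concentration map: roll disclosed subprocessors up across a
vendor register, raise findings on shared dependencies, and diff two cycles.

Added example, not from the original article. All names and thresholds are
constructed placeholders.
"""
from collections import defaultdict

# Constructed register (hypothetical vendors and providers): each material
# vendor with its tier (1 = most critical) and the critical subprocessors it
# disclosed at onboarding or reassessment.
REGISTER_Q1 = {
    "crm-suite":     {"tier": 1, "subprocessors": ["cloud-a", "idp-x"]},
    "payroll-tool":  {"tier": 1, "subprocessors": ["cloud-a", "idp-x"]},
    "billing-one":   {"tier": 1, "subprocessors": ["cloud-b", "pay-proc-p"]},
    "billing-two":   {"tier": 2, "subprocessors": ["cloud-a", "pay-proc-p"]},
    "billing-three": {"tier": 2, "subprocessors": ["cloud-c", "pay-proc-p"]},
    "ticketing":     {"tier": 3, "subprocessors": ["cloud-b", "idp-x"]},
    "wiki":          {"tier": 3, "subprocessors": ["cloud-c"]},
}

# The same register one cycle later: billing-one has moved from cloud-b to
# cloud-c without any change to its own assessment score.
REGISTER_Q2 = {**REGISTER_Q1,
               "billing-one": {"tier": 1, "subprocessors": ["cloud-c", "pay-proc-p"]}}

# Illustrative assumption: a tier-1 vendor counts three times a tier-3 one.
TIER_WEIGHT = {1: 3, 2: 2, 3: 1}


def roll_up(register):
    """Map each fourth party to the set of vendors that depend on it."""
    by_fourth = defaultdict(set)
    for vendor, rec in register.items():
        for sub in rec["subprocessors"]:
            by_fourth[sub].add(vendor)
    return dict(by_fourth)


def concentration(register):
    """Per fourth party: dependent vendors, their count, how many are tier-1,
    and the tier-weighted share of the portfolio stacked on top of it."""
    total_weight = sum(TIER_WEIGHT[r["tier"]] for r in register.values())
    result = {}
    for sub, vendors in roll_up(register).items():
        weight = sum(TIER_WEIGHT[register[v]["tier"]] for v in vendors)
        result[sub] = {
            "vendors": sorted(vendors),
            "count": len(vendors),
            "tier1": sum(1 for v in vendors if register[v]["tier"] == 1),
            "share": round(weight / total_weight, 3),
        }
    return result


def findings(register, max_share=0.4, max_tier1=1):
    """A fourth party becomes a finding in its own right when the weighted
    share resting on it reaches max_share, or more than max_tier1 tier-1
    vendors depend on it. Individual vendor scores never enter into this."""
    out = []
    for sub, c in sorted(concentration(register).items()):
        reasons = []
        if c["share"] >= max_share:
            reasons.append(f"share {c['share']:.0%} >= {max_share:.0%}")
        if c["tier1"] > max_tier1:
            reasons.append(f"{c['tier1']} tier-1 vendors")
        if reasons:
            out.append({"fourth_party": sub, "vendors": c["vendors"], "reasons": reasons})
    return out


def diff_cycles(old, new, **thresholds):
    """Compare two reassessment cycles: which vendors changed their disclosed
    subprocessors, and which fourth parties newly became (or stopped being) a
    concentration finding. This is the change you act on between cycles."""
    moved = {
        v: (sorted(old[v]["subprocessors"]), sorted(new[v]["subprocessors"]))
        for v in old.keys() & new.keys()
        if set(old[v]["subprocessors"]) != set(new[v]["subprocessors"])
    }
    before = {f["fourth_party"] for f in findings(old, **thresholds)}
    after = {f["fourth_party"] for f in findings(new, **thresholds)}
    return {"moved": moved,
            "new_findings": sorted(after - before),
            "cleared": sorted(before - after)}


if __name__ == "__main__":
    for f in findings(REGISTER_Q1):
        print(f"FINDING {f['fourth_party']}: {', '.join(f['reasons'])} -> {f['vendors']}")
    print(diff_cycles(REGISTER_Q1, REGISTER_Q2))
```

In the constructed Q1 register every vendor would pass its own assessment, yet cloud-a carries two tier-1 vendors and over half the weighted portfolio, and the three "independent" billing vendors all sit on pay-proc-p. The Q2 diff shows the point of refreshing the record each cycle: a single vendor's quiet infrastructure move turns cloud-c into a new finding that no per-vendor reassessment would have surfaced.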
The takeaway
Your biggest single point of failure is probably a fourth party you have never assessed and never will. You do not need to assess it. You need to see it, name it, and decide deliberately how much of your portfolio you are willing to stack on top of it.