Monitoring your fourth-nth parties

  • Release version: Yokohama
  • Updated March 12, 2026

    By using the Third-party Risk Management application, you can identify and manage the risks that arise when your third parties depend on the services of fourth-nth parties. By monitoring your fourth-nth parties, you can help ensure that they adhere to the same security and compliance standards as the primary third party.

    Fourth-nth parties

    Fourth-nth parties can include various entities, such as sub-suppliers, service providers, consultants, or any other organization that the third party relies on to deliver its products or services. These parties could have access to your sensitive data, systems, or processes, which makes them potential sources of risk.

    Let's look at some fourth-nth party risk examples:
    Parts
    A company regularly uses an item from a third party that relies on a hardware part from another organization. In this case, the organization that provides the additional part is a fourth party that can potentially create a downstream risk for the item that is provided by the third party.
    Services
    A company stores its payroll application by using the Automatic Data Processing (ADP) service. The ADP service is a third-party service that relies on Amazon Web Services (AWS) to store its data. The ADP service depends on AWS to have security measures and processes in place to safeguard their data and maintain its safety. Although AWS is often a third party of primary services, the AWS service is a fourth party to the third party ADP in this case.

    You can link two fourth parties to each other. For example, a link can occur when an organization that provides an additional part relies on another fourth party to deliver the hardware part. However, you can't create a loop when you link two fourth parties. The starting point can be either a third or fourth party. For example, let's consider Fourth party A, which has a child Fourth party B. Fourth party B, in turn, has a child Fourth party C. However, Fourth party C can’t have a child that leads back to Fourth party A. This restriction ensures that a circular dependency isn’t formed among the fourth parties.
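The loop restriction above amounts to keeping the supplier links a directed acyclic graph. The following sketch is an added example, not ServiceNow code or its data model: the `SupplierGraph` class, its method names, and the party names are hypothetical. It rejects a link that would lead back to an ancestor, and goes slightly beyond the text by also listing every party downstream of a third party with its tier.

```javascript
// Added illustration: in-memory model of downstream supplier links (hypothetical names).
class SupplierGraph {
  constructor() {
    this.children = new Map(); // party -> Set of its direct downstream suppliers
  }

  // True if `target` is reachable from `start` by following downstream links.
  reaches(start, target) {
    const stack = [start];
    const seen = new Set();
    while (stack.length > 0) {
      const node = stack.pop();
      if (node === target) return true;
      if (seen.has(node)) continue;
      seen.add(node);
      for (const child of this.children.get(node) || []) stack.push(child);
    }
    return false;
  }

  // Link `child` under `parent`; refuse any link that would close a loop.
  addLink(parent, child) {
    if (this.reaches(child, parent)) {
      throw new Error(`${parent} -> ${child} would create a circular dependency`);
    }
    if (!this.children.has(parent)) this.children.set(parent, new Set());
    this.children.get(parent).add(child);
  }

  // Map of every party downstream of `thirdParty` to its tier (4 = fourth party, 5 = fifth, ...).
  downstream(thirdParty) {
    const tiers = new Map();
    let frontier = [thirdParty];
    for (let tier = 4; frontier.length > 0; tier++) {
      const next = [];
      for (const node of frontier) {
        for (const child of this.children.get(node) || []) {
          if (!tiers.has(child)) { tiers.set(child, tier); next.push(child); }
        }
      }
      frontier = next;
    }
    return tiers;
  }
}
```

Linking a third party to Fourth party A, A to B, and B to C succeeds; a further `addLink("Fourth party C", "Fourth party A")` throws because A already reaches C.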

    Fourth-nth party actions

    As part of your risk management program, you can add fourth-nth party information manually or by collecting responses from a third party by using a fourth-party registration questionnaire. You can manually create a fourth-nth party record if you don't have time to send a questionnaire to a third party or only need to create one record. After reviewing and registering, or manually creating these fourth-nth party records, they’re available for monitoring by using Vendor Management Workspace. As your business relationships change, you can keep relevant information current by promoting a fourth-nth party record to a third-party record. This third-party record incorporates all existing information and then designates the existing fourth-nth party as a known fourth party.

    Here are the different actions that you can take to manage and monitor fourth-nth parties:

    Register the fourth-nth parties
    If you're a third-party risk (TPR) assessor or manager, you can register fourth-nth parties after collecting responses from a third party by using the fourth-party registration questionnaire. You can send the fourth-party registration questionnaire only to the third parties and not engagements. For more information, see Register a fourth-nth party.
    View the fourth-nth parties that are associated with a third party
    You can view all the related fourth-nth parties by navigating to the Downstream suppliers tab of the third-party page in Vendor Management Workspace. Viewing all the fourth parties that are linked to a third party can help you make informed decisions about initiating or continuing a relationship with an engagement. For instance, if a fourth party that is associated with a third party is known for higher risks in the automotive industry, it might still be acceptable to pursue an engagement in a different industry. However, if an engagement with the same third party involves the automotive industry, the risk could be considered too high.

    For more information on how to view all the related fourth-nth parties, see Viewing information on fourth parties.

    View the fourth-parties overview section
    You can view the known fourth parties, the sub-parties that are associated with the third parties, and the unknown fourth parties by navigating to the Vendor Management Workspace home page. Having this high-level view is helpful in understanding how much information is available for a fourth party and how it relates to the other third parties and engagements. For example, if it’s a known fourth party, you can leverage all the existing due diligence information that was gathered while it was assessed as a third party.
    Note:
    Known fourth parties are organizations that have already been used as third parties in your risk management program. Unknown fourth parties are organizations that are categorized only as fourth parties and haven’t been used or identified as third parties.

    For more information on viewing the known fourth parties, the sub-parties that are associated with the third parties, and the unknown fourth parties, see TPRM Home page.

    Manually create a fourth-nth party record
    If you’re a TPR assessor or manager, you can manually create a fourth-nth party record.

    For more information on how to create a fourth-nth party record, see Create a fourth-nth party record.

    Note:
    You can add an existing third party as a fourth-nth party to another third party by navigating to the Downstream suppliers tab of a third-party page in the Vendor Management Workspace and selecting Add. After it’s added, the existing third party is categorized as both a third party and a fourth-nth party for the chosen third party, and it includes all collected information.
    Promote a fourth-nth party to a third party
    If you’re a TPR assessor or manager, you can promote a fourth-nth party record to a third party. After you promote a fourth-nth party to a third party, a third-party record is created and the existing fourth-nth party is identified as a known fourth party.

    For more information on how to promote a fourth-nth party record to a third-party record, see Promote a fourth-nth party to a third party.