TPRM’s Wish List for Third and Fourth Party Risk Management
- Lisa Kalscheur & Sasha Tuel
- Jan 6

At recent industry conferences globally – and in 1:1 conversations with TPRM leaders at financial institutions – we’ve heard an urgent need to identify risk not just from suppliers, but from the suppliers of the suppliers.
Fourth- and sometimes even fifth-party risk management is both a rising concern and a 2026 imperative.
Today’s TPRM leaders understand the need for foresight, but are stuck with reactive, backward-looking systems. Current systems can’t connect the dots to map their third-, fourth-, and fifth-parties – let alone uncover emerging risks. The predominant narratives from 2025 highlight the urgency:
- $581M in insurance losses from the recent half-day AWS outage. Short-lived events can still generate systemic impact when concentration risk is hidden.
- 63% of organizations in the US report higher than expected supply chain losses. Losses are increasingly driven by indirect dependencies, not primary vendors alone.
- £32.7M in estimated direct losses at NHS pathology provider Synnovis, which also saw attackers exfiltrate and publish patient data from more than 300M NHS patient interactions, disrupting services across multiple London hospitals.
TPRM Leaders Know What They Need
When we talk to TPRM leaders in person, the recurring questions are:
“What’s my exposure when 25% of my vendors rely on Amazon? Or NVIDIA? Or Maersk?” - Managing Director, TPRM, Global Systemically Important Bank (G-SIB)
“What effect do tariffs have on my vendors’ supplier networks overseas?” - Head of Operational Resilience & Supply Chain Risk, Multinational Financial Institution
“Which companies we’re invested in can’t deliver to their customers unless their own vendors deliver to them?” - Head of Credit Risk & Portfolio Monitoring, Global Commercial Bank
Across these conversations, the message has been consistent: risk is no longer linear, and it's no longer confined to named vendors.
Traditional TPRM Approaches Are Insufficient
The challenge isn’t vendor due diligence – it’s interdependency, concentration, and propagation.
Traditional TPRM approaches struggle to show how risk accumulates across shared providers, geographies, and critical infrastructure before something breaks.
From those same conversations, a clear set of needs is emerging:
- Interdependency + concentration mapping across third-, fourth-, and fifth-party relationships to spot single points of failure.
- 360° ecosystem view, spanning FMIs, brokers, exchanges, and shared infrastructure – not siloed vendor lists.
- Forward-looking, predictive visibility, so teams can get away from backward-looking incident reviews and focus on early signals when “things start to wobble.”
- Deep explainability + regulator-ready traceability, with traceable source links and defensible next-best actions.
These needs highlight a broader industry mandate across risk governance.
Our CEO, Nosa Omoigui, recently explored these same themes in Forbes, emphasizing how today’s interconnected risk landscape demands proactive insight, defensible AI reasoning, and visibility across the full ecosystem of dependencies. It’s the same shift that TPRM leaders described to us: moving from past-looking reviews to continuous, transparent oversight.
And that’s exactly where Weave.AI comes in.
Weave.AI continuously ingests, normalizes, and contextualizes data from financial, regulatory, and operational domains – building the industry’s most comprehensive dataset for TPRM benchmarking and alerting.
Rather than stopping at vendor-level risk scores, Weave.AI enables TPRM teams to:
- Understand how external shocks propagate through supplier and counterparty ecosystems
- Detect early signals of emerging risk, before they become incidents
- Produce traceable, regulator-ready insights grounded in verifiable source evidence
The result is a shift from reactive vendor oversight to forward-looking ecosystem intelligence – giving TPRM leaders the foresight, defensibility, and confidence required to govern risk in an increasingly interconnected world.