Third Party Therapy - Layla White - Beyond Third Parties: Mapping Fourth-Party Risk and Early-Stage Suppliers

Beyond Third Parties: Mapping Fourth-Party Risk and Early-Stage Suppliers – with Layla White (TechPassport)

Episode overview

Season 2 opens with a practical deep dive into one of the hardest problems in modern third-party risk management: understanding what sits beyond your immediate suppliers. Mike is joined by Layla White, founder of TechPassport, to unpack why fourth- and fifth-party dependencies remain opaque, how early-stage suppliers change the risk profile, and why traditional questionnaires and web-scraping approaches struggle to keep up with today’s supply chains.

The conversation blends lived experience from financial services procurement and vendor management with a grounded look at how supply chain mapping actually works in the wild, where outages, cloud concentration, geopolitics, and cyber incidents collide.

What you’ll hear in this episode

• Why fourth- and fifth-party risk is still a blind spot for many organisations
• The limits of questionnaires and AI/web-scraped data for mapping supply chains
• How to identify critical dependencies deeper in the supply chain
• The problem of hidden concentration risk (especially with cloud and shared infrastructure)
• Why small suppliers and early-stage tech firms introduce different resilience risks
• The importance of validating supplier-provided data rather than guessing from public sources
• How outages propagate through unseen dependencies
• Why supply chain risk now stretches beyond cyber into resilience, data, ESG, and modern slavery
• Where regulation is pushing firms to understand and evidence extended dependencies

Key takeaways

• Supply chain risk is no longer a third-party problem. The real fragility often sits further down the chain.
• Public signals and scraped data are useful clues, not ground truth. Critical dependencies usually only emerge when suppliers confirm them directly.
• Concentration risk is rarely obvious until something breaks. Mapping dependencies before an incident is the difference between response and surprise.
• Early-stage suppliers need structure and support to meet enterprise expectations, not just scrutiny.
• Effective TPRM is a system of approaches, not a single tool. Questionnaires, live data, mapping, and supplier engagement all have different strengths.

Guest bio

Layla White is the founder of TechPassport, a platform focused on improving how organisations gather and manage supplier information, map extended supply chains, and engage early-stage technology providers. Layla previously worked in financial services procurement and vendor management, where she experienced first-hand the friction, delays, and blind spots that exist in traditional third-party onboarding and supply chain visibility.

Who this episode is for

• Third-Party Risk and Operational Resilience leaders
• Procurement and Vendor Management teams
• Cyber and Cloud risk practitioners
• Risk, Compliance, and Resilience professionals
• Anyone grappling with fourth-party visibility, concentration risk, or supplier onboarding in complex ecosystems

Listen to the episode

🎧 Full episode: https://thirdpartytherapy.com

Tags / themes

TPRM, Fourth-Party Risk, Supply Chain Mapping, Concentration Risk, Operational Resilience, Early-Stage Suppliers, Cloud Dependencies, Cyber Resilience