Beyond Third Parties: Mapping Fourth-Party Risk and Early-Stage Suppliers – with Layla White (TechPassport) Episode overview Season 2 opens with a practical deep dive into one of the hardest problems in modern third-party risk management: understanding what sits beyond your immediate suppliers. Mike is joined by Layla White, founder of TechPassport, to unpack why fourth- and fifth-party dependencies remain opaque, how early-stage suppliers change the risk profile, and why traditional questionnaires and web-scraping approaches struggle to keep up with today’s supply chains. The conversation blends lived experience from financial services procurement and vendor management with a grounded look at how supply chain mapping actually works in the wild, where outages, cloud concentration, geopolitics, and cyber incidents collide. What you’ll hear in this episode Why fourth- and fifth-party risk is still a blind spot for many organisationsThe limits of questionnaires and AI/web-scraped data for mapping supply chainsHow to identify critical dependencies deeper in the supply chainThe problem of hidden concentration risk (especially with cloud and shared infrastructure)Why small suppliers and early-stage tech firms introduce different resilience risksThe importance of validating supplier-provided data rather than guessing from public sourcesHow outages propagate through unseen dependenciesWhy supply chain risk now stretches beyond cyber into resilience, data, ESG, and modern slaveryWhere regulation is pushing firms to understand and evidence extended dependenciesKey takeaways Supply chain risk is no longer a third-party problem. The real fragility often sits further down the chain.Public signals and scraped data are useful clues, not ground truth. Critical dependencies usually only emerge when suppliers confirm them directly.Concentration risk is rarely obvious until something breaks. Mapping dependencies before an incident is the difference between response and surprise.Early-stage suppliers need structure and support to meet enterprise expectations, not just scrutiny.Effective TPRM is a system of approaches, not a single tool. Questionnaires, live data, mapping, and supplier engagement all have different strengths.Guest bio Layla White is the founder of TechPassport, a platform focused on improving how organisations gather and manage supplier information, map extended supply chains, and engage early-stage technology providers. Layla previously worked in financial services procurement and vendor management, where she experienced first-hand the friction, delays, and blind spots that exist in traditional third-party onboarding and supply chain visibility. Who this episode is for Third-Party Risk and Operational Resilience leadersProcurement and Vendor Management teamsCyber and Cloud risk practitionersRisk, Compliance, and Resilience professionalsAnyone grappling with fourth-party visibility, concentration risk, or supplier onboarding in complex ecosystemsListen to the episode 🎧 Full episode: https://thirdpartytherapy.com Tags / themes TPRM, Fourth-Party Risk, Supply Chain Mapping, Concentration Risk, Operational Resilience, Early-Stage Suppliers, Cloud Dependencies, Cyber Resilience
