
Third Party Therapy - Layla White - Beyond Third Parties: Mapping Fourth-Party Risk and Early-Stage Suppliers
Risks from uncontrolled scaling of small suppliers
Mike and Layla discuss how small POC vendors can scale quickly inside enterprises, creating support and resilience risks.
Beyond Third Parties: Mapping Fourth-Party Risk and Early-Stage Suppliers – with Layla White (TechPassport)
Episode overview
Season 2 opens with a practical deep dive into one of the hardest problems in modern third-party risk management: understanding what sits beyond your immediate suppliers. Mike is joined by Layla White, founder of TechPassport, to unpack why fourth- and fifth-party dependencies remain opaque, how early-stage suppliers change the risk profile, and why traditional questionnaires and web-scraping approaches struggle to keep up with today’s supply chains.
The conversation blends lived experience from financial services procurement and vendor management with a grounded look at how supply chain mapping actually works in the wild, where outages, cloud concentration, geopolitics, and cyber incidents collide.
What you’ll hear in this episode
- Why fourth- and fifth-party risk is still a blind spot for many organisations
- The limits of questionnaires and AI/web-scraped data for mapping supply chains
- How to identify critical dependencies deeper in the supply chain
- The problem of hidden concentration risk (especially with cloud and shared infrastructure)
- Why small suppliers and early-stage tech firms introduce different resilience risks
- The importance of validating supplier-provided data rather than guessing from public sources
- How outages propagate through unseen dependencies
- Why supply chain risk now stretches beyond cyber into resilience, data, ESG, and modern slavery
- Where regulation is pushing firms to understand and evidence extended dependencies
Key takeaways
- Supply chain risk is no longer a third-party problem. The real fragility often sits further down the chain.
- Public signals and scraped data are useful clues, not ground truth. Critical dependencies usually only emerge when suppliers confirm them directly.
- Concentration risk is rarely obvious until something breaks. Mapping dependencies before an incident is the difference between response and surprise.
- Early-stage suppliers need structure and support to meet enterprise expectations, not just scrutiny.
- Effective TPRM is a system of approaches, not a single tool. Questionnaires, live data, mapping, and supplier engagement all have different strengths.
Guest bio
Layla White is the founder of TechPassport, a platform focused on improving how organisations gather and manage supplier information, map extended supply chains, and engage early-stage technology providers. Layla previously worked in financial services procurement and vendor management, where she experienced first-hand the friction, delays, and blind spots that exist in traditional third-party onboarding and supply chain visibility.
Who this episode is for
- Third-Party Risk and Operational Resilience leaders
- Procurement and Vendor Management teams
- Cyber and Cloud risk practitioners
- Risk, Compliance, and Resilience professionals
- Anyone grappling with fourth-party visibility, concentration risk, or supplier onboarding in complex ecosystems
Listen to the episode
🎧 Full episode: https://thirdpartytherapy.com
Tags / themes
TPRM, Fourth-Party Risk, Supply Chain Mapping, Concentration Risk, Operational Resilience, Early-Stage Suppliers, Cloud Dependencies, Cyber Resilience


