Identifying, Assessing and Mitigating Vendor Financial Risk

Within third-party risk management programs, financial health is interconnected with other risk domains and must be concurrently monitored with these domains to ensure proper risk mitigation on vendors. Performing adequate financial due diligence and screening can identify long-tail risks that impact a vendor’s overall operations which can lead to downstream issues in other areas of their business.

Your organization should implement a thorough financial health review process on vendors and ensure that the findings are shared amongst other areas of your risk management program. This helps to ensure adequate responses to the risks vendors pose on your organization and continue the maturation of your financial health reviews and third-party risk management program.

How to Identify and Assess Financial Risks and Red Flags

As part of your financial health and review process, your organization may employ in-house subject matter experts, use outsourced resources or a combination of both. Regardless of your approach, having a clearly defined process to review the financial health of vendors and document it can go a long way to mitigate underlying risks that can impact your organization’s operations.

To start, you should work to collect consistent financial information from your vendors by requesting items such as:

• Audited financial statements (which are considered the “gold standard” of a financial health review)
• Internally prepared/unaudited financial statements
• A financial health letter prepared by the management team of the vendor
• A third-party report such as a credit risk or business health overview on the vendor

These documents should be collected on vendors at least on an annual cadence. Incorporating a consistent document collection process (which may be contractually agreed upon between your organization and your vendors) can go a long way to ensure that your financial health reviews are adequate.

From there, your team (at a minimum) should review the three primary financial statements – income statement, balance sheet, cash flow statement – and key metrics and ratios, such as current assets ratio derived from the balance sheet or profitability margins derived from the income statement, within each financial statement to gather information on a vendor’s financial performance and trends. These can be used in tandem with management discussion and analysis on performance from the vendor as well as a vendor’s accompanying commentary and footnotes that either are reviewed/audited by a third-party accounting/audit firm or are directly provided by the vendor’s management team.

During this process, your organization may identify financial health risks and red flags such as declining revenue, lack of profitability, limited liquidity/low cash balances or other risk factors. These other risk factors can include events (such as data breaches) that have led to financial liabilities that the vendor is obligated to pay down or outstanding litigation matters on various business issues a vendor may have. Together with your review on the vendor’s financial performance and metrics, these identified concerns can paint a holistic picture of the vendor’s financial health (whether it is good or poor) and can work hand-in-hand with other risk management activities your team is performing across the rest of your program.

Connected Domino Effect of Poor Financial Health on Vendor Operations

A vendor with red flags across its financial profile or with poor financial health as identified by your organization can lead to downstream impacts on its operations. This is colloquially known as the ‘domino effect,’ which sums up what can happen to a vendor’s business with early concerns in the realm of financial health.

For instance, when a vendor shows signs of declining financial performance, such as decreasing revenue, it can lead to a ‘domino effect’ in other areas of the vendor’s business. Often times to offset the losses in revenue, the vendor may institute staff or cost cuts to salvage profitability or maintain adequate liquidity. With these staff cuts, there may be other risks that arise thereafter, such as the vendor performing poorly against SLAs, increasing application downtime/bugs, potential exposure to data breaches and other new risks that arise due to lower investment and staffing.

Using financial health reviews and monitoring can provide your organization with early signals on vendors that your team can work to mitigate and address in advance of other issues arising. When combined with other areas of your third-party risk management program, the red flags found early in your financial health review process can effectively mitigate future concerns/risks and prevent the impact of the domino effect on a vendor’s holistic business and operating environment.

2 Strategies to Mitigate Vendor Financial Risks

Once your organization implements a consistent financial health review process for your vendors, conducts these reviews on a regular cadence (at a minimum, on an annual basis) and cross-collaborates with the other areas of your third-party risk management program, you should focus a good portion of your time and effort on working to preemptively mitigate the risks that have been identified.

Here are two strategies to consider:

• Request additional information from the vendor. This incremental due diligence may help gather enough intel from the vendor to make your organization comfortable with the vendor’s risk reduction strategy and the steps the vendor has taken to address the identified areas of risk.
• Include language within your vendor contracts that speak directly to financial performance metrics that a vendor must maintain plus financial due diligence requirements must fulfill that fit your third-party risk management program. These can include items such as ensuring the vendor has at least 18 months’ worth of liquidity/capital to sustain its operations (can come in the form of a ‘going concern letter’ from the vendor’s financial auditor or directly from the vendor’s management team) or a contractual obligation that calls for the vendor to provide annual financial statements to your organization to help fulfill your financial due diligence and financial health review processes.

Financial health reviews are a critical component of an organization’s third-party risk management program that coincide with other areas and domains to gather a full, comprehensive risk profile on a vendor. With proper financial due diligence processes, your organization can get ahead of other downstream risks that a vendor may pose to your business and provide you with opportunities to preemptively mitigate and address these risks in an adequate fashion.

It’s always important to start your vendor financial health reviews early and maintain a consistent methodology and documentation for evaluations, as it can go a long way to reduce the magnitude and impact of poor vendor financial health on your team and operations.