  • 1.  Vendor Financial Health

    Posted 03-03-2022 06:29 PM
    As we're continuing to mature our TPRM program, we're looking at various documents to get from our most critical vendors. One area we know we need to look at is a vendor's financial health. We're trying to figure out which financial reports we should get from those critical vendors.

    Also, getting some of those reports will be easier for vendors that are public. However, those that are private may be a little more difficult. Thoughts on how to deal with private companies that will not provide financial reports?

    Thank you!

  • 2.  RE: Vendor Financial Health

    Posted 03-04-2022 08:59 AM
    We handle this a couple of different ways.

    The first is being very selective about which organizations we request financials from; we base this off the assessed risk related to operational criticality.  The second is we always ask; regardless of whether the organization is public or private, the initial request is the same.  That being said, private organizations are much more difficult to obtain information from.  All initial requests for financials are for "most recent annual financial statement(s)".

    Third, if we get push back on financials we try to be flexible.  We find that we often get a flat "no"; we come back and try to start a conversation that is centered not around what you won't provide but what you can provide.  Fourth, if we ultimately accept alternative information in lieu of complete financial statements we document the exception to include the rationale: what we got, why we believe it is sufficient to mitigate risk.  Fifth, if we really think the complete financials are necessary to mitigate the risk from the relationship we will write that into the contract as required annual due diligence.

    If we get push back on providing complete financials, here is the initial communication we use to try to focus on what can be provided versus what can't: 

    "If it is the Company's practice not to share a full set of financials, we are happy to work with you to identify alternate documentation that you can provide that will still allow us to complete our required due diligence.  Alternate documentation might be something like:

    • a copy of just the balance sheet,
    • an overview of the key financial metrics and a statement of overall financial health or
    • opinion on financial statements from independent accountant.

    Please let me know what you can provide for us in lieu of complete financials."

    In my experience most companies will work with you if you are flexible.  We have had conversations with CFOs to discuss financial position, viewed financial statements without the ability to copy, had conversations with the third-party accounting firm that oversees the financial reporting, etc.  For our organization, I can't stress flexibility enough.  The financial information should be more than a due diligence check box; what you request and ultimately agree to accept should truly mitigate or help you understand the risk from the relationship.  Flexibility, I have found, is also key in building partnerships with the individual business units.

    If we need to push harder our standard language is:

    "Based on your experience working with other banks, you know banking is a highly regulated industry and you may also be familiar with the FDIC's guidance for managing third-party risks (FIL 44-2008).  We are accountable for effectively evaluating all third party risk.  As such, it is our responsibility to conduct comprehensive due diligence in order to identify, understand and mitigate risk arising from our third party relationships. 

    One aspect of evaluating third party risk is ensuring that our partners have a financial position sufficient to support their ongoing operations and to provide ongoing uninterrupted services to us in both the short and longer terms.  We have found financial statements to be an effective way to evaluate the financial health of the third parties that we do business with consistent with FDIC guidance."

    You are definitely not alone in experiencing issues around financial due diligence!

    Shelly Chase
    AVP Operational Risk

  • 3.  RE: Vendor Financial Health

    Posted 03-04-2022 09:53 AM
    Good Morning,

    Just seeing your post. So the first thing I would say is the obvious: regardless of public or private, secure the key financial statements from your potential vendors, notably the Income Statement, Balance Sheet and Statement of Cash Flows. You also want to do some independent research to see if there have been any major fines, litigation or breaches with the organization within the last 3 years.

    As you have already noted, getting the financials from a public company is much easier than securing them from a private vendor. More often than not you will get push back from the private vendor; when that occurs, stay flexible and inquire what financials or reports they can provide.

    My suggestion would be to ask for an independent report from a reputable CPA firm; it could be a recent year-end audit report, a SOC report (SSAE 18), a balance sheet, some sort of dashboard or metric that they've used to report results to other investors, etc.

    Do know that it is typical to get push back from private vendors, but remember that if you're considering bringing them on board to fill a void that your organization can't fulfill, then you need to get comfort around their numbers, financials, policies and procedures, etc. Remember, they potentially will be an extension of your organization based on the potential service they provide for you.

    Hope this helps! I'd be curious to find out if anyone else had thoughts in this space.



  • 4.  RE: Vendor Financial Health

    This message was posted by a user wishing to remain anonymous
    Posted 03-04-2022 01:05 PM

    We ended up trying internal SMEs but it was a challenge as they had other primary responsibilities, so we decided to partner with Rapid Ratings. We like this for publicly held company reviews and if you can obtain privately held and put verbiage in your contracts that audits are done by you or your designees, we are able to upload them for a review by Rapid Ratings as well. Otherwise we work with the internal SME (much less volume on their plates now) and they will review other information available via the internet or Bradstreet and Dun etc. and determine based on the services if we can be comfortable using the vendor for the specific services provided.  We also make it very clear upfront and in contracts that we require this, so if the company balks at the provision of this and we have other options who will provide and are in good standing, they may not be selected as a partner. Good Luck!