We are early in our formal Vendor Risk Management process. As we roll out our ongoing vendor oversight and monitoring tasks, we will request specific reports be provided by our critical-ranked vendors. The report requests will vary based on which risk factor makes the vendor critical. For example, a vendor ranked critical for the exchange of PPI or PHI will be asked to provide a SOC 2 Type 2 report that covers the services provided. A vendor that provides financial-related guidance or services would be asked to provide a SOC 1 report.
The struggle we have as an organization is not having the personnel to support some of these "document" reviews, in particular financial reviews. With that said, here are my questions.
When doing existing vendor oversight and monitoring tasks, do you routinely request that the vendor provide audited financials? If yes, are there specific risk factors that trigger the request for financials? Are there any vendor-specific characteristics where you would not request financials?
Who or what position(s) in your organization reviews the financials?
What areas are specifically targeted when conducting a financial review?
Thank you for providing your input, feedback and best practices suggestions.
Hello Mark and welcome to the wonderful world of Vendor Management!
I'll try to answer your questions with our practices below:
We try to obtain and review financials for all of our vendors during initial due diligence and when they are due for periodic review and risk assessment: Critical, High and Moderate-High risk-rated vendors annually; Moderates every 2 years; Low-Moderate and Low every 3 years. There are exceptions to that. We do not require financials for non-IT vendors such as cleaning contractors, groundskeepers, and service contractors (i.e., HVAC, etc.). Also, you will find that some privately held companies will not provide financial statements at all or will give you very brief and essentially useless summary reports. For those vendors you should note that as an increased risk factor. For vendors whose financial review reveals significant issues, we will do ongoing monitoring of their business health (Venminder partners with ArgosRisk to provide clients with an excellent monitoring tool). The determination to conduct this ongoing monitoring is made by our internal Subject Matter Experts, which brings us to your next question:
We task our CFO and/or CEO/President (former CFO) with reviewing financial statements. They are truly the experts in that area. We also utilize Venminder's Financial Analysis service. We will provide Venminder's report to our SMEs to review as well as the actual financials. In some cases, like now with the pandemic crisis, our financial gurus do not have the time to do our vendor reviews. In those cases we rely on Venminder's FAs, and for any report that returns a rating lower than Satisfactory, we will add the vendor to the ArgosRisk monitoring service. In fact, we have the majority of our vendors, especially the most important ones, on that service.
The areas our SMEs want to review are the Income Statement, Balance Sheet, and Cash Flow. Venminder's analysis focuses on these areas as well.
In closing, some additional thoughts: Your vendors' financial health is a very important consideration in your Vendor Management Program. Whenever possible, get a financial statement for your reviews/assessments. Occasionally, a new vendor will be willing to give you an audited financial statement as part of the initial due diligence, but not on an ongoing basis. Make sure you get an SLA in your contract requiring them to provide it on request. If they give it to you once, they should be willing to continue to provide it. The initial contracting phase is when you have the most leverage to get what you need.
Also, for publicly traded companies, you can get their annual or quarterly SEC filings, either from their public website or from the SEC directly. When you get those 10-K or 10-Q reports, give them a good read yourself while your financial guys are crunching the numbers. The opening sections of those reports have a lot of valuable insight into the company's operation and especially the risks that they themselves have identified in their business. You'll find a lot of information there that won't be in the SOC reports or policy statements.
Michael Weaver, CRVPM III
Vendor Management Specialist / Information Security