Due Diligence and Ongoing Monitoring

Our organization invested in a Fund that provides capital to start-ups that develop technology specifically for our industry.

We are starting to use some of these start-ups as vendors. 

When performing initial due diligence, we've been getting pushback on financial statements - since they are start-ups, they hesitate to provide financial statements - "we're a start-up - our financials look bad."  Our Business Owners say "the Fund we invested in invested in them so they're good."

For the first few, we focused on news, other investors, and the reputation of the start-up's principals to get a better feel for the company in general. Senior Management formally accepted the risk.  Now that these start-ups are coming through more frequently, we want to re-visit our approach on the lack of financial information.  

Any tips or suggestions?

It's still prudent to request and review financials. Assure the vendor, you are aware they are a start up, however financial viability is just one overall component of the overall due diligence process.  Enhance your program to include the residual risk of the financials in your overall analysis. And augment the risk with mitigating controls that brings the overall residual risk within your organizations risk appetite. For example, you can mitigate some of the risk in contract terms and business processes to ensure you can meet the financial and resiliency risk appetite for your organization. Think through what could go wrong if they become insolvent.  Do you have accurate language for use of code/software etc. Have you set up payment terms to begin upon "go live" instead of contract execution? Think about mitigating controls: a documented exit and contingency plan to address the risk of insolvency for the vendor as one example. 

Hope this helps.