We handle this a couple of different ways.
The first is being very selective about which organizations we request financials from; we base this on the assessed risk related to operational criticality. The second is that we always ask; regardless of whether the organization is public or private, the initial request is the same. That being said, private organizations are much more difficult to obtain information from. All initial requests for financials are for "most recent annual financial statement(s)".
Third, if we get push back on financials we try to be flexible. We find that we often get a flat "no"; we then come back and try to start a conversation that is centered not around what you won't provide but what you can provide. Fourth, if we ultimately accept alternative information in lieu of complete financial statements, we document the exception, including the rationale: what we got and why we believe it is sufficient to mitigate risk. Fifth, if we really think the complete financials are necessary to mitigate the risk from the relationship, we will write that into the contract as required annual due diligence.
If we get push back on providing complete financials, here is the initial communication we use to try to focus on what can be provided versus what can't:
"If it is the Company's practice not to share a full set of financials, we are happy to work with you to identify alternate documentation that you can provide that will still allow us to complete our required due diligence. Alternate documentation might be something like:
- a copy of just the balance sheet,
- an overview of the key financial metrics and a statement of overall financial health, or
- an opinion on the financial statements from an independent accountant.
Please let me know what you can provide for us in lieu of complete financials."
In my experience most companies will work with you if you are flexible. We have had conversations with CFOs to discuss financial position, viewed financial statements without the ability to copy, had conversations with the third-party accounting firm that oversees the financial reporting, etc. For our organization, I can't stress flexibility enough. The financial information should be more than a due diligence check box; what you request and ultimately agree to accept should truly mitigate or help you understand the risk from the relationship. Flexibility, I have found, is also key in building partnerships with the individual business units.
If we need to push harder our standard language is:
"Based on your experience working with other banks, you know banking is a highly regulated industry and you may also be familiar with the FDIC's guidance for managing third-party risks (FIL 44-2008). We are accountable for effectively evaluating all third party risk. As such, it is our responsibility to conduct comprehensive due diligence in order to identify, understand and mitigate risk arising from our third party relationships.
One aspect of evaluating third party risk is ensuring that our partners have a financial position sufficient to support their ongoing operations and to provide ongoing, uninterrupted services to us in both the short and longer terms. We have found financial statements to be an effective way to evaluate the financial health of the third parties that we do business with, consistent with FDIC guidance."
You are definitely not alone in experiencing issues around financial due diligence!
Shelly
------------------------------
Shelly Chase
AVP Operational Risk
------------------------------
Original Message:
Sent: 03-03-2022 06:29 PM
From: David Medina
Subject: Vendor Financial Health
As we're continuing to mature our TPRM program, we're looking at various documents to get from our most critical vendors. One area we know we need to look at is a vendor's financial health. We're trying to figure out which financial reports we should get from those critical vendors.
Also, getting some of those reports will be easier for vendors that are public. However, those that are private may be a little more difficult. Thoughts on how to deal with private companies that will not provide financial reports?
Thank you!