Third-party risk Q&A

Assessing vendor resilience in a volatile market

If a critical vendor shows signs of financial distress, what’s your plan?

In the wake of recent events in the financial services industry and broader markets, banks are re-evaluating their third parties for signs of questionable financial health. A third-party vendor that isn’t financially sound can disrupt banking operations and affect the bank’s own resilience.

In this Q&A, Jill Czerwinski, Crowe principal and third-party risk services leader, answers questions about current challenges and potential solutions when developing a model for an effective financial health assessment process.

Planning, building, or running

Get help with any stage of your third-party risk program.

Explore services

Many banks and financial services companies today have thousands of vendors. How should they decide which vendors require a financial health screen?

Jill Czerwinski: We challenge banks to start by looking at two criteria to determine whether the organization needs to monitor the financial health of a third-party vendor.

First, the bank should ask if the failure of the third-party vendor would affect the bank’s own resiliency, perhaps because the vendor provides a critical service or product that can’t be replaced quickly or easily.

Second, the bank should ask whether financial hardship of the third party might force cost-cutting that could affect the quality, risk, and delivery of services from the third party.

For example, you might be concerned if a third party that interacts with customers isn’t profitable. That lack of profitability might make the vendor more likely to cut costs, perhaps by scaling back the quantity and level of experience of their personnel resources. And that cost-cutting could directly affect customer service.

Once the bank determines which third parties it needs to assess and monitor, what should that process of assessing vendor financial health look like?

Jill Czerwinski: There are two options for assessing financial health of a third party. The organization can develop an internal model or use an outsourced model to quantify what it expects to see from a financially healthy company.

But it’s important to remember that as the economy goes through fluctuations, what is deemed acceptable in terms of financial health might change. The organization has to decide whether it will rely on internal credit risk professionals to maintain the model or outsource the maintenance of the model.

OK, so let's assume a bank wants to rely at least in part on internal models for assessing vendor financial health. What should go into that process?

Jill Czerwinski: We typically recommend that banks start by profiling the third party. This process would start with determining whether the company is public or private as well as domestic or international. A private, global company can often introduce a lot more complexity and risk considerations than a public, domestic company.

We also look at the ownership structure, as in determining if the third party is a subsidiary of a larger company. Maybe you’re evaluating a small company that looks risky on paper, but it’s actually a key subsidiary of a very profitable larger company.

All these factors require consideration. Once we have a profile of the company, we can apply the right screening of the financial statements.

Once you profile the company, what do you do next?

Jill Czerwinski: We often think about this process in terms of the ghosts in Charles Dickens’s story, “A Christmas Carol.” We consider the past, present, and future of the third party’s financial performance.

Let’s follow Dickens and start with the past. What are you looking for there?

Jill Czerwinski: We request financial statements for the past three years to look at the third party’s historical performance. How has it performed in the past three years? Does it have income, and has revenue grown? Was there significant financial activity in the past 12 months – transactions, mergers, acquisitions – anything notable that can help us draw conclusions about financial health?

What about the present? How would you assess that?

Jill Czerwinski: We try to get a snapshot of the vendor’s financial health right now. To build that snapshot, we look at its current liquidity in terms of its access to cash. We look at any loans or other liabilities on the books that might affect how the company operates, and we also examine key ratios related to the balance sheet and income statement that can help us figure out how strong the company is today – without any consideration for potential future volatility. This gives us a good sense of short-term financial projections.

Finally, we look at predictions of future performance.

That seems like the most challenging element. You’re trying to predict the future based on past and present performance, but is that possible?

Jill Czerwinski: It is challenging, and of course we can’t truly predict the future, but there are things we can look at to make highly educated guesses about how the company might look in the future. For instance, is there any pending M&A activity? What about any pending litigation, recalls, quality issues, news events, or short-term supply chain impacts?

We also look at how reliant the vendor is on a small number of accounts or a particular market segment. For example, if the vendor serves a relatively small number of banks, will its financials change if its clients merge or even fail?

When we combine and aggregate all those past, present, and future elements, we can determine how risky this relationship is and how risky it is likely to be going forward, and then we can create a financial health risk treatment plan.

A risk treatment plan. That sounds almost medical.

Jill Czerwinski: Yes, assessing a vendor’s financial health is very much like a medical exam. Like a doctor, an organization uses a variety of information to create a picture of the vendor’s health, and then the organization must make a judgment call on whether to intervene and take preventive action.

Ultimately, just as in medicine, your organization must set guidelines for the types of warning signs that should trigger action.

OK, and how should the organization respond when those warning signs come up?

Jill Czerwinski: Minimally, you want to have a backup provider screened and ready to engage if needed. And ultimately, you might decide that the risk of a resiliency event is too great and opt for a third party with a stronger financial health profile.

The organization also might want to have more frequent “checkups” to monitor the third party’s financial health for change. In many organizations, the business unit that owns the relationship will interact with the third party quarterly to discuss performance and risk. Then, those relationship owners can report back with any changes, good or bad, regarding the financial health of the third party.

Now that you’ve explained the basics, can you explain how Crowe helps clients assess and monitor financial health?

Jill Czerwinski: Crowe helps clients plan, build, and run their third-party risk programs. First, we can help deploy a framework and policy for monitoring vendor financial health and resilience. We provide a rubric that helps organizations choose what to consider within and outside their risk tolerance.

Based on those considerations, we can write policies and procedures accordingly and help organizations design an action plan that outlines how they can respond to signs of failing financial health in a vendor.

For clients looking for additional help, Crowe is a preferred partner of RapidRatings, a technology firm that provides software to assess third-party financials against a proprietary assessment methodology. This software as a service option is a great solution for clients looking for an “easy button” answer to the assessment portion of third-party risk management.

Finally, Crowe provides a service to facilitate the financial health assessment process on an ongoing basis. This service includes gathering, assessing, and writing remediation plans for third parties.

Bottom line – if this is an area your organization is struggling with, we’re here to help.

Searching for the right technology to help manage third-party risk?

Our specialists put together a checklist that can help.

Get the checklist

Related insights

Article

What does the new interagency guidance mean for TPRM programs?

Article

Fourth-party risk is daunting – make it manageable in 3 steps

Article

7 questions bank boards should ask about third-party risk

Article

What does the new interagency guidance mean for TPRM programs?

Article

Fourth-party risk is daunting – make it manageable in 3 steps

Article

7 questions bank boards should ask about third-party risk

Let's work together to build resilience and confidence

Crowe employs a global team of hundreds of specialists who focus on third-party risk management. If you need help with vendor financial health assessments or any other area, let’s talk today.

Explore services

Jill M. Czerwinski

Principal, Third-Party Risk Leader

+1 630 575 4317

Profile

mail 

Explore services