How do you handle third party risk assessments?
Assessing the risk of vendors and partners is not new. Some organizations have entire teams dedicated to the process. We have a variety of models and methods. You can even – and it’s a bit meta – outsource your third-party risk assessment to a … third party. New services and models are emerging to help us accurately assess the risk of our digital supply chain without losing the benefit of third parties.
What are you assessing in a third party? Why? And how are you improving the process?
Have you started assessing financial health as part of the process?
To learn more about why financial health matters, I spoke with James H. Gellert, Chairman and CEO of Rapid Ratings. He is a career-long entrepreneur and financial markets professional, having held operational roles at global investment banks. Mr. Gellert has run private companies across myriad industries and served in permanent and interim CEO positions at technology and information services companies.
We shared a few conversations about the importance of financial health in assessing risk. It seemed important at the outset. The more we talked, the more I realized it is important – and going to increase in importance over the next few years.
Check out what James shared on why and how security leaders need to consider financial health when assessing security risk:
What is financial health, and why is it important to understand?
I like to think Financial Health is the foundation for building successful long-term business relationships. It is the language for business decisions, regardless of industry, geography, or ownership. Our clients use our Financial Health Ratings to better understand the strength and efficiency of a company and how well positioned it is to weather a storm or take advantage of commercial opportunities. This informs companies in evaluating their suppliers, vendors, customers and other third parties and investors, banks and insurance companies as they evaluate who they’ll invest in, lend to, underwrite and insure. The common denominator here isn’t that people need to take financial risk, but that they are taking business, or commercial, risk. Yes, people want to know if a counterparty relationship can pay their bills, but they also want to know if they can expand when business may be good, whether they are nimble enough to invest in infrastructure, like IT security, and whether they will be well-positioned to continue staying ahead of a curve. Financial Health is the gateway to understanding those companies’ underlying strengths and weaknesses; it provides a universal benchmark for choosing whom to partner with in the short- and long-term.
Financial health is also a leading indicator of risks across all areas of the enterprise. While cyber security is top-of-mind for many risk management professionals, it is still nearly impossible to anticipate a cyber-attack. Likewise, natural disasters or power outages are incalculable – they just happen. On the other hand, monitoring the financial health, more specifically statistical probabilities of default, is well within reach. Financial health then becomes the leading indicator of those other areas of risk because it identifies a company’s financial ability to weather any unforeseen events, to continue investing in state of the art cyber security prevention, etc.
Also, we have to face it, companies that are under financial stress tend to cut corners and delay investments and upgrades in infrastructure, security (cyber and physical) and other areas of their business. Preliminary research we’re conducting now shows that High Risk and Very High Risk FHR names have between a 2-3x greater likelihood of delivering faulty products or having delivery delays. Early warnings of financial health deterioration or stress are an excellent way to head these problems off at the pass.
What sorts of things do you consider when assessing financial health? And how do you assess private companies?
The most important factor for evaluating financial health is the data that goes into the assessment. Is it a primary source of the company’s financial information – i.e. financial statements? Where and how are you getting it? Can you rely on it?
If your financial health assessment relies on payment history or inputs such as how volatile a company’s stock price is, the answer to the last question is most likely no. A company’s payment history is not a primary source of a company’s financial condition and it doesn’t provide enough forward-looking insight. If a company could pay its bills last month, there’s no guarantee that they’ll be able to pay their bills next month or the month after that. Oftentimes many companies are able to pay their bills up to the point of filing for bankruptcy, meaning that payment history does little to measure a company’s financial viability. Moreover, relying on payment history makes you susceptible to false negatives. If a company is late or misses a payment, does it mean they’re on the brink of failing? Probably not. Similarly, market inputs such as stock price or credit default swaps reflect some institutional traders’ market sentiment, which is fickle, and reflects perception, but not always reality. Companies that may be a good investment may not be a good commercial partner in the short- or long-term. While a significant decline or increase in market prices is worth considering, it should not be your primary tool for evaluating financial health.
The only way to get full transparency into a company’s financial health is through the figures in their financial statements. Financial statements don’t take market sentiments into account, meaning they provide a consistent framework for evaluating all third parties, including private companies. In fact, it emphasizes the importance of building a strong relationship with your third parties. The better your relationship, the easier it will be to convince your third parties of the value of transparency and sharing financials. When analyzed properly, financial statements can be highly predictive, enabling you to make forward-looking risk management decisions. For private companies, we’re able to analyze them the same way as public companies. Regardless of being public or private, all of the reports and portfolio analytics tools are available to clients. The only difference is how we obtain the data. We’re able to assess based on filing data from public companies and we solicit the financials from private companies on behalf of our clients who work with them.
Since financial health shifts over time, do we need to go back and reevaluate partners? How do you handle that?
Absolutely. The bankruptcy of Brazilian telecom giant, Oi, this past summer provides a perfect illustration of why you need to evaluate third parties beyond just the onboarding stage. If you were in the process of evaluating Oi as a potential partner at the beginning of 2014, you would’ve been pleased with their FHR of 73, Low Risk. However, if you didn’t continue to monitor Oi, then you would’ve failed to see any of the warning signs for the company’s bankruptcy just two years later. By the end of 2014, Oi dropped 18 points to an FHR of 55, medium risk. At the end of 2015, Oi had dropped 19 more points to an FHR of 36, entering High Risk, and continued to drop until its bankruptcy filing. For reference, of the 274 industrial firms we rate that defaulted between 2011 and 2015, 94% of defaulters filed for bankruptcy with an FHR below 40. The average FHRs at default, 12 months prior, and 36 months prior were 25, 32, and 42, respectively, demonstrating clear early warnings in the ratings trends leading up to default.
Continuously monitoring Oi, even annually, would’ve clearly demonstrated the company’s gradual deterioration into High Risk. This is where having certain contingency plans in place for your third parties would help. For instance, if a company has been deteriorating for four straight quarters or falls into High Risk, then the issue would get pushed up to senior management and/or you would start engaging in more detailed conversations to further evaluate the company’s financial viability. You might also begin to assess the third party more frequently to avoid any costly surprises. This might sound like a lot of work, but it simply reinforces the importance of having a financial health assessment process in place that is automated and scalable.
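The escalation rule described in the answer above (four straight quarters of deterioration, or a fall into High Risk) is the kind of check that can be automated once ratings are collected on a schedule. What follows is an added example written for this page, not Rapid Ratings' software and not part of the interview. It assumes a 0-100 rating where higher is healthier, a High Risk cutoff of 40 (the interview places an FHR of 36 in High Risk and notes most defaulters sat below 40, but does not state the band boundaries, so the cutoff is an assumption), and uses constructed quarterly data for hypothetical vendors.

```python
"""Escalation monitor for a vendor's financial-health rating trend.

Added example, not Rapid Ratings code. Assumptions not taken from the interview:
- ratings are on a 0-100 scale, higher is healthier;
- HIGH_RISK_CUTOFF = 40 approximates the High Risk band boundary;
- an escalation is raised when the latest rating is in High Risk or the
  rating has declined for four straight periods (the interview's rule).
"""
from dataclasses import dataclass

HIGH_RISK_CUTOFF = 40        # assumed band boundary, see docstring
CONSECUTIVE_DECLINES = 4     # "four straight quarters" from the interview


@dataclass(frozen=True)
class Observation:
    period: str   # e.g. "2015-Q3"
    rating: int


def consecutive_declines(history):
    """Count the run of period-over-period declines ending at the latest
    observation; a flat or rising period breaks the run. `history` is
    ordered oldest to newest."""
    count = 0
    for prev, cur in zip(reversed(history[:-1]), reversed(history[1:])):
        if cur.rating < prev.rating:
            count += 1
        else:
            break
    return count


def evaluate(history, cutoff=HIGH_RISK_CUTOFF, streak=CONSECUTIVE_DECLINES):
    """Return (should_escalate, reasons) for one vendor's rating history."""
    if not history:
        return False, []
    reasons = []
    latest = history[-1]
    if latest.rating < cutoff:
        reasons.append(f"{latest.period}: rating {latest.rating} is below the "
                       f"High Risk cutoff of {cutoff}")
    declines = consecutive_declines(history)
    if declines >= streak:
        reasons.append(f"{latest.period}: rating has declined for {declines} "
                       f"straight periods")
    return bool(reasons), reasons


def review_portfolio(portfolio):
    """Evaluate every vendor; return {vendor: reasons} for those to escalate."""
    flagged = {}
    for name, history in portfolio.items():
        escalate, reasons = evaluate(history)
        if escalate:
            flagged[name] = reasons
    return flagged


def _series(start_year, ratings):
    """Build a quarterly series starting at Q1 of start_year (constructed data)."""
    return [Observation(f"{start_year + i // 4}-Q{i % 4 + 1}", r)
            for i, r in enumerate(ratings)]


# Constructed sample portfolio for hypothetical vendors (not real ratings).
SAMPLE = {
    # still above the cutoff, but four straight declines -> escalate
    "Vendor A": _series(2015, [70, 68, 65, 61, 58]),
    # only two declines, but the latest rating is in High Risk -> escalate
    "Vendor B": _series(2015, [55, 52, 38]),
    # healthy and fluctuating -> no action
    "Vendor C": _series(2015, [72, 74, 71, 75]),
    # edge case: three declines then a flat quarter resets the run -> no action
    "Vendor D": _series(2015, [60, 59, 58, 57, 57]),
}

if __name__ == "__main__":
    for vendor, reasons in review_portfolio(SAMPLE).items():
        print(f"ESCALATE {vendor}")
        for reason in reasons:
            print(f"  - {reason}")
```

The flat-quarter case (Vendor D) is deliberate: a rule that counts "four straight quarters" should reset when deterioration pauses, otherwise every vendor with a long history eventually trips it. The two triggers are kept independent so a sharp single-quarter drop into High Risk is caught even without a streak.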
You brought up the realization that the extended credit cycle we’ve experienced is likely to end. Why is that important to consider when evaluating financial health?
In the past 5-7 years, we’ve seen a huge increase in activity in the fixed income universe. Low interest rates have spurred record bond issuance around the global capital markets and the search for yield by institutional investors has seen them go lower and lower down the credit spectrum, enabling even the weakest of companies to raise money. Despite the financial crisis, outstanding bond volume in the global fixed income market is now double what it was in 2007. A concerning result here is that many weak companies have been able to mask their problems that otherwise would have been exposed in a more “normal” credit environment. So, if you look at the investment grade bond, high yield bond and bank loan markets globally, there is an increasingly high amount of debt to be refinanced in the coming years as a result of such robust activity in these markets over the past handful of years. Since companies have been able to issue new debt and refinance debt with ease, that day of reckoning will come where market conditions aren’t as conducive but companies need to refinance. If market conditions aren’t as conducive, and they likely will not be, many companies are going to struggle with refinancing their debt. If you don’t have a firm grasp on your third parties’ financial health and whether they are positioned well to attract capital when it’s not as readily available, you’re flying blind. In that case, disruptions caused by a failed supplier or other third party, or their cyber breach from under investing in technology, become your fault. Then, you’re not talking about a disruption in business; you’re talking about keeping your job.
What steps does a security leader need to take to consider financial health when evaluating third party risk?
The impact of a disruption to your third-party ecosystem will likely be felt across your entire business. Risk management is not the responsibility of one group. Rather, it is an enterprise effort. It requires collaboration amongst cross-functional teams such as procurement, finance, legal, technology, compliance, manufacturing, and others. In order for these departments to work as one cohesive unit, they need a common language to share information. Financial health is therefore not only a common language for business-to-business conversations with your third parties, but it is also a common language for internal discussion. It creates continuity on the flow of information across departments, enabling greater alignment, coordination, and cooperation for a successful enterprise risk management program.