Uncover and Mitigate Third-Party Risks



Third parties have become an integral part of any business operation. However, the threats and issues arising from third-party engagements require enterprises to gain an in-depth understanding of their entire global third-party ecosystem. Failing to curb third-party risks can lead to severe reputational damage and loss of stakeholder and customer trust, but assessing third parties can be resource intensive. Establishing a robust and automated program to continuously monitor and assess third parties addresses that cost: it enables organizations to detect and alleviate risks stemming from non-compliance, unethical practices, financial risks including supplier bankruptcy or business disruption, exposure to Tier 2 suppliers, legal issues, and access to confidential data.

By leveraging leading financial health analytics providers for a deep analysis of the financial viability of third parties, and by adopting robust technology, organizations can simplify the process of third-party risk management and catch early signs of risk exposure.

Recently, MetricStream hosted a webinar on the topic, where experts James H. Gellert, Chairman & CEO at RapidRatings, and Swapnil Srivastav, Manager, Marketing at MetricStream, provided some key insights into the best practices that can help organizations effectively identify and mitigate third-party risks.

In the course of the webinar, several interesting audience questions were addressed. I have highlighted some of the insightful ones below:

Q1: Do you have different metrics or methodologies to understand the financial health of private companies vs. public companies?

James: “To understand a company’s financial health, RapidRatings uses a proprietary quantitative system that looks directly at the company’s financial statements to determine its short-term financial health (12 months ahead) and the long-term core health (3 years ahead). So, whether you’re looking at private companies or public companies, we’re evaluating them all through the same methodology. That is really the key because for many organizations, private companies make up over 70% of their third-party relationships, meaning they need a metric to evaluate their entire third-party ecosystem consistently. Given that our system requires financial statements as its only input for computing the financial health, we’re able to compare companies on an apples-to-apples basis, regardless of ownership, company size, industry, or geography. So, part of the premise is to be able to provide a single common language that is repeated every time we are re-rating a company, whether quarterly or annually, and to give back a consistent measure irrespective of whether a company is public or private.”

Q2: How do your Financial Health Ratings account for companies that operate in different industries?

James: “The financial profile of a technology start-up will look very different than that of an auto manufacturer or a retail company. Depending on the industry, there are different triggers that will affect a company’s growth or long-term and short-term risks in different ways, and our system accounts for these nuances for 24 individual industry models. RapidRatings applies 73 different financial and operating ratios to over 25 elements of a company’s financial statement. This data that is used to calibrate the system is about 9 million company years of data. So, a significant amount of econometric analysis is needed to be able to look at the companies in different industries, and to be able to provide a financial health rating that accounts for the nuances and idiosyncrasies in each of those industries, regardless of whether we’re dealing with a software company or a logistics company. That’s again very much part of the premise that in order for people to be able to use financial health, and to use it in as robust a way as possible, it is important to have a common signal for each risk management process in an individual company that is replicable and scalable – it’s very much a part of the thesis behind the Financial Health System™ that we have.”

Q3: What happens when a private company doesn’t want to release their financials to you?

James: “Yes, there are certainly some groups that are reluctant, and often, the fact that they don’t want to disclose their financials is, in itself, valuable information. We have lots of clients who will take different actions on a company that does not disclose information, and chooses to opt out of this program. Some of the actions are to discontinue the business, or to not award future business, or to reduce business and to be more hedged in terms of the long-term and short-term nature of association with such a vendor. Organizations basically begin to reduce the potential risks by taking action on the very fact that a third party does not disclose financial information.”



