Did one of your critical third-party vendors need Paycheck Protection Program (PPP) funds?
That’s the question everyone is asking since the Small Business Administration (SBA) released the list of businesses that took PPP loans last week. (The Washington Post’s PPP searchable database includes companies that borrowed more than $150,000.)
As many financial institutions know after working day and night to serve customers in need of PPP loans, the $660 billion program is not a free government handout for whoever asks. Its goal was to put emergency funds in the hands of businesses that needed immediate relief to survive.
Borrowers had to certify in good faith that:
To take out a PPP loan, a business had to be on shaky ground and worried it would be unable to operate without a quick infusion of cash.
While this was a lifeline to many small businesses, it’s also a red flag from a vendor management perspective.
Financial risk is a necessary element of vendor due diligence and oversight and specifically mentioned in guidance from the OCC, NCUA, FDIC, and Fed. It doesn’t matter how compliant, effective, or technologically sound a vendor’s product or service is if the company won’t be in business very long. An FI that partners with a financially unsound vendor may find itself suddenly cut off from a critical product or service if that firm goes under.
Needing an emergency loan to ensure ongoing operations says a lot about a company’s financial condition and strength.
It can also say something about a vendor’s business ethics. Remember the headlines earlier this year when PPP loans went to Shake Shack ($10 million), the L.A. Lakers ($4.6 million), Ruth Chris’s Steakhouse ($20 million), and J. Alexander’s ($15.1 million). Many of these companies are publicly traded with access to the capital markets, but they saw the opportunity to borrow money at 1 percent interest—and maybe even have some of the loan forgiven—and took it, exhausting the first round of funding before many small businesses could get approved.
While there are still PPP funds, there is still the question of companies that took the funds not because they needed it for survival, but they saw a chance for free cash and grabbed it—ignoring the requirement of financial necessity.
It raises a risk management question: Is your financial institution comfortable with the potential reputation risk of a vendor that engages in that kind of conduct?
The COVID-19 pandemic has reminded us that third-party vendor risk, including financial and reputation risk, can change at any time. Continuous vendor management is necessary to catch these changes and allow your FI to adjust its third-party risk exposure, if necessary.
When your vendor management program includes ongoing monitoring of critical and second-tier vendors, it gives you the opportunity to proactively address third-party vendor risk and take action to prevent problems. You may need to research new vendors or revisit your business continuity plan to ensure resilience.
Don’t get caught off guard by changes to the critical vendor’s risk profile. Make sure you have the tools to stay on top of vendor monitoring.
And if you’re struggling to keep pace, check out Nvendor. From vendor prescreening to ongoing reviews and continuous cyber monitoring, we can help you uncover vendor vulnerabilities before they become issues.