36 Hours Straight: A Team Story in Financial Services
What Happens at Hour Thirty-Six

There is a particular quality of silence that only exists when thirty-six hours of noise suddenly stops. Not peaceful silence. Not relieved silence. The silence of eleven people who have been in the same room since Thursday morning, across four time zones, held together by a shared problem and one very patient coffee machine – and who have just watched the fix land.

Nobody moved. Nobody said anything. For a full minute, we just sat with it. The kind of silence that a team earns, not one that settles on them by accident.

I have been in enough war rooms to know that the technical resolution is rarely the moment that stays with you. What stays is the human texture of the hours that built toward it. This weekend gave me more of that texture than I expected.

—

The Situation

We were forty-eight hours into what had started as a manageable incident on Thursday morning. I say “manageable” because that is what the first assessment suggested. It was not manageable. It was the kind of problem that presents politely, shakes your hand, and then halfway through the introduction mentions it has brought several cousins. You solve the first layer, and it introduces you to a second. You solve the second, and a third emerges with a quietly baffling root cause that nobody had a clean precedent for. At some point around hour twenty, I stopped asking “how much further?” and started asking “who needs a break and who needs coffee?”

Here is the moment I will not forget: it was sometime around 2am on Saturday. One of our engineers – someone who had been heads-down for hours, barely speaking – looked up from their screen and said, flatly, “I don’t actually think this is the problem anymore. I think we’ve been solving the wrong thing.”

The room went quiet in a different way. Not the good quiet. The kind where everyone does a rapid internal calculation of how much work that statement might just have invalidated.

I felt it too – that brief, cold drop of “please don’t let that be true.” It was true. And saying it out loud was the thing that turned the corner.

We had been six hours into a technically correct solution to the wrong diagnosis. The engineer who said it had known for some time, I think – had been sitting with it, testing their own certainty before naming it in a room full of tired, invested people. That moment of honesty, offered quietly and without drama, was worth more than everything that came before it.

I have been in transformation programmes where that observation would never have been made aloud. Where the cost of being the person who says “we’ve been solving the wrong thing” is too high – socially, politically, professionally. This weekend, it cost nothing. That is not an accident. That is a culture.

—

Three Things I Have Carried Out of That Room

**The teams that hold together under pressure have usually done the work before the pressure arrives.** There was no team-building exercise that produced what I saw this weekend. There were months of working alongside each other, small acts of reliability, the accumulated evidence that when you say you’ll pick something up, you pick it up. Trust is not built in a crisis. It is *revealed* by one. What the war room showed us was simply what had already been true.

**Fatigue is an honesty accelerator.** By hour thirty, the energy required to perform competence – to manage your image, to frame your uncertainty carefully – is simply no longer available. People stop polishing their contributions and start handing each other raw information. The humour gets darker because it stops being a social tool and starts being a genuine release valve. The observations get sharper because there is no bandwidth left for softening them. I have sat in two-hour steering committees where less truth was exchanged than in the last six hours of this incident. Organisations should find this alarming and instructive in equal measure.

**The people who show up at 3am are not doing it for the SLA.** This is the insight that sat with me longest, and it is not a comfortable one for anyone who has spent time building incentive frameworks, performance structures, or engagement metrics. The engineer who reframed our diagnosis at 2am was not motivated by a KPI. The colleague who quietly took over so someone else could rest was not making a career calculation. There is a category of professional commitment that exists entirely outside the reward architecture – and the organisations that understand this tend to be the ones that keep their best people. You cannot manufacture it. You can only create conditions where it survives.

—

What This Means Beyond This Weekend

If you lead a team, or a function, or a programme of any meaningful scale, I would ask you one question: would your team tell you at 2am that you have been solving the wrong problem? Not hypothetically. Specifically. In the room. With six hours of work already on the board and an audience of tired, invested colleagues.

If the answer is uncertain, that is the work. Not the governance framework. Not the roadmap. The thing that makes transformation either survive contact with reality or quietly collapse under it is whether the people in the room will tell you the true thing when it is inconvenient and late and expensive to hear.

Technical incidents are, in a strange way, gifts. They compress months of organisational dynamics into hours. They show you – quickly, clearly, without the usual insulation of process – what your culture actually is. Not what it says it is. What it does when nobody is watching the clock.

We updated the runbook. We scheduled the post-mortem. We will find the systemic gaps and we will close them, methodically, the way you are supposed to. But the thing I

When Partners Become Liabilities, Rethinking Third-Party Risk

The Day a Payroll Vendor Brought Us to a Halt

It was a routine Friday morning – until it wasn’t. Phones lit up. Systems slowed down. HR couldn’t run payroll. Finance couldn’t close the books. Our third-party payroll vendor had gone offline, caught in the crossfire of a ransomware attack that had nothing to do with us… or so we thought.

But regulators didn’t see it that way. To them, it was our responsibility. And they were right. We had outsourced the service, not the risk.

Why Third-Party Risk Is Everyone’s Risk

Today, financial institutions rely on a complex web of vendors: fintech partners, cloud providers, legal consultants, data processors, offshore support teams – and the list keeps growing. Each one is a node in your ecosystem. Each one can be a vector for operational, reputational, or cyber risk.

According to Deloitte, 83% of organizations have experienced a third-party incident in the past three years. And yet, fewer than half conduct deep risk assessments beyond onboarding. That’s not a strategy. That’s a gamble.

Lesson 1: More Than a Box to Check

I once worked with a firm where vendor risk assessments were essentially a tick-the-box process.

“Do they have a SOC 2 report?”
“Yes.”
“Great, move on.”

No one read it. No one asked what systems were in scope. No one noticed the outdated controls in their user access reviews. It wasn’t until a regulator showed up – asking very specific questions about sub-service organizations and data segregation – that the panic set in. We had assumed compliance. We hadn’t verified capability.

The fix? We revamped the Third-Party Risk Management (TPRM) lifecycle:

- Replaced checkbox reviews with risk-tiered due diligence
- Added on-site assessments for critical vendors
- Integrated real-time monitoring for ongoing risk awareness

The idea wasn’t to make life harder – it was to make it smarter.

Lesson 2: Subcontractors Are Still Your Risk

Here’s the kicker: the payroll vendor that caused our outage? They weren’t breached. Their subcontractor was. We didn’t even know about the subcontractor.

That’s why the OCC’s Third-Party Risk Management Guidelines emphasize “chain-of-responsibility.” If your vendor relies on someone else, you still own the exposure.

Now, all our contracts include:

- Disclosure of all subcontractors
- Right-to-audit clauses
- Breach notification timeframes
- Incident response collaboration expectations

It’s not about micromanaging. It’s about governance.

Lesson 3: Risk Never Ends at Onboarding

Vendor due diligence isn’t a one-and-done task. One of our cloud providers was financially stable when we onboarded them. Two years later, their parent company was in bankruptcy court. Our access was nearly compromised.

From that day forward, we implemented ongoing risk monitoring using platforms like:

- BitSight (for cyber hygiene scoring)
- ProcessUnity (for TPRM workflow management)
- LexisNexis (for legal and reputational red flags)

Vendor relationships evolve. So must your oversight.

Lesson 4: Culture Still Matters

Here’s something we often forget: third-party vendors are people too. When the pandemic hit, one of our offshore support vendors struggled with lockdowns and limited internet access. It wasn’t their fault. But we hadn’t planned for it.

That’s when we shifted from thinking of vendors as contracts to thinking of them as strategic partners. We began:

- Hosting joint resilience workshops
- Aligning KPIs on client outcomes, not just deliverables
- Sharing incident response plans and testing together

Resilience is a team sport.

Final Thought: The Chain is Only as Strong as Its Quietest Link

Third-party risk isn’t just a function. It’s a philosophy.

It’s about asking the hard questions before a regulator does. It’s about looking beyond the glossy onboarding decks and into the operational realities. And above all, it’s about remembering that outsourcing the work doesn’t mean outsourcing the responsibility.

About the Author

Laksh Vaswani is a senior financial executive, best-selling author, and global risk governance strategist. With over two decades of experience leading transformation, regulatory readiness, and vendor risk management programs across banking and fintech, he has helped organizations balance innovation with resilience. Laksh is the recipient of the International Achievers Award and an advocate for smarter, human-centric compliance.
