When Partners Become Liabilities — Rethinking Third-Party Risk

The Day a Payroll Vendor Brought Us to a Halt
It was a routine Friday morning—until it wasn’t.
Phones lit up. Systems slowed down. HR couldn’t run payroll. Finance couldn’t close the books. Our third-party payroll vendor had gone offline, caught in the crossfire of a ransomware attack that had nothing to do with us… or so we thought.
But regulators didn’t see it that way.
To them, it was our responsibility. And they were right.
We had outsourced the service, not the risk.
Why Third-Party Risk Is Everyone’s Risk
Today, financial institutions rely on a complex web of vendors: fintech partners, cloud providers, legal consultants, data processors, offshore support teams—and the list keeps growing.
Each one is a node in your ecosystem. Each one can be a vector for operational, reputational, or cyber risk.
According to Deloitte, 83% of organizations have experienced a third-party incident in the past three years. And yet, fewer than half conduct deep risk assessments beyond onboarding.
That’s not a strategy. That’s a gamble.
Lesson 1: More Than a Box to Check
I once worked with a firm where vendor risk assessments were essentially a tick-the-box process.
“Do they have a SOC 2 report?”
“Yes.”
“Great, move on.”
No one read it. No one asked what systems were in scope. No one noticed the outdated controls in their user access reviews.
It wasn’t until a regulator showed up—asking very specific questions about sub-service organizations and data segregation—that the panic set in.
We had assumed compliance. We hadn’t verified capability.
The fix? We revamped the Third-Party Risk Management (TPRM) lifecycle:
- Replaced checkbox reviews with risk-tiered due diligence
- Added on-site assessments for critical vendors
- Integrated real-time monitoring for ongoing risk awareness
The idea wasn’t to make life harder—it was to make it smarter.
Lesson 2: Subcontractors Are Still Your Risk
Here’s the kicker: the payroll vendor that caused our outage?
They weren’t breached. Their subcontractor was.
We didn’t even know about the subcontractor.
That’s why the OCC’s Third-Party Risk Management Guidelines emphasize “chain-of-responsibility.” If your vendor relies on someone else, you still own the exposure.
Now, all our contracts include:
- Disclosure of all subcontractors
- Right-to-audit clauses
- Breach notification timeframes
- Incident response collaboration expectations
It’s not about micromanaging. It’s about governance.
Lesson 3: Risk Never Ends at Onboarding
Vendor due diligence isn’t a one-and-done task.
One of our cloud providers was financially stable when we onboarded them. Two years later, their parent company was in bankruptcy court, and we came close to losing access to our own data and the services built on it.
From that day forward, we implemented ongoing risk monitoring using platforms like:
- BitSight (for cyber hygiene scoring)
- ProcessUnity (for TPRM workflow management)
- LexisNexis (for legal and reputational red flags)
Vendor relationships evolve. So must your oversight.
Lesson 4: Culture Still Matters
Here’s something we often forget: third-party vendors are people too.
When the pandemic hit, one of our offshore support vendors struggled with lockdowns and limited internet access. It wasn’t their fault. But we hadn’t planned for it.
That’s when we shifted from thinking of vendors as contracts to thinking of them as strategic partners. We began:
- Hosting joint resilience workshops
- Aligning KPIs on client outcomes, not just deliverables
- Sharing incident response plans and testing together
Resilience is a team sport.
Final Thought: The Chain is Only as Strong as Its Quietest Link
Third-party risk isn’t just a function. It’s a philosophy.
It’s about asking the hard questions before a regulator does.
It’s about looking beyond the glossy onboarding decks and into the operational realities.
And above all, it’s about remembering that outsourcing the work doesn’t mean outsourcing the responsibility.
About the Author
Laksh Vaswani is a senior financial executive, best-selling author, and global risk governance strategist. With over two decades of experience leading transformation, regulatory readiness, and vendor risk management programs across banking and fintech, he has helped organizations balance innovation with resilience. Laksh is the recipient of the International Achievers Award and an advocate for smarter, human-centric compliance.