Due Diligence and Ongoing Monitoring

  • 1.  Do you have any third party risk horror stories?

    Posted 10-16-2019 08:41 AM

    Hi Everyone,

    In light of Halloween upcoming, I'd love to kick off a thread and ask you if you have any scary stories or lessons learned that you could share with the group?

    While we don't want to name names, we all would love to hear your third party risk stories that keep you up late at night or if you've run across any vendors out there that gave you some scary nightmares!

    (feel free to share anonymously by hitting the anonymous checkbox before you post!)

    - Brittany



  • 2.  RE: Do you have any third party risk horror stories?

    This message was posted by a user wishing to remain anonymous
    Posted 10-16-2019 10:02 AM

    A few years ago we had an examiner draw our attention to the SOC report of one of our third party vendors.  This third party is a large company and a very well known entity for the service that they provide, and the SOC report was filled with findings.  The third party's response was essentially a nicely worded version of "we're a huge company and this is how we do things; if you don't do business with us we won't even notice the lost revenue."  Needless to say, we parted ways with this company.

    Lesson learned: just because a company is large and well-known does not mean that everything behind the scenes is as it should be.  Looking back we had a few issues with them, but the biggest red flag was how difficult they were to work with on what I would consider simple items like assistance with reports or providing us with due diligence documents.


  • 3.  RE: Do you have any third party risk horror stories?

    This message was posted by a user wishing to remain anonymous
    Posted 10-16-2019 12:39 PM

    Because there is pending litigation, I am posting this anonymously.  Our scary story and big lesson learned, ironically, came when we were building out our Third Party Risk Management function. We thought that a vendor-hosted Vendor Management system was our panacea (vs. our home-grown, in-house developed process). The vendor is known in the industry and was trying to get into the vendor management space. Knowing that we would be the first of a handful of banks, we jumped right in and not only licensed the platform, but all of the bells-and-whistles add-on modules (due diligence, risk assessment, contracting).

    Unfortunately, needless to say, the software took longer to develop than anticipated, there was turnover in the vendor's development team, we asked for some customizations... long story short, it took a year and there was still no working application. By then all of our licenses were up for renewal. The vendor would not waive fees despite not having a working product.

    Our lessons learned were to always perform due diligence regardless of how well known the vendor is, AND to only have licensing fees start upon a functioning product. We now require this in every contract where there is software development or where implementation is required.  If we purchase separate add-on modules, each module's licensing fees may start at a different time, depending on when it goes live.