At TD Bank, Continuous Vendor Monitoring Stops Third-Party Failures From Hitting CX
Rohit Hajela, Group Manager of Technology Vendor Management at TD Bank, on why third-party failures become CX failures, and how risk-based monitoring changes that.

Key Points
When a third-party vendor fails, customers experience it as your failure, and most organizations aren't governed tightly enough to catch problems before that happens.
Rohit Hajela, Group Manager of Technology Vendor Management at TD Bank, explains why vendor oversight can no longer stop at the contract and why spend-based evaluation leaves organizations dangerously exposed.
He recommends governing critical vendors by risk, not cost, and using continuous monitoring to catch AI changes, cyber threats, and disruptions before they surface as CX failures.
Third-party vendor risk used to sit in procurement. Today it lives inside every customer interaction. When vendors fail, the customer experience fails with them. Contact center automation, real-time personalization, and AI-driven service delivery all depend on ecosystems the host organization doesn't fully control. CIOs and CTOs now rank AI-driven vendor risk on par with core cybersecurity threats, yet most organizations are still running governance models built for a world where vendor relationships moved slowly and contracts were enough.
Rohit Hajela is the Group Manager of Technology Vendor Management at TD Bank, where he has delivered over $2 billion in cumulative technology procurement savings. He also created the OSFI/OCC-aligned Technology Vendor Management Certificate, a practical training program for procurement, risk, and compliance teams navigating AI-era vendor relationships. He believes the organizations best positioned to protect their customer experience are the ones that have stopped treating vendor oversight as a back-office function.
"Customer experience is no longer defined only by what you control internally. It is shaped by the entire external ecosystem behind your service, and when a third party fails, the customer experiences that as your failure," says Hajela. For him, that accountability is not a legal technicality. It is the operational reality that makes vendor governance a customer experience function, not just a compliance one.
The gap between vendor contract and vendor accountability is where customer experience is won or lost. Most organizations have signed agreements in place. Far fewer have the governance infrastructure to know when something in that ecosystem is quietly going wrong. An external outage can easily derail call center performance and stall modern customer motions. Mature organizations centralize vendor oversight continuously, but many still operate with fragmented or incomplete programs that leave them unable to respond until a customer already feels the impact.
Your brand, their bug: "When third-party failure becomes customer pain, the responsibility lies with the organization itself because customers don't know who your third-party vendors or fourth-party contractors are," explains Hajela. "You must make sure all vendors are complying with rules, regulations, and compliance requirements to provide a smoother experience for end customers. The responsibility 100 percent lies with the organization." Consumers typically don't see the deep web of contractors powering their services, so the host organization takes the blame. Because of that, rules and regulations serve as the operational safety net: demanding updated SOC 2 reports, enforcing SLA requirements, and ensuring any vendor with access to organizational data has no unresolved findings.
Signed, sealed, scattered: "There are still lots of organizations out there that do not have a fully functional third-party risk management (TPRM) program or vendor management team, and those organizations are not prepared," notes Hajela. "Some have bits and pieces of procurement and are just dealing with contracts, with no ongoing monitoring happening after the contract is signed. Some organizations do have vendor management teams that take care of ongoing monitoring, but it's scattered, not centralized." The gap in maturity is not binary. Some organizations have no vendor function at all. Others have procurement teams handling contracts but no ongoing monitoring. Others have monitoring but no centralization. For customer-facing operations, each stage carries a different kind of exposure: from a vendor outage that takes down an AI-powered service channel to a compliance gap that surfaces only after a customer data incident.
The first step is knowing which vendors actually matter. Risk-based governance only works if the people inside the organization actually follow it. Getting teams to adopt a new evaluation mindset requires a cultural shift, and when leadership champions the approach, TPRM transforms from a roadblock into a strategic function that drives competitive advantage and successful delivery.
Price tags, red flags: "If someone is buying a $10 gadget, we need to understand if that causes serious risk to the organization. What information are we sharing with the vendor?" says Hajela. "Instead of a dollar-spend-based evaluation, we need to shift the focus from spend to risk and evaluate the risk involved, irrespective of whether it's a $10 gadget or a $10 million gadget." Evaluating risk rather than spend allows an organization to properly scrutinize low-cost AI tools without bogging down low-risk purchases in unnecessary review.
Top-down or teardown: "In terms of implementation, it needs to be a top-down approach. The seriousness of a TPRM program needs to flow from the top," says Hajela. "Leaders should get together and socialize why the TPRM program is necessary and what the benefits are. You can make endless policies, but if people aren't following them, it's a fail." Without that organizational buy-in, vendor engagement proceeds without oversight, and the governance function that was meant to protect the business quietly becomes optional.
Vendors are no longer static infrastructure. A vendor silently pushing an AI update fundamentally alters a company's risk profile, and external shocks such as bankruptcy filings, regional conflicts, or cybersecurity events can destabilize a relationship overnight. Forward-thinking organizations are responding by shifting from periodic reviews to continuous, real-time monitoring that catches both kinds of change before they reach the customer.
Silent but algorithmic: "A lot of vendors are suddenly deploying AI-based solutions. That is a fundamental change in how they deliver their solution, and that risk needs to be captured," explains Hajela. "We need to understand how they are building their model. Are there bias risks? Are there hallucination risks involved? Your model risk team needs to review this change and verify that the model is safe." For many organizations, that starts with model risk review: understanding how a vendor built their AI, what data it was trained on, and whether the governance structure around it satisfies internal and regulatory standards.
Geopolitics and glitches: "There are services you can subscribe to that deliver real-time vendor risk alerts. Based on each alert, you can decide whether it materially affects your operations and take action," adds Hajela. "Some services even deliver real-time alerts on cybersecurity threats impacting your vendor. You need to know that immediately. This is how you continuously monitor the vendor relationship and assess emerging risks." Subscribing to a real-time awareness service is only half the equation. The other half is building the internal judgment to know which alerts materially affect operations and move fast when they do.
The organizations that get this right share one trait: they started before the crisis. Building a mature TPRM function takes time, and the pace of AI-driven vendor change is not slowing down. "It's not a switch you can turn on overnight so that vendor risk is suddenly treated equally to internal risk," says Hajela. "With the speed at which we are going right now, there will be no time for people to react. Waking up after a disaster is the worst way to wake up."
The alternative is to treat the work as a competitive investment rather than a compliance burden. Organizations that build tight governance around their most critical vendors, the ten or twenty that business continuity genuinely depends on, gain something beyond risk reduction. Those vendors become innovation partners, helping build the capabilities that make the organization stand out. "Your success depends on their success," Hajela notes. "Once you work closely with your third-party vendors, they are the ones who can help you build those capabilities which make your organization stand out and build a competitive advantage in the marketplace."





