Most regulated firms have supplier exit plans. They are typically well-structured documents: transition steps set out in sequence, alternative providers named, contractual exit rights referenced, timelines stated. In many cases, they run to dozens of pages.

The problem is not the plans. The problem is that the plans describe a world in which the exit is managed, consensual, and cooperative. The supplier provides adequate notice. The alternative provider is ready to onboard. Data transfers happen to contracted timelines. The transition period is orderly.

That world is not the one regulators are testing against. And the gap between what the plan describes and what an unplanned, stressed supplier exit actually looks like is where most firms are currently exposed.

What Regulators Are Actually Asking

The regulatory framework governing supplier exit planning involves three overlapping obligations that, taken together, have moved the standard materially beyond documentation.

PRA SS2/21 requires firms to develop, maintain, and test exit plans for every material outsourcing arrangement. The PRA is explicit that testing must assess operational and financial feasibility, and that stressed exit scenarios, where a supplier fails, enters financial difficulty, or delivers materially degraded service, must be specifically addressed. Testing is not optional and is not satisfied by a document review. It requires a structured assessment of whether the plan would actually work under the conditions it describes.

FCA SYSC 15A, read alongside Cloud Outsourcing Guidance FG15/5, requires that exit plans are understood, documented, and fully tested. The FCA expects firms to know how they will transition to an alternative provider while maintaining continuity of their Important Business Services, to have contractual provisions requiring supplier cooperation on transition, and to have tested the practical mechanics of data removal and return on exit.

The FCA's October 2024 observations following the CrowdStrike incident are the clearest recent statement of the supervisory standard. The FCA identified two specific risk areas: weak exit strategies and the inability to stand up alternative arrangements at pace. Those are not general concerns about framework adequacy. They are specific findings about the gap between documented plans and executable capability.

For firms with EU-regulated entities or material EU-facing operations, DORA Article 28 adds a further layer. DORA requires exit strategies for each ICT service supporting critical or important functions, a mandatory adequate transition period embedded in contractual arrangements, and testing where dependency or lack of substitutability elevates the risk of a disorderly exit. The ESA Joint Paper on DORA implementation is explicit that testing is expected precisely where a failed exit would be most damaging.

Why Documented Plans Do Not Satisfy the Standard

A 40-page exit plan drafted in 2023 and never walked through is not evidence of exit feasibility. It is documentation of intent.

The distinction matters because the assumptions that underpin a documented plan are rarely challenged until the plan is tested. Testing forces questions to the surface that documentation simply cannot answer.

The alternative provider named in the plan may not have the current capacity to onboard within the transition timeline assumed. Markets change, providers consolidate, and contractual terms shift. A plan that named a viable alternative in 2022 may not describe a viable alternative today.

The data portability requirements in the plan may not be reflected in the current contract with the supplier. Contractual provisions for data return, system access during transition, and cooperation obligations are frequently more limited than the exit plan assumes, and those limits only become visible when the contract is reviewed against the plan's requirements under test conditions.

The people named as responsible for managing the transition may have changed. Key individuals who understood the supplier relationship and the technical dependencies at the time the plan was written may have left the firm, moved to different roles, or simply never been briefed on the plan at all.

The technology dependencies mapped when the plan was written may have evolved substantially. If the firm has migrated systems, added integrations, or changed its operational architecture since the plan was last updated, the dependency structure the plan describes may no longer reflect reality.

None of these gaps are visible from the document itself. Every one of them surfaces through testing.

What a Realistic Stressed Exit Test Looks Like

Testing against an unrealistically manageable scenario produces unrealistically reassuring results. The PRA's emphasis on severe but plausible scenarios in SS1/21 applies with equal force to supplier exit testing under SS2/21. Supervisors recognise the difference between a test designed to find genuine weaknesses and one designed to confirm a plan's assumptions.

A realistic stressed exit scenario for a material supplier incorporates conditions that reflect how an actual exit would occur under pressure. The onset is without advance warning: the supplier does not provide a structured notice period, and the firm is required to make an activation decision in real time without certainty about whether the disruption is temporary or terminal. The timing is adverse: the disruption occurs during a high-volume processing period or at a point where the firm cannot defer the decision or absorb the impact in a low-risk window.

Root cause ambiguity is part of the scenario. The firm cannot immediately determine whether to activate the exit plan or wait for recovery, which replicates the actual decision environment of a real incident and tests whether the decision-making framework in the plan is fit for purpose under uncertainty. Transition friction is built in: the alternative provider requires a longer onboarding period than the plan assumed, data portability is slower than contracted, and regulatory notification obligations under FCA SYSC 15A are triggered by the impact tolerance breach before the transition is complete.

The firm is required to manage concurrent pressures: client communications, internal escalation, regulatory notification, and active transition all run at the same time, with no room for sequential decision-making. This is the standard against which a mid-afternoon supplier failure on a Tuesday would be managed. The exit plan should be able to support that.

For ICT third parties specifically, the scenario should additionally test data recovery and integrity, system failover assumptions, and whether the recovery time objectives stated in the plan are achievable given the firm's actual infrastructure dependencies, not the dependencies that existed when the plan was written.

The Evidence Set That Demonstrates Tested Capability

Passing through a tested exit programme is necessary but not sufficient on its own. The evidence produced by the programme is what creates the regulatory defensibility. Supervisors examining supplier exit capability are looking for a specific set of documentation that together demonstrates the firm's programme is proportionate, structured, and actively managed.

A supplier risk assessment and tiering rationale, documenting how each material outsourcing arrangement was assessed for substitutability, operational dependency, concentration risk, and data classification, is the foundation. It demonstrates that the firm has approached exit testing with proportionality rather than uniformity, and that the testing tier allocated to each supplier reflects the actual risk that supplier represents.

Current, version-controlled exit plans for each in-scope supplier, incorporating documented termination triggers, viable exit options with financial feasibility estimates, and a transition plan that reflects the firm's current operating model, sit alongside the tiering rationale. Plans drafted before a technology migration or a change in alternative provider availability, and not subsequently updated, do not meet this standard.

Pre-approved test plans for each tested supplier, with defined objectives and participant responsibilities, establish the methodology baseline. Post-test reports documenting scope, findings, feasibility assessments, and execution gaps identified create the contemporaneous test record. A remediation log connecting findings to owners, target dates, and completion status demonstrates active management of identified weaknesses. Board or governance reporting confirming that testing outcomes were presented and reviewed, and that any material gaps generated a remediation decision, closes the governance trail.

This is the evidence set that supports a supervisory review. A documented plan that has never been walked through produces none of it.

The Governance Dimension

There is a dimension to supplier exit testing that sits above the operational and regulatory compliance case. Testing demonstrates to boards and to regulators that senior management has genuinely interrogated the firm's exit readiness, not simply commissioned documentation and received a report confirming it exists.

That distinction matters directly under the Senior Managers and Certification Regime. The SMF24 who holds personal accountability for operational resilience must be able to demonstrate active oversight of the firm's supplier exit capability, not passive assurance that plans are on file. A testing programme with a board-reported outcomes record creates that demonstration. A documented plan that has never been reviewed under test conditions does not.

The CrowdStrike incident and the FCA's subsequent observations have made the governance expectation concrete. Firms whose boards can demonstrate they reviewed tested exit capability in the year prior to a major third-party disruption are in a materially different position, both commercially and reputationally, from those whose boards were relying on undocumented assurances that plans existed.

Starting the Process

For most firms, the most practical first step is a structured assessment of the current exit plan position across the material outsourcing portfolio: mapping what plans exist, identifying the gap between documentation and execution, tiering the supplier population by risk, and producing a prioritised testing roadmap.

That is the scope of FourthLine's Supplier Exit Testing Diagnostic: a fixed-fee, 4 to 6 week engagement that produces a supplier dependency map, an annotated exit plan gap register distinguishing documentation gaps from genuine execution gaps, a risk-based tiering of the supplier portfolio, and a full programme proposal for firms that want to proceed to live testing.

For firms that have already completed a diagnostic or have a clear view of their supplier risk profile, the Full Testing Programme moves directly to exit plan development, scenario design, live facilitated testing, and regulatory evidence pack production.

Both configurations are available as standalone programmes or integrated within the Annual Resilience Retainer for firms where third-party risk management is a persistent programme priority.