
TPRM: 10 Elements of a Quality Exit Plan


Exit Planning

A quick search of "exit plan" in today's Bing news feed reveals that Ian Maatsen's father is planning an exit for his son from Chelsea and a spoiler alert regarding a character's exit from long-running teen soap, Hollyoaks (Carter if you're interested).

However, exit plans mean something entirely different for those involved in implementing and managing Operational Resilience, Third-Party Risk Management and DORA.

Exit Planning is a high-value strategy to end/alter the existing delivery mechanism of a supplier arrangement in a stressed scenario. It tells a firm what it must do to maintain the service if the supplier can no longer deliver according to the required service levels.

There are requirements for exit planning in FCA and PRA regulation on Outsourcing and Third-Party Risk Management. Despite the requirements to draft exit plans for material suppliers, in our experience, many firms do not have exit plans in place for even their most critical of suppliers.

Ten elements of a quality exit plan

In many cases, well-crafted exit plans are presented in two parts. The first part of the report is a summary of steps and required actions for management and the second part is often focused on the "workings out", such as the risk assessment which feeds into the first section.

Regardless of how you set out the exit plan, we've listed ten requirements of a quality exit plan.

1. Description of the relationship

Presented in a narrative format, this section provides the context to the plan by describing the relationship to date, outlining key initiatives, any changes, product updates and a general sense of the health of the relationship to date.

It should also include information such as the services or products being delivered, where those are located, the contract duration, contract type, contract expiry date, plus information on where the agreement is stored internally.

2. Roles & Responsibilities

Not surprisingly, this section articulates the roles and responsibilities of individuals on both sides of the relationship with respect to the supplier arrangement.

It should also include specific contact information for each person including mobile number.

3. Key Activities

This section should describe the individual steps and activities to be undertaken in the event of a stressed exit and how they will be executed, managed and governed.

The activities should also cover where the scenario requires mitigation, for example what is required to ensure continued service from subcontractors, what internal comms are required and what your contractual rights are. Each activity should record who is responsible for it and include a brief description of the activity.

A firm needs to show how this collection of activities has been decided upon. Therefore, rationale and considerations should be documented in part two of the plan or in an appendix.

4. Readiness Assessment Against Key Scenarios

Through a detailed risk analysis (documented in part two of the plan) based on threats from both internal and external sources, the exit plan should outline the moderate and high likelihood risk scenarios which may lead to a stressed exit, document the likely impacts of the scenarios and the associated recovery options.

A high-level analysis and summary should be documented which determines the firm's readiness and capability to respond to the outlined scenarios.

5. Action Summary

This section is dynamic and neatly summarises outstanding actions required to operationalise the exit plan and serves to condense, at a high level, required initiatives and responsible and accountable owners.

6. Orderly Exit

This section will articulate the considerations for an orderly exit (i.e., an exit which is planned) and document how long such a transition is likely to take, and any required actions to support an orderly exit, which would be documented in the action summary.

7. Risk Assessment of Existing Risks

This is an articulation of recent risk events associated with the existing product or service which have been identified or logged by the firm.

It should list the event, the date and a light risk assessment, document any actions associated with the event, and outline guidance on the threshold for invoking a stressed exit, e.g. a material data breach causing reputational damage.

8. Stressed exit scenario analysis

This section is where firms will document the more detailed and comprehensive risk analysis feeding the readiness assessment further up in the plan.

Risks should be both internal and external, and should consider wider market issues and trends as well as ones more specific to the firm. Listed risks should be relevant to the products and services delivered. For each, this section will articulate the scenario, the likelihood, potential contributory factors, the impact and the recovery strategies.

9. Monitoring triggers and impact tolerances

This section establishes monitoring triggers and impact tolerances for those risks leading to medium and high-risk scenarios. These triggers and tolerances will feed up into risk committees and form part of active risk reporting.    

This section should also articulate the timing requirements to draft and potentially enact the exit plan once thresholds are close to breach or have been breached.

10. Scenario testing

This section covers the required scenario tests for firms to understand how prepared they are to respond to, adapt to and recover from a stressed exit. This section will list the stressed exit test scenarios, document when testing should take place and any required regular testing cadence.

 
How FourthLine can help
If you're interested in exploring how FourthLine can support your TPRM Exit Strategy, feel free to reach out here or schedule a meeting with one of our experts today.
May 2, 2024
Daniel Waltham
Responsible for leading client relationships and new business sales. Dan takes a lead role in customer engagement, identifying, creating and designing solutions to help our customers with risk and regulatory challenges. 13 years of experience working with financial services businesses across risk, compliance, data protection and regulatory change.