Third-Party Business Continuity: How to Assess and Monitor Vendor Resilience

TL;DR:

  • Your BCP is only as strong as your weakest vendor — and 49% of financial institutions experienced a vendor-related cyber incident in the past year (Ncontracts 2025 TPRM Survey).
  • The 2023 Interagency Guidance on Third-Party Relationships requires business continuity assessment across the entire vendor lifecycle — from due diligence through ongoing monitoring and termination.
  • This guide covers what to require contractually, how to assess vendor BCPs during due diligence, and how to build ongoing resilience monitoring that actually catches problems before they become outages.

Your BCP Is Only as Strong as Your Weakest Vendor

On January 16, 2025, a power outage at FIS Global — one of the largest technology providers in financial services — knocked Capital One’s banking services offline for three days. Thousands of customers couldn’t access their accounts, process payments, or receive direct deposits. Capital One restored full service on January 19, but the damage was already done: a class-action lawsuit was filed by January 29, and the incident became a textbook case of third-party business continuity failure.

Capital One didn’t have a power outage. Capital One didn’t have a system failure. Capital One’s vendor had a problem — and Capital One’s customers paid the price.

This is the reality of third-party business continuity: your vendor’s failure is your operational failure. Regulators don’t care that the root cause was outside your four walls. Customers definitely don’t care. And the CrowdStrike outage in July 2024, a faulty sensor update that crashed Windows hosts worldwide and caused an estimated $5.4 billion in losses across Fortune 500 companies, with banking and healthcare hit hardest (per insurer Parametrix), showed that vendor concentration risk isn’t theoretical. It is a recurring event, not a one-off.

Yet most financial institutions are trying to manage this risk with skeleton crews. According to the Ncontracts 2025 Third-Party Risk Management Survey, 73% of respondents have two or fewer full-time employees managing vendor risk — while more than half oversee 300+ vendors. The Ncontracts 2026 survey confirmed the gap hasn’t closed: 63% of TPRM programs still operate with just one or two dedicated staff.

That math doesn’t work. Here’s how to make it work anyway.

What Regulators Actually Expect for Vendor Business Continuity

The 2023 Interagency Guidance

In June 2023, the OCC, Federal Reserve, and FDIC jointly issued the Interagency Guidance on Third-Party Relationships: Risk Management. This replaced the OCC’s standalone OCC Bulletin 2013-29 and harmonized expectations across all three federal banking agencies for the first time.

The guidance explicitly requires banks to evaluate a third party’s business continuity capabilities at multiple stages:

Lifecycle Stage      | What to Assess
Planning             | Identify which third parties support critical business functions and include them in your BIA
Due Diligence        | Review the vendor’s BCP, DRP, pandemic plan, and testing results before signing
Contract Negotiation | Include specific BCP requirements: RTO/RPO commitments, notification timeframes, testing evidence, right to audit
Ongoing Monitoring   | Review updated BCPs annually, validate testing results, track incidents
Termination          | Ensure continuity of critical services during transition; have a documented exit strategy

FFIEC BCM Booklet — Third-Party Dependencies

The FFIEC Business Continuity Management booklet (revised 2019) wove third-party considerations throughout the entire document rather than confining them to an appendix. Key expectations include:

  • Include third-party dependencies in your BIA — map which vendors support each critical business function, and assess the impact if that vendor becomes unavailable
  • Require third-party testing — your vendors should participate in your testing exercises, or at minimum provide evidence of their own BCP testing (Section VII.I)
  • Address concentration risk — document when multiple critical functions depend on the same vendor or the same vendor’s infrastructure
  • Maintain substitutability assessments — for critical vendors, evaluate how quickly you could transition to an alternate provider

EU DORA (For Global Operations)

If your institution operates in or serves EU markets, the Digital Operational Resilience Act (DORA) — applicable since January 17, 2025 — adds requirements specifically targeting third-party ICT providers. DORA requires financial entities to maintain a comprehensive register of all contractual arrangements with ICT third-party service providers and establishes EU-level oversight of “critical ICT third-party providers.” Even U.S.-based institutions should pay attention: if your vendor serves EU-regulated clients, DORA’s requirements may flow down to you contractually.

How to Assess Vendor BCPs During Due Diligence

Not all vendor BCP assessments are created equal. A checklist that asks “Do you have a BCP? Yes/No” is worthless. Here’s what to actually evaluate:

The 7-Point Vendor BCP Assessment

1. Scope and Coverage

Does the vendor’s BCP cover the specific services they provide to you, or is it a generic corporate plan that doesn’t address your particular engagement? A cloud provider’s BCP for their corporate offices is irrelevant if you need to know how they recover the data center hosting your core banking platform.

Questions to ask:

  • Does the BCP specifically address the services/products provided to our institution?
  • Are the systems and infrastructure supporting our engagement explicitly included in recovery procedures?

2. Recovery Objectives

What are the vendor’s documented RTO and RPO targets for the services they provide to you? They must be at least as tight as your own BIA-defined recovery objectives: a vendor RTO or RPO that is longer than yours means your plan cannot be met no matter how well your own recovery goes.

Questions to ask:

  • What is the RTO for restoring our specific services?
  • What is the RPO — how much data could we lose in a worst-case scenario?
  • How do these compare to our contractual SLAs?

Your BIA Classification | Your RTO Target | Vendor RTO Required
Essential/Critical      | ≤ 4 hours       | ≤ 2 hours (buffer for coordination)
Important               | ≤ 24 hours      | ≤ 12 hours
Deferred/Non-critical   | ≤ 72 hours      | ≤ 48 hours

The vendor’s RTO must be shorter than your own because your recovery work (validating data, reconnecting downstream systems, notifying customers) only begins once the vendor’s service is back; the gap between the two columns is the time reserved for it.

3. Testing Evidence

The single most important indicator of BCP quality. A plan that’s never been tested is a plan that won’t work.

What to request:

  • Most recent BCP/DRP test results (full test report, not just a summary)
  • Test frequency — annually is the minimum; critical vendors should test semi-annually
  • Test type — tabletop exercises are a start, but for critical vendors you want evidence of simulation or full failover tests
  • Identified gaps and remediation status from the most recent test

4. Geographic and Infrastructure Resilience

Where are the vendor’s primary and backup facilities? Are they in the same geographic region, exposed to the same natural disasters and the same power grid? Do they rely on a single data center, or do they have active-active or warm standby configurations? Note that two regions of the same cloud provider still share that provider’s account and global control plane, so multi-region is not the same as multi-provider.

5. Supply Chain Dependencies (Fourth-Party Risk)

Your vendor has vendors too. If your core banking provider runs on a single cloud provider, a regional outage at that provider becomes your outage. The same applies to software your vendor deploys fleet-wide: the July 2024 CrowdStrike incident was a faulty endpoint sensor update, not a cloud outage, and it still took down vendors who had never treated an endpoint agent as a critical dependency. Your vendor’s BCP is only as strong as their own vendors’ resilience.

Questions to ask:

  • Who are your critical subcontractors/subservice organizations for the services you provide us?
  • Do you assess their BCPs?
  • Will you notify us of material changes to your subcontractor relationships?

6. Communication and Notification Protocols

How will the vendor notify you during a disruption? What’s the escalation path? The Capital One/FIS incident showed that inconsistent and delayed customer communication compounds the operational damage.

What to require:

  • Designated incident contact and escalation path
  • Notification within a defined timeframe (1-2 hours for critical vendors)
  • Status update cadence during active incidents
  • Post-incident root cause analysis within 30 days

7. Pandemic and Remote Work Capabilities

Post-COVID, this should be standard, but verify it. Can the vendor maintain service delivery with a fully remote workforce? What happens if a key person is unavailable?

Red Flags That Should Kill a Vendor Engagement

  • “We don’t share our BCP for security reasons” — a legitimate vendor will share relevant sections under NDA. Refusal to share anything is a dealbreaker for critical services.
  • BCP hasn’t been updated in 2+ years
  • No evidence of testing — ever
  • RTO/RPO targets that are longer than your requirements allow, with no path to alignment
  • Single point of failure in infrastructure (one data center, one region, one cloud provider)

What to Require Contractually

Your contract is where BCP expectations become enforceable. Don’t rely on handshake agreements or “we’ll figure it out.” Every critical vendor contract should include:

Essential Contract Provisions

Provision                       | Why It Matters
RTO/RPO commitments             | Ties recovery objectives to your BIA requirements; gives you recourse if they miss targets
Notification timeframe          | Specify 1-2 hours for critical service disruptions, not “as soon as practicable”
Right to audit                  | Access to review their BCP, test results, and incident response procedures
Annual testing evidence         | Contractual obligation to share BCP test results annually (or more frequently)
Subcontractor notification      | Require advance notice of material changes to their critical subcontractors
Exit/transition support         | Define the vendor’s obligations to support a transition if the relationship terminates, including data return, parallel operation, and knowledge transfer
Financial penalties             | Service credits or other remedies for failing to meet RTO/RPO commitments
Participation in your exercises | For critical vendors: require participation in your annual tabletop exercise

Sample Contract Language

Here’s language you can adapt for your vendor agreements:

“Vendor shall maintain and test a business continuity plan and disaster recovery plan at least annually. Vendor shall provide [Institution] with a summary of test results, including identified gaps and remediation plans, within thirty (30) days of each test. Vendor’s recovery time objective for Services shall not exceed [X] hours, and recovery point objective shall not exceed [X] hours. Vendor shall notify [Institution] of any event that may materially impact the delivery of Services within two (2) hours of becoming aware of such event.”

Two details worth pinning down in negotiation: define what “becoming aware” means (a monitoring alert or customer report, not a confirmed root cause), and extend the notification duty to disruptions that originate at the vendor’s own subcontractors.

Building Ongoing Resilience Monitoring

Assessment at onboarding isn’t enough. Vendors change. Their infrastructure changes. Their subcontractors change. Here’s how to monitor vendor resilience continuously:

Annual Review Cycle

Every critical vendor should go through a formal annual BCP review. At minimum:

  1. Request updated BCP/DRP documentation — compare against the prior year’s version for material changes
  2. Review latest test results — look for recurring gaps that haven’t been remediated
  3. Validate RTO/RPO alignment — has your own BIA changed? Do the vendor’s targets still meet your needs?
  4. Check subcontractor changes — has the vendor changed any critical subservice organizations?
  5. Review incident history — any disruptions in the past 12 months? What happened, how long did recovery take, what changed as a result?

Trigger-Based Reviews

Don’t wait for the annual cycle when something changes. Trigger an immediate review when:

  • The vendor reports a service disruption or security incident
  • The vendor undergoes a merger, acquisition, or leadership change
  • Your own BIA is updated and the vendor supports a newly classified critical function
  • The vendor changes its primary data center, cloud provider, or infrastructure
  • Industry events highlight new risks (e.g., a major outage at a shared provider)

Concentration Risk Dashboard

Build a simple concentration risk view. Map your critical functions to vendors, and your vendors to their infrastructure:

Critical Function       | Primary Vendor | Vendor’s Cloud/Infra | Backup Vendor      | Concentration Risk
Core Banking            | Vendor A       | AWS us-east-1        | None               | HIGH: single vendor, single region
Payment Processing      | Vendor B       | Multi-region         | Vendor C (dormant) | MEDIUM: backup exists but untested
Customer Communications | Vendor D       | Azure                | Vendor E (active)  | LOW: active dual-vendor model

If multiple critical functions depend on the same vendor — or the same vendor’s infrastructure — that’s concentration risk. Document it, escalate it, and have a plan for what happens when that single point of failure fails.
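
The dashboard above is a point-in-time snapshot; the same view can be generated from a vendor inventory so it stays current as vendors and subcontractors change. The Python below is an added example written for this article, not a tool from the article, from any regulator or from any vendor product. It follows each vendor’s subcontractor chain down to the underlying infrastructure, applies the RTO buffer table and the red flags from the 7-point assessment, and reports which vendors and which infrastructure nodes more than one function depends on. It also catches a case the table does not show: a “backup” vendor that runs on the same infrastructure as the primary. All vendor names, regions and hour values are constructed sample data.

```python
# Added example for this article, not code from the page, a regulator or any vendor product.
# All vendor names, regions and hour values below are constructed sample data.
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Vendor RTO required per BIA tier, in hours (the article's buffer table); annual testing is the minimum.
VENDOR_RTO_LIMIT_HOURS = {"critical": 2, "important": 12, "deferred": 48}
MAX_TEST_AGE_MONTHS = 12

@dataclass
class Vendor:
    name: str
    rto_hours: float
    infra: List[str]                                         # regions / data centres the service runs in
    subcontractors: List[str] = field(default_factory=list)  # fourth parties, by vendor name
    tested_months_ago: Optional[int] = None                  # None = no BCP test evidence at all

@dataclass
class CriticalFunction:
    name: str
    tier: str                 # "critical", "important" or "deferred"
    primary: str              # primary vendor name
    backup: Optional[str] = None
    backup_tested: bool = False

def infra_footprint(vendor: str, vendors: Dict[str, Vendor], seen: Optional[Set[str]] = None) -> Set[str]:
    """Every infrastructure node a vendor ultimately runs on, following its subcontractor
    chain (fourth parties). `seen` stops cyclic subcontracting from recursing forever."""
    seen = set() if seen is None else seen
    if vendor in seen:
        return set()
    seen.add(vendor)
    nodes = set(vendors[vendor].infra)
    for sub in vendors[vendor].subcontractors:
        nodes |= infra_footprint(sub, vendors, seen)
    return nodes

def assess(fn: CriticalFunction, vendors: Dict[str, Vendor]) -> Tuple[str, List[str]]:
    """Rate one function's vendor arrangement HIGH / MEDIUM / LOW and list the red flags found."""
    v, findings = vendors[fn.primary], []
    limit = VENDOR_RTO_LIMIT_HOURS[fn.tier]
    if v.rto_hours > limit:
        findings.append(f"RTO {v.rto_hours:g}h exceeds the {limit}h required for a {fn.tier} function")
    if v.tested_months_ago is None:
        findings.append("no BCP test evidence")
    elif v.tested_months_ago > MAX_TEST_AGE_MONTHS:
        findings.append(f"last BCP test {v.tested_months_ago} months ago")
    primary_nodes = infra_footprint(fn.primary, vendors)
    if len(primary_nodes) == 1:
        findings.append(f"single infrastructure location: {next(iter(primary_nodes))}")
    if fn.backup is None:
        rating = "HIGH"
        findings.append("no backup vendor")
    elif not fn.backup_tested:
        rating = "MEDIUM"
        findings.append("backup vendor exists but failover is untested")
    else:
        rating = "LOW"
    # A backup that fails alongside the primary is not a backup: shared nodes escalate to HIGH.
    if fn.backup is not None:
        shared = primary_nodes & infra_footprint(fn.backup, vendors)
        if shared:
            rating = "HIGH"
            findings.append("backup shares infrastructure with primary: " + ", ".join(sorted(shared)))
    return rating, findings

def concentration(functions: List[CriticalFunction], vendors: Dict[str, Vendor]):
    """Vendors and infrastructure nodes that more than one function depends on (concentration risk)."""
    by_vendor, by_infra = defaultdict(set), defaultdict(set)
    for fn in functions:
        by_vendor[fn.primary].add(fn.name)
        for node in infra_footprint(fn.primary, vendors):
            by_infra[node].add(fn.name)
    def shared_only(m):
        return {k: sorted(v) for k, v in m.items() if len(v) > 1}
    return shared_only(by_vendor), shared_only(by_infra)

# Constructed sample inventory (illustrative names, regions and values).
VENDORS = {v.name: v for v in [
    Vendor("Vendor A", 6, ["AWS us-east-1"], tested_months_ago=18),
    Vendor("Vendor B", 2, ["AWS us-east-1", "AWS us-west-2"], subcontractors=["Vendor F"], tested_months_ago=6),
    Vendor("Vendor C", 8, ["Azure eastus"], tested_months_ago=3),
    Vendor("Vendor D", 10, ["Azure eastus"], tested_months_ago=2),
    Vendor("Vendor E", 4, ["GCP us-central1"], tested_months_ago=4),
    Vendor("Vendor F", 1, ["AWS us-east-1"]),  # fourth party: Vendor B's payment switch runs here
]}
FUNCTIONS = [
    CriticalFunction("Core Banking", "critical", "Vendor A"),
    CriticalFunction("Payment Processing", "critical", "Vendor B", "Vendor C"),
    CriticalFunction("Customer Communications", "important", "Vendor D", "Vendor E", backup_tested=True),
    CriticalFunction("Statement Generation", "important", "Vendor D", "Vendor C", backup_tested=True),
]

if __name__ == "__main__":
    for fn in FUNCTIONS:
        print(fn.name, *assess(fn, VENDORS))
    print("Shared vendors / shared infrastructure:", *concentration(FUNCTIONS, VENDORS), sep="\n  ")
```

Run stand-alone it prints one line per function plus the two concentration maps. Note what the data shows: Payment Processing looks multi-region on Vendor B’s own paperwork, but its fourth party (Vendor F) pulls it back onto AWS us-east-1, the same node Core Banking depends on; and Statement Generation’s tested backup is rated HIGH because Vendor C and Vendor D both run in Azure eastus. Feed it your real inventory and the trigger-based reviews above become a diff against yesterday’s output.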

The 90-Day Vendor Resilience Implementation Roadmap

Days 1-30: Foundation

Owner: TPRM Lead or Compliance Officer

  • Inventory all vendors that support critical business functions (cross-reference with your BIA)
  • Classify vendors into risk tiers (critical, high, moderate, low) based on the business function they support
  • For critical vendors: request current BCP/DRP documentation and most recent test results
  • Identify contracts expiring in the next 12 months — prioritize adding BCP provisions at renewal

Deliverable: Critical vendor inventory with BCP assessment status

Days 31-60: Assessment and Gaps

Owner: TPRM Lead, with input from IT and business line owners

  • Complete the 7-point BCP assessment for all critical vendors
  • Flag vendors with red flags (no BCP, no testing, misaligned RTOs)
  • Draft standard BCP contract addendum language for upcoming renewals
  • Build concentration risk dashboard
  • Begin remediation conversations with vendors who have gaps

Deliverable: Vendor BCP gap report and contract addendum template

Days 61-90: Integration and Testing

Owner: TPRM Lead and BCP Program Owner

  • Integrate vendor BCP assessments into your annual BCP review cycle
  • Include at least one critical vendor in your next tabletop exercise
  • Establish trigger-based review criteria and assign monitoring responsibilities
  • Present concentration risk findings and vendor BCP gap report to senior management or board
  • Set calendar for annual vendor BCP reviews

Deliverable: Integrated vendor resilience monitoring program, board report on concentration risk

So What? Why This Matters Right Now

The regulatory trajectory is clear: vendor resilience is no longer a nice-to-have appendix item. The 2023 Interagency Guidance made it a core lifecycle expectation. DORA made it law in Europe. The FFIEC BCM booklet integrated it throughout the examination handbook.

And the real-world incidents keep coming. Capital One’s three-day outage from FIS. The $5.4 billion CrowdStrike impact. These aren’t edge cases — they’re the new normal in an industry where critical functions are increasingly outsourced.

The institutions that come through these disruptions intact are the ones that assessed vendor BCPs before signing the contract, required specific recovery commitments, tested those commitments with their vendors, and monitored for changes.

The ones that don’t? They end up on the wrong end of a class-action lawsuit, explaining to their board and their regulator why they didn’t know their critical vendor had a single point of failure.

Don’t build your vendor BCP program from scratch. The Business Continuity & Disaster Recovery Kit includes BIA templates, crisis communication templates, and BCP testing frameworks that cover third-party dependencies out of the box. Pair it with the Third-Party Risk Management Kit for complete vendor lifecycle coverage.

FAQ

How often should we assess vendor business continuity plans?

At minimum, annually for all critical and high-risk vendors. Review the updated BCP documentation, latest test results, subcontractor changes, and incident history. For critical vendors, also conduct trigger-based reviews whenever there’s a material change — vendor disruption, merger/acquisition, infrastructure change, or a revision to your own BIA. The 2023 Interagency Guidance and FFIEC BCM booklet both expect ongoing monitoring, not just point-in-time assessment.

What should we do if a critical vendor refuses to share their BCP?

This is a significant red flag. Start by offering to review under NDA, or accept a SOC 2 Type II report as an alternative, provided the Availability trust services category is in scope: a SOC 2 report scoped only to Security says little about recovery capability, while the Availability criteria cover backup and recovery plan testing. If the vendor still refuses to provide any evidence of business continuity planning, escalate internally: document the gap, present the risk to senior management, and begin evaluating alternative providers. For truly critical services, a vendor’s refusal to demonstrate resilience capability should be a contract non-renewal trigger, not something you accept and hope for the best.

How do we handle fourth-party (subcontractor) business continuity risk?

Require your vendors to disclose their critical subcontractors and provide advance notification of material changes. Include contractual language requiring vendors to assess the BCPs of subservice organizations that support your services. For the highest-risk scenarios — where your vendor relies on a single subcontractor for your critical service — request the subcontractor’s BCP information directly or require your vendor to include subcontractor recovery in their own testing exercises. The FFIEC BCM booklet specifically addresses this chain of dependency and expects institutions to understand their full supply chain for critical services.

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
