Skip to content
When the Lights Go Out: Vendor Continuity and Resilience
Third-Party Risk Management

When the Lights Go Out: Vendor Continuity and Resilience

William C Hord
William C HordChief Strategy Officer - ERM Pilot

ERM Pilot | Third-Party Risk Management Series, Part 3 of 3 by William Hord - Chief Strategy Officer


Business continuity planning at most financial institutions addresses internal failures reasonably well. There are plans for branch closures, data center outages, and staff unavailability. What many programs address inadequately — and what regulators are increasingly scrutinizing — is what happens when the failure originates with a vendor, not within the institution itself.

The OCC's Spring 2025 Semiannual Risk Perspective notes that "recent disruptions highlight the importance of operational resilience" — and in multiple recent cases, those disruptions traced directly to vendor failures, not institutional ones.

The Scope of the Problem

The FFIEC's Business Continuity Management Booklet (2019) made a significant conceptual shift: it moved from "business continuity planning" to "business continuity management" — a broader framing that explicitly incorporates third-party dependencies into the resilience equation. Under the BCM framework, an institution's resilience is only as strong as the resilience of its critical vendors, because operational continuity depends on services those vendors provide.

The NCUA's 2026 Supervisory Priorities specifically flag payment systems vendors as a focus area, noting that the complexity of payment networks "introduces the potential for added operational and security risk exposures." Credit unions that rely on third-party payment processors need to understand what happens to their payment operations if that processor experiences a significant outage — and their business continuity plans need to reflect that analysis.

What Examiner Expectations Look Like

The 2023 Joint Interagency Guidance on Third-Party Relationships requires that vendor contracts include provisions addressing business continuity and disaster recovery. Specifically, institutions should negotiate:

— Recovery time objectives and recovery point objectives that are consistent with the institution's own RTOs and RPOs for the functions the vendor supports — Notification requirements: if the vendor experiences a significant incident, how quickly must they notify the institution, and through what channel? — Right to review: institutions should be able to review vendor BCP/DR plans — not just be assured they exist — Redundancy and contingency: what alternative arrangements does the vendor have if their primary systems fail?

Examiners will ask for evidence that these provisions exist in contracts, that the institution has reviewed vendor BCP documentation, and that the institution has tested its own response to vendor failures — not just internal failures.

Testing Vendor Failure Scenarios

The Federal Reserve, OCC, and FDIC have all encouraged what the FDIC describes as "sound practices" for operational resilience — including adversarial scenarios that go beyond traditional IT recovery tests. Tabletop exercises that simulate a critical vendor failure are a direct application of this guidance.

A vendor failure tabletop should test: How does the institution learn about the vendor outage? Who is the escalation chain internally? What is the decision protocol for activating contingency arrangements? What communication goes to members or customers, and who approves it? How long can the institution operate using backup processes before the vendor failure becomes unmanageable?

CISA's resilience frameworks provide additional structure for these exercises, with particular attention to the detection-to-response timeline and the coordination across internal and external stakeholders that real incidents require.

Redundancy as a Structural Solution

For the most critical vendor dependencies, redundancy is the ultimate mitigation. Dual-sourcing a critical service — maintaining two vendors capable of providing it — is expensive and operationally complex. But for vendors whose failure would prevent the institution from processing payments, accessing core banking data, or meeting member needs, the cost of redundancy may be lower than the cost of an extended outage.

Institutions that cannot justify full redundancy should at minimum negotiate contractual RTOs that are realistic, test those RTOs through tabletop and simulation exercises, and document their contingency operating procedures for the period between a vendor failure and vendor recovery.

Connecting Vendor Continuity to BCP

The FFIEC's BCM Booklet is explicit: vendor dependencies should be incorporated into Business Impact Analyses. When an institution identifies critical business processes, it should trace the vendor dependencies that support each process — and those vendor dependencies should appear in the corresponding recovery plans.

This is the integration point between TPRM and BCM. Institutions that treat them as separate programs often find gaps at exactly this junction: the BCP assumes vendor availability that the TPRM program knows is not guaranteed.


ERM Pilot's Navigator links vendor risk directly to business continuity planning — so your BCPs reflect your actual vendor dependencies. Start a free trial at ermpilot.com.

Article References —

1. Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, and Board of Governors of the Federal Reserve System. Interagency Guidance on Third-Party Relationships: Risk Management. OCC Bulletin 2023-17; FDIC FIL-29-2023; Federal Reserve SR 23-4. June 6, 2023. Available at: https://www.occ.gov/news-issuances/bulletins/2023/bulletin-2023-17.html

2. Federal Financial Institutions Examination Council. Business Continuity Management. IT Examination Handbook. Washington, D.C.: FFIEC, November 2019. Available at: https://ithandbook.ffiec.gov/it-booklets/business-continuity-management

3. Federal Financial Institutions Examination Council. 'Financial Regulators Revise Business Continuity Management Booklet to Stress to Examiners the Value of Resilience to Avoid Disruptions to Operations.' Press Release, November 14, 2019. Available at: https://www.ffiec.gov/news/press-releases/2019/pr-11-14

4. Office of the Comptroller of the Currency. Semiannual Risk Perspective, Spring 2025. Washington, D.C.: OCC. Available at: https://www.occ.gov/publications-and-resources/publications/semiannual-risk-perspective/files/pub-semiannual-risk-perspective-spring-2025.pdf

5. National Credit Union Administration. NCUA's 2026 Supervisory Priorities. Letter to Credit Unions, January 14, 2026. Available at: https://ncua.gov/regulation-supervision/letters-credit-unions-other-guidance/ncuas-2026-supervisory-priorities


Ready to transform your risk management?

Discover how ERM Pilot can streamline your compliance, automate workflows, and provide real-time insights for your organization.

Stay Updated on ERM Pilot

Join our newsletter to receive the latest news, feature updates, and expert insights on all things risk related.

We respect your privacy. Unsubscribe at any time.