
Operational resilience
A balanced approach to contractual risk management
Operational resilience has become a critical priority in the financial sector, particularly for the procurement of digital services and solutions. Recent market and IT disruptions have demonstrated how a service interruption, whether caused by technical failure, cyber-attack or supplier shortcomings, can significantly affect both a financial institution and the wider industry. Regulatory frameworks such as the EBA Guidelines on outsourcing arrangements, PRA SS2/21 Outsourcing and third party risk management, and the Digital Operational Resilience Act (DORA) have established comprehensive requirements for operational resilience. These principles are now increasingly being adopted across other regulated industries, reflecting a broader recognition that operational resilience is fundamental to business sustainability.
This article examines the key contractual considerations that organisations must address when engaging with suppliers, whilst recognising that effective operational resilience requires a collaborative approach that balances the interests of both parties. From our experience, successful operational resilience strategies recognise that suppliers and customers share common interests in maintaining service continuity and managing risks effectively.
Audit rights
Ensuring appropriate audit rights is essential for maintaining oversight of supplier operations and compliance. However, the implementation of these rights must be proportionate and practical. Contracts should therefore include:
- Structured audit frameworks that provide clear processes for conducting audits whilst minimising unnecessary disruption to supplier operations;
- Risk-based audit approaches that focus each party’s resources on the most critical areas; and
- Collaborative remediation processes that enable suppliers to address identified issues within reasonable timeframes and with appropriate support.
Suppliers generally understand the need for audit rights but require certainty around audit scope, frequency, and timing to manage their operational commitments effectively. They are willing to provide comprehensive access when audits are well-structured and focus on real risk management rather than compliance box-ticking.
Service levels
Effective operational resilience requires clear, measurable service levels that reflect both business requirements and operational realities. These should include:
- Tiered service levels that differentiate between critical and non-critical services, allowing for appropriate resource allocation and response prioritisation;
- Performance metrics that account for the dependencies on different service components; and
- Effective yet flexible remediation mechanisms that enable suppliers to address service level breaches through various means, including service credits, performance improvement plans, or alternative service delivery methods.
Both parties therefore benefit from a collaborative approach to service level design that reflects the full service environment, including dependencies on third-party infrastructure and on the customer's own systems.
Sub-contracting
Modern service delivery often involves complex supply chains that require careful management to maintain operational resilience. Effective sub-contracting frameworks should:
- Clearly define each party’s obligations and require sub-contractors to meet the same resilience standards as the supplier;
- Allow for proportionate oversight and reporting mechanisms that provide appropriate visibility into sub-contractor performance whilst recognising the supplier's primary responsibility for service delivery; and
- Address remedial actions if sub-contractors fail to meet these requirements.
From an operational point of view, suppliers require flexibility to manage their supply chains effectively, including the ability to change sub-contractors when necessary for commercial or operational reasons. Suppliers are generally willing to provide appropriate oversight and transparency regarding sub-contracting arrangements, provided that customers recognise that excessive sub-contracting requirements can limit operational flexibility and increase costs.
Business Continuity and Disaster Recovery (BCDR) planning
BCDR planning is the backbone of operational resilience and requires preparation for different disruption scenarios. Effective BCDR planning should encompass:
- Comprehensive risk assessment that identifies potential disruption scenarios and their likely impact on service delivery, considering both internal and external risk factors;
- Multi-layered recovery strategies that provide various options for service restoration, alternative service delivery methods, and manual workarounds where appropriate;
- Regular testing of BCDR plans using realistic disruption scenarios; and
- Ongoing improvements to BCDR plans using insights from tests and actual events.
BCDR success depends on collaboration between suppliers and customers, particularly where services involve customer data or system integrations. Suppliers provide BCDR information and testing support, but customers must engage meaningfully and accept that disaster recovery has practical limitations in complex technology settings.
Exit assistance
Well-planned exit strategies that cover both stressed and non-stressed exit scenarios protect against service disruption whilst recognising the commercial interests of all parties. Comprehensive exit provisions should include:
- Phased transition planning that allows for orderly service migration whilst maintaining operational continuity throughout the transition period;
- Comprehensive data and knowledge transfer that ensures the receiving party has access to all necessary information, documentation, and expertise required for service continuity; and
- Reasonable cost allocation between the parties.
Suppliers understand the importance of exit assistance but require provisions that are commercially reasonable and operationally feasible. This approach ensures that suppliers can provide meaningful exit assistance that benefits both parties.
Conclusion
By ensuring that contracts incorporate proportionate and meaningful audit rights, clearly defined service levels, robust BCDR planning, practical exit assistance and balanced sub-contracting oversight, organisations can build supplier relationships that enhance rather than compromise their operational resilience. This balanced approach recognises that operational resilience is not about eliminating all risks, but about managing risks intelligently whilst maintaining the flexibility and innovation that drive business success.
The future of operational resilience lies not in increasingly prescriptive contractual requirements, but in adaptive frameworks that can evolve with changing circumstances whilst maintaining focus on the fundamental objective: ensuring that critical business services remain available when they are needed most.
Looking ahead, several important regulatory developments are emerging that will significantly impact operational resilience frameworks. The UK's proposed critical third party regime will extend direct regulatory oversight to systemically important technology providers, creating new obligations for both financial firms and their critical suppliers. Additionally, the European Banking Authority's ongoing consultation on operational resilience guidelines will bring further standardisation across EU jurisdictions, which highlights the importance of flexible contractual arrangements that can adapt to changing regulatory requirements.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at September 2025. Specific advice should be sought for specific cases. For more information see our terms & conditions.