3.7. Exit strategies
Financial institutions may consider identifying, documenting and, to the extent possible, testing exit strategies for their third-party service relationships involving critical services. Exit strategies can cover a range of scenarios, including normal and planned migrations of services and service providers but also adverse events, such as:
- A significant breach, or recurrent breaches, of applicable laws, regulations or contractual terms by a third-party service provider;
- A deterioration in the quality of the services provided by a third-party service provider;
- Weaknesses in the third-party service provider's governance, financial condition, resilience or risk management that have impacted or could reasonably impact the delivery of critical services; and
- Extended disruption to critical services that cannot be managed through other business continuity measures - though exit strategies are unlikely to be a feasible response to short-term severe disruption, which might be best managed through the business continuity tools in the previous section.
Financial institutions may appropriately plan, execute and oversee an exit from a critical service relationship by ensuring that there are appropriate:
- Contractually agreed transitional periods to minimise the risk of disruption;
- Processes to ensure that, where applicable, the financial institutions' logical assets (e.g. data and applications) and physical assets are returned in a cost-effective and timely manner, and in a format that allows them to continue their business operations; and