Exit Planning

What is Exit Planning?

Exit Planning is the discipline of ensuring that your organisation can exit a critical supplier relationship, in an orderly, controlled manner, when that relationship ends, fails, or needs to end. It covers both voluntary exits (a strategic decision to switch provider, insource a function, or restructure a service) and involuntary exits (supplier insolvency, regulatory intervention, a security incident that makes the relationship untenable).

A credible exit plan is not a contractual clause. It is a tested, maintained capability: documented exit routes, transition plans, identified alternative providers, data portability arrangements, and the operational steps to execute a transition without compromising service continuity.

Regulators no longer accept exit plans that exist only in contracts. They expect evidence that the plan is viable, tested, and maintained, and that you could execute it under adverse conditions.

The challenges

The rules have changed. So has the risk.

Firms considering exit planning only because of SS2/21 are solving the wrong problem. Regulatory compliance is the floor, not the ceiling. The real question is whether your organisation could withstand the loss of a critical supplier.

The gap between contractual exit provisions and genuine exit capability is one of the most consistent findings across third-party risk reviews.

  • Concentration without a plan: Critical functions are outsourced to single providers with no documented fallback. The organisation is aware of the concentration risk but has never translated it into a tested exit capability.

  • Contractual exit rights that are practically un-exercisable: Contracts contain exit clauses (notice periods, transition assistance obligations, data return provisions), but no assessment has been made of whether those provisions are executable within the timeframes specified, or under adverse conditions.

  • Data portability and lock-in: Data held by a supplier may not be in a transferable format. Proprietary platforms create de facto lock-in that makes exit prohibitively expensive or technically impractical, regardless of what the contract says.

  • No identified alternative: Exit plans that say ‘we would retender the service’ without a credible alternative provider analysis, market assessment, or transition timescale are not plans; they are aspirations.

  • Untested transition capability: Transition steps exist on paper but have never been rehearsed. Key personnel do not know their role in an exit. The operational steps required to stand up a new provider or insource a function have not been walked through.

  • Regulators are moving fast: From the UK's Operational Resilience rules to DORA, NIS2, and supply chain laws across Europe, the expectation is clear: you are accountable for your supply chain, from onboarding and ongoing management through to exit.

How to solve it

Most firms have an exit plan. Few have one that would survive the moment it's needed: untested assumptions, missing arrangements, contracts that don't compel supplier cooperation, and no realistic view of what execution would take.

Our Exit Planning services give you an honest, evidence-based view of where you stand, from the plan on paper to the readiness to execute it, and a clear path to something defensible.

We approach exit planning as an operational discipline, not a documentation exercise. Our work covers four stages:

  1. Scope - Exit capability assessment: We review your current exit plans (or establish their absence) across your critical and important supplier relationships. We assess contractual provisions, practical executability, data portability, identified alternatives, and transition timescales, producing a rated view of exit readiness for each material relationship.

  2. Build - Exit strategy development: For relationships where exit capability is inadequate, we develop exit strategies: documenting the exit triggers, the decision governance path, the operational steps, the responsible owners, the alternative provider landscape, and the transition timeline. Strategies are calibrated to the nature of the relationship: a managed IT services exit looks different from a data processing exit or a software platform migration.

  3. Validate - Contractual and commercial review: We work alongside your legal and commercial teams to identify where contract terms create practical barriers to exit (inadequate transition assistance obligations, data return provisions that do not reflect the actual data estate, or notice periods incompatible with realistic transition timescales) and advise on remediation at the next contract review.

  4. Transition - Exit rehearsal and maintenance: We design and facilitate exit rehearsal exercises (tabletop scenarios in which an involuntary exit is the trigger) to test whether your plan is executable under pressure. We also build maintenance cadences so exit plans are reviewed and updated as supplier relationships, technology estates, and regulatory requirements evolve.

The benefits of our services

Right-sized to the risk. Not the firm.

Not all firms are investment banks. Regulators expect assurance activity scaled to the nature and materiality of the arrangement, not a one-size-fits-all programme designed for a FTSE 20. We calibrate every engagement to what is expected from a firm your size.

  • Genuine exit capability, not paper compliance: An exit plan you can actually execute: tested, maintained, and calibrated to the real complexity of exiting each material relationship.

  • Regulatory evidence: Documented exit strategies, assessment outputs, and exercise logs meeting FCA, PRA, and DORA requirements for material outsourcing, ready for supervisory review.

  • Reduced lock-in and concentration risk: By making exit capability a standing operational requirement, you create commercial leverage with suppliers and reduce the long-term risk of being unable to leave a failing relationship.

  • Connected to your resilience programme: Exit planning outputs feed directly into operational resilience impact tolerances, business continuity plans, and supply chain maturity frameworks, not a standalone compliance artefact.

Explore services

Cyber, IT & Technology Due Diligence

Evaluating the technological infrastructure, cyber security posture, and potential risks of target companies to ensure informed investment decisions and secure integrations.

Operational Resilience

Operational Resilience services focus on enhancing organisational preparedness and adaptability to withstand disruptions, ensuring continuous operation of critical functions through robust planning, risk management, and response strategies.

Change Delivery Support

Facilitating the successful implementation of organisational changes through expert project management, stakeholder engagement, and process optimisation.
