Third-Party Exercising & Scenario Testing

What is Third-Party Exercising & Scenario Testing?

Most organisations exercise their crisis and resilience plans with scenarios that originate inside their own walls: a cyber attack on internal infrastructure, a data centre outage, a key system failure. But a large share of real operational disruption originates outside them: a critical supplier goes down, a managed service provider is compromised, a cloud platform suffers an extended outage.

Third-Party Exercising designs and runs scenarios in which the failure, compromise, or exit of a key supplier is the trigger, testing whether your detection, response, escalation, and recovery capabilities hold when the disruption comes from outside.

Your incident response plan is only as strong as its least-tested dependency. If you have never exercised a supplier failure, you have not exercised your real risk.


The challenges

Third-party scenarios expose weaknesses that internal exercising systematically misses.

  • Internal-only exercise design: Scenario libraries are built around internal failure modes. Third-party failures, among the most common sources of disruption, are rarely designed in as primary triggers.

  • Assumed availability: Continuity plans assume key suppliers will be available to support recovery. Few plans account for the scenario where the supplier itself is the casualty and therefore unavailable to assist.

  • No tested communications or escalation path: When a critical supplier fails, do your teams know who to call, what contractual rights you have, and how to invoke incident escalation with that supplier? These paths are rarely exercised until they are needed.

  • Regulators are moving fast: From the UK's Operational Resilience rules to DORA, NIS2, and supply chain laws across Europe, the expectation is clear: you are accountable for your supply chain throughout the relationship, from onboarding, through ongoing management, to exit.

How to solve it

We design and facilitate third-party scenario exercises across three formats, scaled to your maturity, regulatory obligations, and the criticality of the supplier being tested.

  • Tabletop exercises: Structured, facilitated sessions in which a key supplier failure is the scenario trigger. Participants work through detection, decision-making, escalation, contractual invocation, and recovery, identifying gaps in plans, roles, and communication paths without operational impact. We design scenario narratives that are realistic and sector-relevant: a managed SOC provider suffering a ransomware attack; a payments processor experiencing extended downtime; a cloud platform withdrawing a critical service.

  • Functional exercises: Higher-intensity exercises that test actual processes and systems in response to a simulated third-party failure. Teams execute real steps-invoking supplier SLAs, standing up contingency arrangements, communicating with customers-within a controlled exercise environment. We design the inject sequence, facilitate, observe, and debrief.

  • Adversarial scenarios: For organisations with higher maturity, we design adversarial scenarios in which a supplier relationship is the attack vector: a compromised third-party credential used to access your systems, a malicious update pushed through a managed software provider, a social engineering attack routed via your outsourced service desk. These scenarios test detection and response capability where the threat originates externally and arrives through a trusted channel, so that activity which would look suspicious from an unknown source may initially appear legitimate.

  • Post-exercise reporting: Every exercise produces a structured debrief report: findings ranked by severity, specific plan gaps identified, recommended remediation, and an exercise log suitable for regulatory review. Reports are written to be presentable to your board, your risk committee, and your regulator.

The benefits of our services

  • Find the gaps before regulators or events do: Exercises surface plan weaknesses, role ambiguities, and untested escalation paths in a controlled environment, not during a live incident.

  • Regulatory-grade exercise logs: Every exercise produces documentation suitable for review by the FCA or PRA, or under DORA, evidencing that important business services have been tested against third-party scenarios.

  • Realistic, sector-relevant scenarios: We design scenarios based on what actually happens in your sector, not generic templates, so findings are directly applicable to your risk profile.

  • Integrated with your wider resilience programme: Exercise findings feed directly into plan updates, supplier contract reviews, and concentration risk remediation-closing the loop with your operational resilience framework.

Explore services

  • Cyber, IT & Technology Due Diligence: Evaluating the technological infrastructure, cyber security posture, and potential risks of target companies to ensure informed investment decisions and secure integrations.

  • Operational Resilience: Services focused on enhancing organisational preparedness and adaptability to withstand disruptions, ensuring continuous operation of critical functions through robust planning, risk management, and response strategies.

  • Change Delivery Support: Facilitating the successful implementation of organisational changes through expert project management, stakeholder engagement, and process optimisation.

Get in touch and find out more about how we can help

Our friendly, knowledgeable and approachable staff are available to offer support and advice on your cyber, tech, data, change and operations needs.