Business Continuity Planning for Vendor Outages
- Daniela Parker
- Jan 20, 2025
Updated: Jan 31
One of the most valuable lessons I've learned in my career is to "never let a good crisis go to waste." In my operational risk management days, it was all about putting out fires. Expanding into business continuity planning offered a crucial perspective that I find is often still missing: continuous improvement.
How can we extract valuable lessons from incidents, big or small, even when they happen to someone else? That's where the real magic happens – proactive planning instead of reactive scrambling. And it drives home the point that "this can actually happen to us."
The “It’s Not Our Fault” Problem (And Why Customers Don’t Care)
Take the recent Capital One outage. It seems a power failure at a data center belonging to their third-party vendor, FIS Global, disrupted deposit and payment services for days. While the root cause is still unclear, that's not my focus today. Seeing any organization struggle with this kind of disruption isn't pleasant, but I believe in using these situations to evaluate our own capabilities and identify areas for improvement.
What This Kind of Outage Teaches Us
Third Party Risk Management Needs to Go Beyond Due Diligence
Many organizations do vendor onboarding “correctly” on paper. They collect documentation, review controls, and check the right boxes.
But here’s the uncomfortable truth: collecting documents does not stop an outage. And it does not guarantee your organization is ready to respond when a critical service provider goes down.
Strong third party risk management includes:
Knowing which vendors support your critical processes (including fourth, fifth, and “nth” parties)
Mapping dependencies so you’re not guessing during an incident
Defining notification expectations (how, when, and who gets alerted)
Planning for degraded operations, not just full recovery
Business Continuity Planning Lives or Dies on Communication
In a disruption, communication becomes part of the service. If customers can’t access money, process payments, or use critical systems, silence feels like neglect.
Effective business continuity planning should include a crisis communications approach that is:
Proactive: set expectations early, even if details are limited
Transparent: say what you know, what you don’t, and when you’ll update again
Consistent: customers shouldn’t have to hunt across channels for basic information
Timed: commit to an update cadence (and stick to it)
Ask yourself honestly: if your customers were impacted, would they accept one update per day? Would your leadership team?
Empower Your Frontline
When systems fail, your frontline absorbs the impact in real time. If call center, branch, support, or customer success teams aren’t equipped with clear guidance, two things happen fast:
customers get conflicting answers
trust erodes
Your business continuity planning should ensure frontline teams have:
A simple “what we know / what we’re doing / what customers can do now” script
Clear escalation paths
Access to the latest approved updates
Authority to solve common problems without endless approvals
This is where planning becomes customer experience.
On a side note: there were about 12k comments on Facebook, which is not a lot considering the more than 100 million customers Capital One has. Keep in mind that the focus isn’t so much on Capital One, but on how you and your organization would respond to this situation and what your tolerance is when it comes to member or customer impact.
A Practical Call to Action: Run a 30-Minute Case Study Meeting This Week
Don't just observe this incident from afar. Schedule a 30-minute meeting with stakeholders in your organization this week and treat the incident as a case study for your own third party risk management and business continuity planning.
Operational impact: How would our team be impacted if a key service provider experienced an outage?
Customer tolerance: Are our customers/members prepared to hear from us only once a day while they're waiting for their paychecks to post or payments to process?
Frontline readiness: Is our frontline ready to answer questions confidently and provide support without guessing?
Dependency clarity: Do we truly understand our dependencies on third parties?
Notification expectations: Would we be notified promptly in the event of an incident, and do we know who receives that alert?
Workarounds: What else should we consider here? What manual processes or alternate paths could we use during downtime?
I've included a 30 Minute Communication Tune Up below to help you facilitate this conversation with a focus on communication, and to capture opportunities for improvement. Don’t let this crisis go to waste!
Want Help Turning This Into an Actual Plan?
If you want support strengthening third party risk management and building a practical, usable business continuity planning program, this is exactly the type of support covered in our operational risk management services.
Daniela

PS: Brian, Glen, and I did an episode on this last year, and I’ve included a link below.


