ICT third-party management
DORA exit plan: from supplier dependency to operational resilience
How to assess exit risk, measure substitutability and demonstrate a credible transition plan to the supervisor — an operational cheat sheet.

An exit plan does not merely show you can leave a provider. It shows the organisation can keep operating if the provider disappears.
That is what supervisors challenge — far more than a generic contractual paragraph.

The supervisor’s three questions
- How dependent are we on this provider?
- Can we replace them?
- How long can we survive without them?
What you are really measuring
Exit risk is not contract termination. It is the inability to continue activities if the provider becomes unavailable.
Probability × Impact × Substitutability
Substitutability — the central concept
Assess four dimensions: technical, operational, contractual, market. High exit risk usually means low substitutability and high dependency.
Preparation levels
| Exit risk | Expected preparation |
|---|---|
| Low | Initial — strategy, target option, rough cost/time |
| Moderate | Advanced — documented transition plan, governance, milestones |
| High | Demonstrated — tests run, results documented, plan kept current |
Classic trap: naming an alternative without proving migration is feasible in acceptable time.
Five elements of a credible transition plan
Governance · mobilisable resources · migration plan · critical dependencies · success criteria.
Unplanned exit
Supervisors care most about sudden loss of access: bankruptcy, major cyberattack, regulatory suspension, critical subcontractor failure. Does the plan still work with no notice?
Golden rule
An exit plan does not prove you can leave a provider. It proves you can keep operating despite their disappearance.
See also: TPRM lifecycle · Article 30 clauses.
Axenia’s role. Axenia links critical third parties, contracts, functions and exit plans on one foundation — so substitutability and readiness are demonstrable, not asserted.
