Insolvency of supplier(s) of critical services to the public sector

[Figure: Impact & Likelihood matrix. Vertical axis: Impact (1 to 5). Horizontal axis: Likelihood (1 to 5). The plot shows the risk indicator with upper and lower error bars for impact and likelihood.]

Impact key: 5 Catastrophic; 4 Significant; 3 Moderate; 2 Limited; 1 Minor

Likelihood key: 5 >25%; 4 5-25%; 3 1-5%; 2 0.2-1%; 1 <0.2%

Background

There is a risk that a major supplier of critical services to the public sector could suffer insolvency. The types of critical service impacted may vary, and include (but are not limited to) IT services, banking facilities or medical sterilisation services. Any insolvency of a critical supplier could also lead to the disruption of essential public sector services. A number of risk management activities mitigate the risk of insolvency or its impacts, including ongoing commercial capability building across government and the requirement for corporate resolution plans for suppliers of the most critical contracts across government.

Scenario

The reasonable worst-case scenario of this risk is based on the insolvency of a supplier of critical IT services supporting operational systems or back office processes integral to critical national services across the country, such as emergency services communication systems, court services and customs/immigration services and systems. There is potential for significant impact upon critical service operational delivery, such as emergency services being unable to operate effectively, or a shutdown or slowdown of immigration systems resulting in a reduction of UK border capacity. Ongoing projects are likely to incur delays and increased costs. Strategic and political consequences are likely, such as job losses and reputational impacts for the government. The impact is dependent on the nature, size and geography of the service and supplier.

Key assumptions

This scenario assumes that reasonable recovery measures are in place at customers, including government departments, but that these are not sufficient to entirely mitigate the risks associated with loss of service.

Variations

Insolvencies may create secondary risks to critical national infrastructure (CNI) targets, such as cyber attacks. These may require more specialised capability and intervention to manage the risk.

Response capability requirements

Continued training on the Sourcing Playbook, the government guidance on making insourcing and outsourcing decisions, and delivering public services in partnership with the private and third sectors. This should be complemented by building commercial, financial and operational capability across government, bolstering effective contract and supplier management. Specialist capability is required to manage distress and contingency plans, such as back-up operations. Central capability in corporate finance (restructuring, insolvency, etc.) and in the planning and provision of digital services and data would be required to manage the wide-ranging risks across the government portfolio. Risk mitigations, such as government intervention, should be enabled through controlled and evidenced assessment procedures and relevant legislation.

Recovery

With reasonable recovery plans in place, recovery of systems could be instantaneous or take as long as weeks, depending on the type of services and the supplier’s role. Recovery of services could be hampered by backlogs as a result of outages and further work generated by the adoption of short-term manual processes.