We believe the key to achieving enterprise resilience and Critical Third Party risk management, is understanding your application landscape in terms of inter dependencies, SaaS landscape and mapping their criticality level for the business.
When the most Important Business Services are understood, and Severe but Plausible Impacts documented, the required timeframes for important business services resilience & recovery can be decided on.
Its not IF a cyber incident will hit you its when (unfortunately). From our experience the only way to reduce cyber incident Recovery Time (and to stay within agreed Impact Tolerances) is to test / exercise with plausible scenarios.