What to Say in Tenders About IT & Systems Resilience

🧠 Blog 4 of 7 in our Cyber Resilience series for social care providers


💡 When commissioners ask about business continuity or IT resilience, they’re not simply checking whether you have gone digital. They are assessing whether your service can withstand disruption, protect sensitive data, and continue delivering safe care under pressure.

This is where robust cyber security and resilience planning must sit alongside your digital care planning systems. Writing “We use Birdie” or “We use a secure system” is not evidence. Commissioners want structured assurance, practical safeguards, and proof of tested continuity.

This links closely to wider work on technology, data and digital care systems in social care.


🎯 Why IT & Systems Resilience Scores Matter

Questions about IT resilience typically sit within:

  • Business continuity sections
  • Information governance questions
  • Data protection compliance
  • Service safety and risk management
  • Digital maturity assessments

Weak answers suggest passive reliance on suppliers. Strong answers demonstrate active governance, leadership oversight, and operational preparedness.


🧩 1. System Security — Go Beyond Naming the Platform

It is appropriate to name your system (e.g. Birdie, Nourish, CarePlanner). However, evaluators expect more than branding.

Strengthen your answer by describing:

  • Data encryption (in transit and at rest)
  • Role-based access controls
  • User authentication (multi-factor authentication where enabled)
  • Device security requirements
  • Supplier compliance certifications (e.g. ISO/IEC 27001)
  • Data hosting location and GDPR alignment

This shifts your narrative from “we use a system” to “we understand and govern our system.”


📋 2. Staff Awareness and Safe Practice

Technology alone does not prevent breaches. Your answer should demonstrate behavioural controls and cultural awareness.

  • Mandatory cyber awareness training at induction
  • Annual refresher training and recorded compliance rates
  • Phishing awareness and reporting protocols
  • Password management standards
  • Clear internal escalation pathways for suspected incidents

Commissioners want assurance that staff understand risk — not just that systems exist.


💾 3. Data Backups and Recovery Capability

This is one of the most critical scoring areas.

Your response should confirm:

  • Frequency of automated backups
  • Secure off-site or cloud-based storage arrangements
  • Encryption of backup files
  • Defined recovery time objectives (RTO)
  • Evidence of periodic recovery testing

Link backups directly to safe care continuity — for example, ensuring medication records, risk assessments, and rota information remain recoverable.


📝 4. Manual Protocols and Continuity Testing

Even the strongest digital systems can fail. Commissioners expect a fallback plan that protects people immediately.

This may include:

  • Paper MAR charts stored securely
  • Printed contingency contact lists
  • Manual rota coordination processes
  • Temporary paper care note recording
  • Incident communication plans

Crucially, confirm that these processes have been tested through tabletop exercises or simulated outages. Untested plans weaken credibility.


🤝 5. Shared Responsibility with Your Supplier

Even when a supplier hosts your digital platform, your organisation retains responsibility for governance and continuity.

Demonstrate oversight by explaining:

  • How supplier performance and uptime are monitored
  • How outages are escalated internally
  • How communication with families and commissioners is managed during incidents
  • How data remains accessible in emergencies
  • How contractual arrangements define controller/processor responsibilities

This reassures evaluators that you are not passively dependent on external infrastructure.


📊 6. Governance and Board-Level Oversight

High-scoring answers demonstrate leadership engagement.

  • Cyber risk included on the organisational risk register
  • Regular board or senior management review
  • Incident trend monitoring
  • Audit findings and improvement actions
  • Cyber insurance review (where applicable)

Linking IT resilience to governance strengthens your Regulation 17 (Good Governance) narrative.


📣 Pro Tip: Use a Real Example

Where possible, include a brief anonymised example:

“During a temporary internet outage in 2025, we activated our manual continuity plan. Paper MAR charts were implemented within 30 minutes, families were notified proactively, and a post-incident review led to enhanced mobile hotspot backups.”

This shows lived experience, learning culture, and proactive improvement — all of which strengthen tender scoring.


🧾 Avoid Common Weaknesses

  • Over-reliance on supplier assurances
  • Generic GDPR statements without process detail
  • No reference to testing or audits
  • Failure to link IT resilience to care continuity
  • No evidence of leadership oversight

Precision and specificity distinguish average answers from excellent ones.
