Third-party software applications can be critical to the day-to-day operations of your business. But with lots of software vendors and solutions available to choose from, how do you ensure the solution supports your business needs without creating a weakness in your operational resilience?
When scoping out a new solution, it's essential to consider the potential challenges and risks associated with third-party suppliers. To mitigate these risks, we recommend incorporating the following steps into your procurement process:
When evaluating potential software solutions, it's important to consider factors such as onboarding deadlines and the potential impacts of delays, the resources required to implement the software, and maintenance and additional license costs.
You should also consider whether cloud-based or on-premise software is the best fit for your organisation. Each option has its benefits and drawbacks, and it's important to weigh these factors against your organisation's specific needs. We delve deeper into the pros and cons of each option in our guide.
When procuring a new solution, it's important to plan for the unexpected. To evaluate candidate solutions effectively, you should consider the following:
Would your business function effectively if the application suddenly became unavailable? What would happen if the software supplier was involved in a legal dispute or went out of business?
Consider the impacts on your business. According to research by Deloitte, third-party failures can cost companies as much as £783 million per incident. It's also important to assess whether your team has the necessary skills to rebuild the solution internally if required.
Third-party risk management obligations may also apply, for example under regulations such as PRA SS2/21 or the Digital Operational Resilience Act (DORA).
If something unexpected happened to your third-party software supplier, do you have a plan in place to avoid disruption that meets the regulators’ requirements?
In the case of cloud-based applications, it's important to note that cloud service providers (CSPs) aren't responsible for your application or the data you store with them. As the end user, you're responsible for backing up and restoring the data you keep in their services.
Without the in-house expertise to rebuild or support an application, businesses can be left without access to critical software for prolonged periods of time in the event of vendor failure. A business continuity plan mitigates this risk and details who’s responsible for providing continued access to your application.
As part of your business continuity plan, implement a Software Escrow Agreement.
A Software Escrow Agreement is a simple, effective tri-party arrangement with mutually agreed terms between you, the software supplier, and an independent escrow service provider, such as Escode. Under the agreement, the supplier periodically deposits a copy of the software source code and associated materials for secure storage. If a release is triggered under the agreement's terms, you can use the escrow deposit to maintain the software, working from the source code in-house or with another supplier.
From selecting a supplier to onboarding your new application, our guide provides best practice advice for assessing and managing the risks associated with third-party software vendors at each stage of the software procurement process.
What's inside: