Report reveals gaps in supplier management for SaaS firms

A recent global report has identified significant gaps in supplier management practices amongst financial institutions, particularly concerning Software as a Service (SaaS) solutions.

The "Supplier Stability in Operational Resilience Report" indicates that over 32% of organisations surveyed are uncertain about who holds the responsibility for mitigating risks such as supplier failure, service deterioration, and concentration risk. This uncertainty places these organisations at increased risk, particularly in light of recent high-profile IT collapses that have highlighted vulnerabilities within the system.

The research was commissioned by Escode, a company focusing on software escrow solutions, and conducted by CefPro. Respondents expressed concerns about poorly defined responsibilities regarding supplier management, potentially leading to inconsistencies across different jurisdictions and organisations.

While a majority of 70.1% of respondents reported addressing risks through standard supplier management processes, only 14.3% have established more robust procedures including third-party escrow agreements. This finding is particularly concerning against the backdrop of tightening regulations for both financial and technology institutions in managing third-party supplier risks.

The European Union's Digital Operational Resilience Act (DORA) serves as an example of rigorous regulatory measures, requiring stressed exit plans in all ICT third-party license agreements to prevent supplier failures. Additionally, organisations are gearing up for the simultaneous challenge of complying with the Bank of England's SS221 regulation, effective from March 2025.

Wayne Scott, Regulatory Compliance Solutions Lead at Escode, commented: "The findings of the Supplier Stability in Operational Resilience Report illuminate a key issue affecting both the tech and financial sectors, where greater clarity and collaboration are essential. Tech companies cannot afford to be blindsided by their customers' regulatory changes, which can leave them unprepared for compliance demands."

He further stated, "With only three months remaining until DORA's implementation, the time for companies to act is now. Both tech and financial organisations must evaluate the new legislation's implications for their business and supplier relationships. Establishing a consensus among leaders on regulatory responsibilities and organisational actions is crucial to implementing best practices for supplier risk management, thereby safeguarding against significant disruptions."

Andreas Simou, Managing Director at CeFPro, highlighted: "The risk of supplier failure for financial institutions is considerable. Recent incidents, such as the inability of 500,000 members of Australian superannuation fund UniSuper to access their accounts due to a Google Cloud misconfiguration, highlight the severe impacts of supply chain failures. With half of our respondents lacking confidence in meeting regulatory compliance demands around third-party risk management, the need for collaborative action is clear."

The report's findings are based on a survey of 107 financial institutions across the UK, North America, and Europe, enriched with expert interviews on the subject of operational resilience in supplier relationships.