09 Jul 2025
by Wayne Scott

Resilience by Design: Building Supply Chain Risk Management From Day One.

Can technology help manage supply chain risk? Yes. Can technology eliminate all supply chain risk? Absolutely not: there is a set of third-party risks in the supply chain that no technology can prevent, and it is crucial that organisations identify and manage them. Not just to satisfy regulators, either: as supply chain complexity and interconnectivity have increased, regulators have responded by adding compliance requirements under which organisations must show they have these risks under control.

We’ve seen it happen: a niche vendor goes under, a critical service degrades until it is no longer fit for purpose, or a key software supplier gets acquired and its priorities shift. Suddenly you’re exposed. Failures like these can damage an organisation’s ability to operate, its compliance status and, permanently, its reputation. Nor do the effects stop there: ripples of disruption travel through the supply chain, affecting your company, your customers and potentially your market too.

The regulations: 3 core supply chain risks 

Across every regulated industry, from finance to healthcare to critical infrastructure, there are three core categories of third-party risk that are named in regulations but often missed:

  1. Supplier Failure – The software vendor goes bust, gets acquired, or simply walks away.

  2. Service Deterioration – The product stagnates, support dries up, or SLAs are quietly downgraded.

  3. Concentration Risk – You’re too dependent on one supplier, one platform, or one region.

These are non-cybersecurity risks that come with the use of technology: things that can happen at any time, that many people will experience in their career, but few prepare for. Look at frameworks like DORA (the EU’s Digital Operational Resilience Act), which has applied since January 2025, the US Interagency Guidance on Third-Party Relationships: Risk Management, and the PRA’s SS2/21, and you’ll see that all of them demand robust third-party risk management.

Resilience by design 

Managing supply chain risk means going back to basics: preventive, detective and corrective controls. And it should start at the beginning, during procurement; in other words, resilience built in from the start. It means assuming failure by default and planning for the worst case, not because you’re pessimistic but because you’re prepared.

To that end, many of the regulations require stressed exit plans. A stressed exit is the termination of a contract because the service provider has failed or become insolvent; unlike a non-stressed exit, which is driven by commercial or strategic reasons, it arrives largely unforeseen. Stressed exit strategies are integral to a comprehensive third-party risk management strategy: they keep critical services running and limit the disruption to the institution, its clients and the wider financial market.

There are different approaches you can take here, but one that meets all of these requirements is software escrow and verification.

How it works:  

  1. Establishing a Legal Right – First you need a legal right to access essential information about your critical third-party software applications. Through comprehensive contract options, institutions can ensure access to critical data and functionality even if the supplier fails. A Software Escrow Agreement is the means of establishing that right: source code, data and documentation are deposited with an independent escrow agent, and the agreement enables their release if the original software provider is no longer available.

  2. Knowledge Transfer – Software escrow services offer more than access. With the source code and documentation in hand, financial institutions can learn how the software works and acquire the knowledge needed to manage critical applications independently. That transfer of knowledge reduces dependency on the vendor and lets institutions adapt quickly when circumstances change.

  3. Scenario Testing – Test your contingency plans against adverse situations. Many regulations require entities to establish and regularly test comprehensive business continuity plans covering supplier insolvency and failure. Escrow and verification services provide the platform for those tests: an institution can simulate a supplier’s insolvency, attempt to recover from the escrow deposit, identify the gaps (a deposit that is incomplete, out of date, or does not build) and refine the plan. Done regularly, this keeps critical operations running and gives regulators evidence that a failed service can be brought in-house or handed to a third party to rebuild.
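What a scenario test actually checks in the escrow deposit is easier to see in code. The following is an added example, not Escode’s tooling or anything from the original article: a hypothetical deposit-verification routine that answers the three questions a stressed-exit rehearsal asks (is every deposited file present and unmodified, are the artifacts needed to rebuild present, and does a build from the deposit reproduce the binary in production). The deposit, manifest, required-file list and `toy_build` stand-in for a real build are all constructed here for illustration.

```python
"""Escrow deposit verification check (added example; the deposit layout,
manifest format and toy build are assumptions, not a real escrow service API)."""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class DepositReport:
    """Findings from one verification run; ok only when nothing is wrong and the build matches."""
    missing: List[str] = field(default_factory=list)           # in manifest, absent from deposit
    tampered: List[str] = field(default_factory=list)          # present, digest differs from manifest
    undeclared: List[str] = field(default_factory=list)        # in deposit, not in manifest
    missing_required: List[str] = field(default_factory=list)  # needed to rebuild, absent
    build_matches: Optional[bool] = None                       # None if no build was attempted

    @property
    def ok(self) -> bool:
        return (not self.missing and not self.tampered and not self.undeclared
                and not self.missing_required and self.build_matches is True)


def verify_deposit(deposit: Dict[str, bytes], manifest: Dict[str, str], required: List[str],
                   build: Callable[[Dict[str, bytes]], bytes], production_digest: str) -> DepositReport:
    """Compare a deposit (path -> bytes) against its manifest (path -> sha256 hex),
    a list of paths required to rebuild, and the digest of the production artifact."""
    report = DepositReport()
    for path, expected in manifest.items():
        if path not in deposit:
            report.missing.append(path)
        elif sha256_hex(deposit[path]) != expected:
            report.tampered.append(path)
    report.undeclared = sorted(p for p in deposit if p not in manifest)
    report.missing_required = [p for p in required if p not in deposit]
    # Only rebuild from an intact deposit: a build from a broken deposit proves nothing.
    if not (report.missing or report.tampered or report.missing_required):
        report.build_matches = sha256_hex(build(deposit)) == production_digest
    return report


def toy_build(deposit: Dict[str, bytes]) -> bytes:
    """Stand-in for a real (ideally reproducible) build: concatenates source files in order."""
    return b"".join(deposit[p] for p in sorted(deposit) if p.startswith("src/"))


def make_manifest(deposit: Dict[str, bytes]) -> Dict[str, str]:
    return {p: sha256_hex(b) for p, b in deposit.items()}


# Constructed sample deposit; not real vendor material.
SAMPLE_DEPOSIT = {
    "src/main.c": b"int main(void){return 0;}\n",
    "src/util.c": b"int add(int a,int b){return a+b;}\n",
    "build.sh": b"cc -o app src/*.c\n",
    "docs/BUILD.md": b"Run build.sh with a C11 compiler.\n",
}
REQUIRED = ["src/main.c", "build.sh", "docs/BUILD.md"]
MANIFEST = make_manifest(SAMPLE_DEPOSIT)
# Digest of the artifact running in production; here derived from the good deposit.
PRODUCTION_DIGEST = sha256_hex(toy_build(SAMPLE_DEPOSIT))


def run_scenarios():
    """Three rehearsals: a good deposit, a stale one, and an incomplete one."""
    good = verify_deposit(SAMPLE_DEPOSIT, MANIFEST, REQUIRED, toy_build, PRODUCTION_DIGEST)

    # Stale: the vendor deposited a different revision. Internally consistent
    # (manifest matches), but it does not rebuild what is in production.
    stale = dict(SAMPLE_DEPOSIT)
    stale["src/util.c"] = b"int add(int a,int b){return a-b;}\n"
    stale_report = verify_deposit(stale, make_manifest(stale), REQUIRED, toy_build, PRODUCTION_DIGEST)

    # Incomplete: the build script was never deposited, so no rebuild is even attempted.
    incomplete = {p: b for p, b in SAMPLE_DEPOSIT.items() if p != "build.sh"}
    incomplete_report = verify_deposit(incomplete, MANIFEST, REQUIRED, toy_build, PRODUCTION_DIGEST)
    return good, stale_report, incomplete_report


if __name__ == "__main__":
    for name, r in zip(("good", "stale", "incomplete"), run_scenarios()):
        print(name, "PASS" if r.ok else "FAIL", r)
```

The stale case is the one that a manifest check alone would miss: every digest matches, yet the deposit is not the code that is running, which is exactly the finding a scenario test exists to surface before a real stressed exit.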

Software escrow services are more than a checkbox for compliance; they’re strategic assets for operational resilience and managing supply-chain risk – a layer of control, built in. They give you the confidence that, should the worst happen, you’ve got what you need to recover.


Authors

Wayne Scott

GCL Solutions Lead, Escode

Wayne Scott brings a wealth of experience and expertise to his role as Global Regulatory Compliance Solutions Lead at Escode, part of NCC Group. Over the past three decades, he has managed NCC Group’s relationships with global financial services regulators and gained extensive experience in software escrow, cyber security, and big data. In this role, Wayne co-writes NCC Group’s consultation paper responses relating to third-party risk management, supply chain risk, and operational resilience, ensuring that all Escode products exceed global regulatory requirements. 

Wayne's credibility is further solidified by his advisory role with systemic financial institutions and their critical suppliers, focusing on building demonstrably successful stressed exit plans. His direct contributions to recent regulations on operational resilience have had a global impact, influencing regulatory frameworks in the UK, US, Europe, Canada, Switzerland, Australia, Singapore, and India.
