Resilience by Design: Building Supply Chain Risk Management From Day One.

Can technology help manage supply chain risk? Yes. Can technology eliminate all supply chain risk? Absolutely not: there are a series of third-party risks in supply chain that cannot be prevented with technology, and it’s crucial that organisations identify and manage these risks. And not just to satisfy the demands of regulators, who’ve responded as supply chain complexity and interconnectivity has increased, by adding compliance components that mean organisations must show they have taken control. 

We’ve seen it happen: a niche vendor goes under, a critical service degrades and is no longer fit for purpose, or a key software supplier gets acquired and priorities shift. Suddenly you’re exposed. These types of failure in the supply chain can impact organisations by damaging their ability to operate, remain compliant and permanently damage their reputation. Not forgetting the wider implications as ripples of disruption impact stability through the supply chain, affecting your company, your customers and potentially your market too. 

The regulations: 3 core supply chain risks 

Across every regulated industry —from finance to healthcare to critical infrastructure—there are three core categories of third-party risk that are named in regulations but are often missed: 

1. Supplier Failure – The software vendor goes bust, gets acquired, or simply walks away. 

2. Service Deterioration – The product stagnates, support dries up, or SLAs are quietly downgraded. 

3. Concentration Risk – You’re too dependent on one supplier, one platform, or one region. 

These are non-cybersecurity risks associated with the use of technology. Things that can happen at any time, that many will experience in their career, but few prepare for. Looking at frameworks like DORA (Digital Operational Resilience Act) that came into force earlier this year, the US Interagency Guidance on Third-Party Relationships: Risk Management, and PRA SS2/21 and you’ll see they all demand robust third-party risk management. 

Resilience by design 

To manage supply chain risk will need to go back to basics: preventive, detective, and corrective controls. And this all should start at the beginning, during the procurement process; in other words, resilience that’s built in from the start. It means assuming failure by default. It means planning for the worst-case scenario—not because you’re pessimistic, but because you’re prepared. 

To that end many of the regulations include stressed exit plans, which refers to the termination of a contract due to service provider failure or insolvency, which is more unforeseen than a non-stressed exit motivated by commercial or strategic reasons. Stressed exit strategies are integral components of a comprehensive third party risk management strategy, ensuring the continuous provision of critical services and mitigating disruption impacts on the institution, its clients, and the broader financial market. 

There are different approaches you can take here, but one that meets all requirements is software escrow and verification. 

How it works:  

1. Establishing Legal Right – Firstly you need to establish a legal right to access essential information regarding your critical third-party software applications. By using comprehensive contract options, institutions can ensure access to critical data and functionalities, even in the event of supplier failure. Software Escrow Agreements serve as a means to establish this legal right, providing peace of mind by enabling the retrieval of essential data in the event that the original software provider is unavailable. 

2. Knowledge Transfer – Software Escrow Services offer more than just access provision. They provide financial institutions with the knowledge and expertise required to independently manage critical applications. By providing access to source code and documentation, institutions can learn how the software works and acquire knowledge about how to manage it. This transfer of knowledge mitigates the risks associated with dependency on third-party vendors and enables institutions to adapt quickly to changing circumstances.     

3. Scenario Testing – Test to assess the resilience of your contingency plans in adverse situations. For compliance with many regulations entities must establish and regularly test comprehensive business continuity plans for insolvency and failure scenarios. Escrow and Verification Services serve as platforms for conducting these tests, enabling institutions to simulate disruptions such as supplier insolvency. By identifying vulnerabilities and refining contingency plans, these services ensure seamless continuity of critical operations, facilitating compliance with regulatory requirements. They also provide proof to regulators that the management of a failed service can either be brought in house or passed to a third party to rebuild.  

Software escrow services are more than a checkbox for compliance; they’re  strategic assets for operational resilience and managing supply-chain risk – a layer of control, built-in. Giving you the confidence that should the worst happen, you’ve got what you need to recover. 

techUK International Policy and Trade Programme activities

techUK supports members with their international trade plans and aspirations. We help members to understand market opportunities, tackle market access barriers, and build partnerships in their target market. Visit the programme page here.

 

techUK Report - Enabling Growth and Resilience: the UK Tech Sector in an Uncertain World

New techUK report outlines key policy recommendations to boost the UK’s growth through the tech sector amid global challenges, emphasising resilience, trade leadership, and strategic investment.

Read more

 

Upcoming events

17 – 18 September 2025

techUK Delegation to the WTO Public Forum 2025

Geneva, Switzerland

23 – 25 September 2025

techUK Delegation to Washington DC 2025

Washington DC, USA

25 – 30 September 2025

techUK Delegation to Ukraine 2025

Lviv and Kyiv, Ukraine

Latest news and insights 

25 Jul 2025

Global Tech and Trade Policy Update

25 Jul 2025

UK–India Free Trade Agreement: What It Means for the UK Tech Sector

25 Jul 2025

UK and France to focus on tech in Industrial Strategy Partnership

Learn more and get involved

 

International Policy and Trade updates

Sign-up to get the latest updates and opportunities from our International Policy and Trade programme.

 

Here are the five reasons to join the International Policy and Trade Programme

Download

Join techUK groups

techUK members can get involved in our work by joining our groups, and stay up to date with the latest meetings and opportunities in the programme.

Learn more

Become a techUK member

Our members develop strong networks, build meaningful partnerships and grow their businesses as we all work together to create a thriving environment where industry, government and stakeholders come together to realise the positive outcomes tech can deliver.

Learn more

Meet the team 

Sabina Ciofu

Associate Director – International, techUK

×

Sabina Ciofu

Associate Director – International, techUK

Sabina Ciofu is Associate Director – International, running the International Policy and Trade Programme at techUK.

Based in Brussels, she leads our EU policy and engagement. She is also our lead on international trade policy, with a focus on digital trade chapter in FTAs, regulatory cooperation as well as broader engagement with the G7, G20, WTO and OECD.

As a transatlanticist at heart, Sabina is a GMF Marshall Memorial fellow and issue-lead on the EU-US Trade and Technology Council, within DigitalEurope.

Previously, she worked as Policy Advisor to a Member of the European Parliament for almost a decade, where she specialised in tech regulation, international trade and EU-US relations.

Sabina loves building communities and bringing people together. She is the founder of the Gentlewomen’s Club and co-organiser of the Young Professionals in Digital Policy. Previously, as a member of the World Economic Forum’s Global Shapers Community, she led several youth civic engagement and gender equality projects.

She sits on the Advisory Board of the University College London European Institute, Café Transatlantique, a network of women in transatlantic technology policy and The Nine, Brussels’ first members-only club designed for women.

Sabina holds an MA in War Studies from King’s College London and a BA in Classics from the University of Cambridge.

Email:

[email protected]

Phone:

+32 473 323 280

Website:

www.techuk.org

Daniel Clarke

Policy Manager for International Policy and Trade, techUK

×

Daniel Clarke

Policy Manager for International Policy and Trade, techUK

Dan joined techUK as a Policy Manager for International Policy and Trade in March 2023.

Before techUK, Dan worked for data and consulting company GlobalData as an analyst of tech and geopolitics. He has also worked in public affairs, political polling, and has written freelance for the New Statesman and Investment Monitor.

Dan has a degree in MSc International Public Policy from University College London, and a BA Geography degree from the University of Sussex.

Outside of work, Dan is a big fan of football, cooking, going to see live music, and reading about international affairs. 

Email:

[email protected]

Theophile Maiziere

Policy Manager - EU, techUK

×

Theophile Maiziere

Policy Manager - EU, techUK

Theo joined techUK in 2024 as EU Policy Manager. Based in Brussels, he works on our EU policy and engagement.

Theo is an experienced policy adviser who has helped connect EU and non-EU decision makers.

Prior to techUK, Theo worked at the EU delegation to Australia, the Israeli trade mission to the EU, and the City of London Corporation’s Brussels office. In his role, Theo ensures that techUK members are well-informed about EU policy, its origins, and its implications, while also facilitating valuable input to Brussels-based decision-makers.

Theo holds and LLM in International and European law, and an MA in European Studies, both from the University of Amsterdam. 

Email:

[email protected]

Website:

www.techuk.org

LinkedIn:

linkedin.com/in/théophile-maiziere-a32772111

Lewis Walmesley-Browne

Head of Market Access and Consumer Tech, techUK

×

Lewis Walmesley-Browne

Head of Market Access and Consumer Tech, techUK

Lewis' programmes cover a range of policy areas within Market Access (international trade regulation, sanctions and export controls, technical standards and product compliance, supply chains) and Consumer Tech (media and broadcast policy, consumer electronics, and connected home technology).

Prior to joining techUK, Lewis worked in government affairs and policy roles for international trade associations in Southeast Asia including the American Malaysian Chamber of Commerce and the European Chamber of Commerce in Cambodia.

He holds an undergraduate degree in Social and Political Sciences from the University of Cambridge and an MSc in Public Policy & Management from SOAS University of London.

Email:

[email protected]

LinkedIn:

https://www.linkedin.com/in/lewis-walmesley-browne/

Tess Newton

Team Assistant, Policy and Public Affairs, techUK

×

Tess Newton

Team Assistant, Policy and Public Affairs, techUK

Tess joined techUK as an Policy and Public Affairs Team Assistant in November of 2024. In this role, she supports areas such as administration, member communications and media content.

Before joining the Team, she gained experience working as an Intern in both campaign support for MPs and Councilors during the 2024 Local and General Election, and working for the Casimir Pulaski Foundation on defence and international secuirty. She has worked for multiple charities, on issues such as the climate crisis, educational inequality and Violence Against Women and Girls (VAWG). In 2023, Tess obtained her Bachelors of Arts in Politics and International Relations from the University of Nottingham.

Email:

[email protected]

LinkedIn:

https://www.linkedin.com/in/tess-newton-8ab444239/