Survey of finance professionals uncovers critical gaps in supplier management practices
A new global report has revealed significant gaps in supplier management practices among financial institutions. The Supplier Stability in Operational Resilience Report highlights that over 32% of the organisations surveyed are unclear about who is responsible for mitigating the risks of supplier failure, service deterioration, and concentration risk for Software as a Service (SaaS) solutions.
This comes at a time of increasing reliance on external tech providers for daily operations. Recent high-profile IT collapses have underscored the vulnerabilities within the system, demonstrating the high-stakes risks associated with single points of failure.
The report was commissioned by Escode, a global leader in software escrow solutions, with research undertaken by CeFPro.
When asked about their understanding of responsibilities around supplier management, respondents described these as “poorly defined.” This lack of clarity raises the likelihood of inconsistencies across jurisdictions and organisations, creating critical gaps in risk management practices.
While 70.1% of respondents reported mitigating risks through standard supplier management processes, only 14.3% have established in-depth risk management procedures, such as third-party escrow agreements. These findings are particularly concerning given the tighter regulations both financial and technology institutions face regarding third-party supplier risk management in their digital operations.
The European Union’s Digital Operational Resilience Act (DORA) exemplifies stringent regulatory measures, mandating stressed exit plans in all ICT third-party licence agreements to prevent supplier failure. Additionally, as organisations prepare for the Bank of England’s SS221 regulation, which takes effect in March 2025, many are facing the challenge of aligning with two significant regulatory frameworks simultaneously.
Wayne Scott, regulatory compliance solutions lead at Escode, stated: “The findings of the Supplier Stability in Operational Resilience Report illuminate a key issue affecting both the tech and financial sectors, where greater clarity and collaboration are essential. Tech companies cannot afford to be blindsided by their customers’ regulatory changes, which can leave them unprepared for compliance demands.”
He added, “With only three months remaining until DORA’s implementation, the time for companies to act is now. Both tech and financial organisations must evaluate the new legislation’s implications for their business and supplier relationships. Establishing a consensus among leaders on regulatory responsibilities and organisational actions is crucial to implementing best practices for supplier risk management, thereby safeguarding against significant disruptions.”
Andreas Simou, managing director at CeFPro, emphasised: “The risk of supplier failure for financial institutions is considerable. Recent incidents, such as the inability of 500,000 members of Australian superannuation fund UniSuper to access their accounts due to a Google Cloud misconfiguration, highlight the severe impacts of supply chain failures. With half of our respondents lacking confidence in meeting regulatory compliance demands around third-party risk management, the need for collaborative action is clear.”
The Supplier Stability in Operational Resilience Report draws from a survey of 107 respondents within financial institutions across the UK, North America, and Europe, supplemented by expert interviews.