Skip to navigation Skip to main content Skip to footer

A Cost-Benefit Analysis of Software Escrow Verification

Contact Us

“When a business-critical system fails or is interrupted, organizations can face financial losses, customer dissatisfaction and reduction in productivity.” This article in NetMotion points out something that we all inherently know; yet we often don’t take steps to ensure our business-critical systems are protected.

Over the last two years, I’ve published articles on Iron Mountain’s Technology Escrow Services to explain the benefits of protecting business-critical systems in the case of unforeseen circumstances. This post will provide a cost-benefit analysis of performing escrow verification on business-critical applications. (For background on our verification process, read “Why Would You Verify Your Software Escrow Deposit?“)

Verifying your escrow deposit ensures that the source code and other required materials needed to recreate your software are available, here I’ll focus on the justification for spending money upfront to avoid losing a significant amount of money on the back end.

Here are some stats to consider regarding business-critical software. A report by software testing company Tricentis analyzed 606 software fails from 314 companies. These software failures affected 3.6 billion people causing $1.7 trillion in financial losses — a cumulative total of 268 years of downtime. It illustrates the huge number of software failures and vulnerabilities. However, software escrow plus verification lets you take steps to protect your business-critical applications.

Software with the highest instances of failure:

  • On-premises software accounted for 50% of the software failures
  • Mobile/cloud software had the second most issues with 32% of the software failures
  • Embedded software was most reliable (relatively speaking) with 19% of the software failures

Top three reasons for the software failures:

  • Software bugs (55%)
  • Security vulnerabilities (22%)
  • Usability glitches (9%)

Now, let’s consider some of the most popular types of business applications/systems. We’ll look at the business investment and cost of an escrow verification to protect this investment.

Financial Applications: What makes these applications critical, is the data they are responsible for holding, processing, and moving. Most financial application systems are very complicated and tailored to a specific field of economics, regulatory policy, and/or market competition.

According to an article in Forbes, Workday’s 3-year minimum contract starts at $100-$200 per user per/year. “As a result, $800K annual subscription costs are fairly common.”

Enterprise Resource Planning (ERP) Systems: An ERP system is a database that is centralized for various business processes to reduce manual labor and improve workflow. Users have access to real-time data information across the business to measure productivity and profitability.

According to Clients First Business Solutions, large enterprises spend $1 million to $10 million for implementation. If your ERP system costs $1 million, then your annual renewal fee is approximately $100K to $200K.

Cost to Mitigate Risk

Each escrow verification is priced based on the verification level selected, and the specific Statement of Work. Typically, verification is a very small investment to protect applications that are critical to business operations and runs less than 5% of the overall cost of ownership. A Full Usability test confirms that the source code placed in escrow will be fully functional in the event of a release. We run a series of tests to ensure that replicated software runs properly and create a detailed report of these tests, including demonstrations of the functioning software in action. This provides assurance that the escrow account contents can be utilized effectively in the event of a release.

Escrow Test Frequency

The average software development cycle is between 4 and 12 months. This means a new version of a software application is available 1 to 3 times a year. Iron Mountain’s escrow agreements have an average life cycle of 5+ years. Therefore, a beneficiary of an escrow agreement could potentially have rights to 5 to 15 different versions of their business-critical software in the course of one escrow agreement. That’s why it is critical to establish a deposit schedule with your vendor to monitor that application’s development progress and its criticality within the organization.

We tend to see one part of a business start to use an application, and then more of the broader organization begins to leverage it. As a result, within 3 years, the organization’s dependency on that software in the organization grows. Once the application reaches a milestone in the development process, it’s strongly recommended performing a verification test to ensure your escrow account is accurate and includes all the required details.


The price of business-critical solutions is “fair” when you consider the ROI for the improvements these solutions bring to a business operation. But, what’s the impact to the process if you experience an unanticipated disruption? You could have intangible losses, such as productivity disruption, reputation damage, exposure of confidential information, or loss of customer loyalty. Or, this could extend to tangible losses, such as loss of revenue or permanent business failure.

As consumers, we purchase insurance policies to protect the things that matter most to us, such as our house, car, boat, life, etc. So, why wouldn’t you insure your business-critical applications with an escrow agreement and verification services, every single time? Many industries take similar approaches: sports teams require athletes to get a physical prior to signing and a house inspection is required before a mortgage is approved. This approach to verifying the goods — so to speak — is a wise decision.


NCC Group Software Resilience has acquired Iron Mountain’s Intellectual Property Management (IPM) business. For more information on the acquisition, please visit our dedicated information hub, or contact Iron Mountain IPM.

Get in touch

Skip to navigation Skip to main content Skip to footer