
02 February 2024

3 Steps to Manage Risk When Procuring New Software



Third-party software applications can be critical to the day-to-day operations of your business. But with lots of software vendors and solutions available to choose from, how do you ensure the solution supports your business needs without creating a weakness in your operational resilience?

When scoping out a new solution, it's essential to consider the potential challenges and risks associated with third-party suppliers. To mitigate these risks, we recommend incorporating the following steps into your procurement process:

1. Choosing the right solution: key considerations

When evaluating potential software solutions, it's important to consider factors such as onboarding deadlines and the potential impacts of delays, the resources required to implement the software, and maintenance and additional license costs.

You should also consider whether cloud-based or on-premise software is the best fit for your organisation. Each option has its benefits and drawbacks, and it's important to weigh these factors against your organisation's specific needs. We delve deeper into the pros and cons of each option in our guide.

By incorporating these considerations, you can help ensure the third-party software solution you select supports your business needs. 

2. Assess third-party supplier risk

When procuring a new solution, it’s important to plan for the unexpected. To evaluate your solutions efficiently, you should consider the following:

  • First, complete a risk assessment.

Would your business function effectively if the application suddenly became unavailable? What would happen if the software supplier was involved in a legal dispute or went out of business?

Consider the impacts on your business. According to research by Deloitte, third-party failures can cost companies as much as £783 million per incident. It's also important to assess whether your team has the necessary skills to rebuild the solution internally if required.

  • Does the software comply with regulations that apply to your business?

For example, third-party risk management requirements such as PRA SS2/21 or the Digital Operational Resilience Act (DORA).

If something unexpected happened to your third-party software supplier, do you have a plan in place to avoid disruption that meets the regulators’ requirements?

  • How is the application hosted, and where is your data stored?

In the case of cloud-based applications, it's important to note that cloud service providers (CSPs) aren't responsible for your application or its data. As an end-user, you're responsible for backing up and restoring the data you store in their services, so check that the supplier's backup and restore arrangements are documented and tested before you rely on them.


3. Protect your software with a business continuity plan

Without the in-house expertise to rebuild or support an application, businesses can be left without access to critical software for prolonged periods in the event of vendor failure. A business continuity plan mitigates this risk and details who's responsible for providing continued access to your application.

As part of your business continuity plan, implement a software escrow agreement.

A software escrow agreement is a simple, effective tri-party arrangement with mutually agreed terms between you, the software supplier, and an independent escrow service provider, such as NCC Group. Under the agreement, the supplier periodically deposits a copy of the software source code and associated materials for secure storage. In the event of a release (for example, if the supplier goes out of business, as discussed in the risk assessment above), you can use the escrow deposit to maintain the software, working from the source code in-house or with another supplier.


Guide to protecting new software investments

From selecting a supplier to onboarding your new application, our guide provides best practice advice for assessing and managing the risks associated with third-party software vendors at each stage of the software procurement process.

What's inside:

  • Key things to consider when procuring a new software application
  • How to assess and manage third-party risk at each stage of the software procurement process
  • How to protect your new software investment


