17 April 2023

How to meet PRA Regulations when outsourcing IT: Guidance for ISVs

In our first blog in this series, we outlined the latest PRA requirements that financial software customers must meet in order to improve their resilience to disruption from third-party vendors.

But to ensure long-term operational resilience and manage compliance, firms will need to do more than simply understand the new regulations. Many firms will be changing their entire approach to compliance, including structural changes to operations and introducing new processes.

This will undoubtedly impact what they expect from their ISV partners, as they look for assurance around the availability of their critical applications and support in following resilience best practices.


Best practices being embraced by finance firms:

Awareness
More firms are bringing the issue of third-party risk management to the board and strategic level to raise awareness. This will increase the amount of time and resources dedicated to having appropriate strategies, systems and controls in place to manage the risks.

Develop
Firms are then working to define consistent assessment criteria to categorise the materiality of third parties based on the role they perform in supporting important business services. This may also include developing an onboarding procurement policy that requires all parts of the business to follow a defined process when engaging new third-party software providers.

Review
Firms are also assessing the risks of all outsourcing arrangements irrespective of their materiality. This includes reviewing their current third-party software portfolio with recommended risk assessment tools or working with an independent specialist to assess potential risks associated with extensive reliance on one service provider (concentration risks).

Test
Finally, many firms are assessing the fault tolerance of all applications they would deem ‘business critical’. After that assessment, they may follow a repeatable schedule of Software Escrow Verification tests to ensure the knowledge and guidance needed to manage and maintain the application is available should the business need it.


How can ISVs support financial firms?

This combination of new PRA regulations and increased awareness of third-party risk means ISVs in the UK finance space must take a proactive approach to instilling confidence in the firms they support. This includes demonstrating to customers that they understand the criticality of their applications, and incorporating solutions that minimise disruption and enhance resilience.

ISVs can enhance their software offerings with complementary Software Resilience solutions such as Escrow Agreements and Verification Services. Such measures give financial software customers full peace of mind that – should the ISV be unable to continue service – the firm will have the necessary materials and knowledge to quickly get the application back up and running.

The assurance and confidence enabled by this proactive approach to resilience brings ISVs further benefits, such as a more competitive software offering and entry into other highly regulated markets.

Looking to learn more about the regulations affecting the UK's financial institutions?

Watch our on-demand webinar: PRA SS2/21: One Year On