How Can the Finance Sector Ensure Supply Chain Resilience?

  • Simon Fieldhouse, global managing director – Software Resilience at NCC Group

  • 27.10.2021 02:30 pm
  • #IT #cloud

In the aftermath of the Covid-19 pandemic, the financial IT landscape is more complex than ever, and it continues to change as organisations onboard new software at pace to adapt to a new way of working. These rapid changes can bring new challenges and a whole host of new suppliers, partners and regulators to manage.

According to 3D Hub, in the past decade, only 50% of companies have taken any measures to build supply chain resilience, despite two-thirds of them experiencing disruption. With the events of the last year, it’s now more crucial than ever for finance businesses to think about that potential weak supplier link and ensure operational resilience for themselves and their customers.

The problems associated with rapid technological change could include a heightened risk of IT failure, due to the introduction of new systems and new, untested suppliers, and increased downtime of business-critical applications – both of which are a major concern in a sector where customer trust is paramount and downtime could mean financial loss.

Mitigating this risk will only become more important – according to the Bank of England, 40-90% of banks’ workloads globally could be hosted on public cloud or software-as-a-service within a decade. With the scale of IT estates increasing rapidly, it is important for firms to ensure that they have measures and plans in place to maintain resilience and remain compliant with changing regulations.

The new regulatory landscape

Recently there have been huge regulatory developments affecting finance organisations around the world. In addition to the Prudential Regulation Authority’s Consultation Paper on ‘Outsourcing and third-party risk management’, the European Commission has also published its draft Digital Operational Resilience Act (DORA). 

In the UK, these new government operational resilience regulations set out that financial sector organisations remain liable for their own regulatory compliance, and must ensure that their outsourcers have processes in place to anticipate and deal with potential disruption. The new regulations aim to complement the PRA’s previous policy proposals on operational resilience; facilitate greater resilience in the adoption of ever-changing technologies such as the cloud; implement new guidelines on outsourcing arrangements; and take account of European guidelines on outsourcing to cloud service providers. Europe’s DORA regulations are similar to the UK regulations, and focus on risk management, incident reporting, third-party risk and information sharing.

How can businesses build their supply chain resilience?

Organisations need to assess the resilience of their supply chain in line with these new regulations. This means categorising outsourcers by their criticality, financial stability, and concentration risk. The main ways to do this are:

  • Business continuity plans

Business continuity plans need to be created and retained for every outsourcing agreement in an organisation. These ensure a firm can anticipate and respond to software failure, so that innovations and business systems are safeguarded.

Putting together a business continuity plan involves assessing the resilience of all business-critical applications to disruption, and then carrying out scheduled verification tests to confirm that the plan is effective in case of any disruption.

  • Storing business-critical applications in escrow

A software escrow agreement – an arrangement between a customer, software supplier, and escrow provider – is a way of storing the source code of important business applications securely. This means that the software for business-critical applications can be retrieved and restored, ensuring peace of mind in advance of any event that has the potential to impact availability, such as a ransomware attack, or a merger or acquisition.

  • Exit management plans (EMPs)

Another way to build supply chain resilience is to create an exit strategy that will ensure business continuity when a firm exits an outsourcing agreement. Most business contracts are designed to come to an end at some point, so EMPs should be designed to deal with this inevitability and minimise any disruption.

Looking forward

Protecting business-critical services is especially important for the financial sector, in which the loss of these services could cause significant reputational damage and reduce customer trust. 

Implementing measures that ensure ongoing operational resilience will become increasingly important as technology adoption intensifies and regulations continue to change and evolve, helping organisations to stay prepared for any disruption. 

By ensuring that they are compliant with government operational resilience regulations and have robust business continuity plans in place, firms will maintain supply chain resilience and be better equipped to run smoothly in a turbulent financial and technological climate.