Minimizing Risk in Vendor Onboarding

Why it's essential to consider the potential challenges and risks associated with third party suppliers.


Choosing the right solution: key considerations

Third-party software applications can be critical to the day-to-day operations of your business. But with lots of software vendors and solutions available to choose from, how do you ensure the solution supports your business needs without creating a weakness in your operational resilience?

Here are some steps to build into your procurement process.

When evaluating potential software solutions, consider factors such as onboarding deadlines and the potential impacts of delays, the resources required to implement the software, and maintenance and additional license costs.

Is cloud-based or on-premise software the best fit for your organisation? Each option has its benefits and drawbacks, and it's important to weigh these against your organisation's specific needs. We delve deeper into the pros and cons of each option in our guide.

By incorporating these considerations, you can help ensure the third-party software solution you select supports your business needs.

Assess third-party supplier risk

When procuring a new solution, plan for the unexpected. To evaluate your solutions efficiently, you should consider the following:

1. Complete a risk assessment

Would your business function effectively if the application suddenly became unavailable? What would happen if the software supplier was involved in a legal dispute or went out of business?

According to research by Deloitte, third-party failures could cost a company as much as £783m per incident. It's also important to assess whether your team has the necessary skills to rebuild the solution internally if required.

2. Does the software comply with regulations that apply to your business?

For example, third-party risk management requirements such as PRA SS2/21 or the Digital Operational Resilience Act (DORA).

If something unexpected happened to your third-party software supplier, do you have a plan in place to avoid disruption that meets the regulators’ requirements?

3. How is the application hosted, and where is your data stored?

In the case of cloud-based applications, note that cloud service providers (CSPs) aren't responsible for your application or your data. As an end-user, you're responsible for backing up and restoring the data you store in their services. To learn more about how to protect cloud-based applications, download our guide.

Protect your software with a business continuity plan

Without the in-house expertise to rebuild or support an application, businesses can be left without access to critical software for prolonged periods of time in the event of vendor failure.

A business continuity plan mitigates this risk and details who's responsible for providing continued access to your application.

As part of your business continuity plan, consider implementing a software escrow agreement. A software escrow agreement is a tri-party arrangement with mutually agreed terms between you, the software supplier, and an independent escrow service provider.

Under the software escrow agreement, the supplier periodically deposits a copy of the software source code and associated materials for secure storage. If a release is triggered under the agreement's terms, you can use the escrow deposit to maintain the software, working from the source code in-house or with another supplier.

Neil Bellamy, the bank's Head of Technology, Media, Telecoms and Services says:

“The venture capital investor Marc Andreessen once said that ‘software will eat the world’. While it may not be as dramatic for your business, software applications can still be mission critical. This guide by our partners at NCC provides clear, practical information to help you consider the risks and plan accordingly.”

By following the steps in this guide, you can be confident that you have followed a procurement process with demonstrable business continuity planning.

For more information, visit NCC Group Software Resilience

For more cyber insights, see our Cyber Security hub

This material is published by NatWest Group plc (“NatWest Group”), for information purposes only and should not be regarded as providing any specific advice. Recipients should make their own independent evaluation of this information and no action should be taken, solely relying on it. This material should not be reproduced or disclosed without our consent. It is not intended for distribution in any jurisdiction in which this would be prohibited. Whilst this information is believed to be reliable, it has not been independently verified by NatWest Group and NatWest Group makes no representation or warranty (express or implied) of any kind, as regards the accuracy or completeness of this information, nor does it accept any responsibility or liability for any loss or damage arising in any way from any use made of or reliance placed on, this information. Unless otherwise stated, any views, forecasts, or estimates are solely those of NatWest Group, as of this date and are subject to change without notice. Copyright © NatWest Group. All rights reserved.
