Concentration Risk Is No Longer a Theoretical ProblemĀ 

Concentration risk is no longer a background governance issue. It is now a front-and-centreĀ regulatory expectation.Ā 

AsĀ organisationsĀ deepen their reliance on third-party software, SaaS platforms, hyperscale cloud providers and AI systems, operational resilience increasingly depends on a small number of technology suppliers. When one of those suppliers fails, withdraws support, becomes insolvent, or suffers a major outage, the consequences can be immediate and systemic.Ā 

Concentration risk is not about how many vendors sit on a spreadsheetĀ orĀ traffic light coding. It is about dependency depth, switching friction, and whether yourĀ organisationĀ can continueĀ operatingĀ when a critical third party is suddenly unavailable.Ā 

And regulators are no longer satisfied with assurances.Ā Ā 

Ā 

Regulators Are Asking for Proof, Not PromisesĀ 

In its 2026 priorities letter, the Bank of England made clear that firms must not rely solely on third-party assurances. Institutions are expected to understand their dependency chains and prepare for disruption, including scenarios where a supplier fails or becomes insolvent.Ā 

That expectation sits alongside the PRAā€™s Operational Resilience framework (SS1/21), which requires firms to:Ā 

ā€œDemonstrate their ability to remain within their impact tolerances through severe but plausible disruption scenarios.ā€Ā 

Similarly, under the EUā€™s Digital Operational Resilience Act (DORA), firms must:Ā 

ā€œTest the resilience of ICT systems and toolsā€ andĀ demonstrateĀ that they canĀ maintainĀ critical orĀ important functionsĀ during disruption.Ā 

In the United States, FFIEC guidance requires institutions to:Ā 

ā€œTest the institutionā€™s ability to recover from disruptionsā€ and ā€œdemonstrate that critical operations can be resumed within established recovery time objectives.ā€Ā 

AcrossĀ jurisdictions, the language is consistent:Ā identify, test,Ā demonstrate, evidence.Ā 

The word regulators increasingly care about isĀ prove.Ā 

An SLA is not proof. A resilience statement is not proof. A contract clause is not proof.Ā 

Executable continuity is.Ā 

Ā 

The Tick-Box Software Escrow Era Is OverĀ 

Historically, software escrow was often implemented as a contractual safeguard.Ā It provided theoretical access to source code if a vendor became insolvent. For many years, that was sufficientĀ due to the hosting andĀ licensingĀ model deployed.Ā 

But concentration risk today is multi-layered. It is not just about insolvency. It may involve:Ā 

  • Withdrawal of supportĀ 
  • Cloud provider outagesĀ 
  • Cyber incidentsĀ 
  • AI system failuresĀ 
  • Vendor acquisition or strategic pivotĀ 

Access to source code alone does not guarantee recoverability.Ā 

Even where software escrow materials include code, documentation and build artefacts, a practical challenge remains: knowledge. In a live incident, does the beneficiary possess the internal expertise required to redeploy and operate that system in a short, regulated recovery window?Ā 

Having the materials isĀ not the same asĀ having the capability.Ā 

Ā 

When the Cloud FailsĀ 

Consider a further layer of concentration risk. What if the software vendor relies entirely on a single cloud provider such as Azure, and that cloud region suffers a prolonged outage?Ā 

If your recovery strategy depends on redeploying into the same cloud environment, even a duplicate environment may not solve the problem. Concentration risk can sit not only with the software vendor, but with the underlyingĀ hyperscaler.Ā 

True resilience requires optionality across infrastructure layers.Ā 

Ā 

Modern SaaS Escrow as an Operational ControlĀ 

Modern software escrowĀ  and SaaS escrow frameworks address theĀ evolution in risk. As well as code storage, a fit for purpose software or SaaS escrow agreement today can include:Ā 

  • Source codeĀ 
  • API information or third-party dependenciesĀ 
  • Deployment artefacts and configurationsĀ 
  • Infrastructure-as-code and CI/CD pipelinesĀ 
  • Documentation and build instructionsĀ 
  • AI models, weights, inferenceĀ pipelinesĀ and training components (whereĀ appropriate)Ā 
  • Access credentials to production cloud environmentsĀ 
  • RedundantĀ replicaĀ fall back cloud environmentsĀ 
  • Tested recovery planĀ 

The agreements should incorporate independent verification and testing aligned to stressed exit planning. But ifĀ Ā your organisation does not have the necessary expertise to deploy and manage the new environment, even this may not be enough to ensure continuity.Ā 

Ā 

The Role of Managed ContinuityĀ 

When looking beyond theoretical access toĀ critical assets orĀ third-partyĀ IP, a managed service model becomes increasingly relevant.Ā 

Under such an arrangement, a software escrow provider can step in, beyond passive holding of materials. With appropriate agreements and investment in testing, the software escrow agent can:Ā 

  • Work withĀ the vendor to replicate the solution onĀ the sameĀ orĀ anĀ alternative cloud environmentĀ whereĀ feasibleĀ 
  • Operate the application on behalf of the client during transitionĀ 
  • Bridge the skills and knowledge gapĀ 
  • Maintain serviceĀ availabilityĀ while longer-term remediation occursĀ 

Critically, this may include structured knowledge sharing between the vendor and the software escrow provider in advance, reducing reliance on undocumented tribal knowledge. As well as an option not to release any IP but deliver a service during interruptions or supplier failure on an interim basis. In a failure event, time matters. Regulators measure impact tolerances in hours and days, not months and compliance teams need to evaluate options and controls.Ā 

Ā 

Concentration Risk Cannot Be Eliminated ā€“ But It Can Be ControlledĀ 

Adding more vendors is not always realistic. Specialist software providers often dominate niche markets.Ā HyperscalersĀ underpin entire ecosystems.Ā 

The question is not how to remove concentration risk entirely. It is how to reduce its operational impact.Ā 

Modern software and SaaS escrow,Ā particularlyĀ whenĀ supported by verification and managed continuity options,Ā provides enforceable control in a scenario where assurances alone collapse.Ā 

For boards, risk committees and technology leaders, the issue is no longer whether a third-party agreement exists. It is whether continuity can beĀ evidencedĀ under stress.Ā 

Because in todayā€™s regulatory environment, the difference between a theoretical safeguard and a tested recovery mechanism is the difference between compliance and failure.Ā