Useful Checklist for Organizations: Do You Need an Escrow Arrangement?

It seems logical, but not all organizations have a clear policy in place regarding the use of escrow arrangements. Various criteria can objectively determine whether an escrow arrangement is necessary for a particular software application or environment. In this blog, we provide these criteria to help you make an informed decision. Of course, each organization applies its own risk analysis methodology, complete with its criteria and weighting for confidentiality, integrity, and availability. The key is to make deliberate choices, and the checklist below can assist you. Have further questions after reading it? Don’t hesitate to contact us.

The Checklist with Assessment Criteria

Financial  

• Evaluate the total investment costs in the software, including development, licenses, training, hardware, hosting, maintenance, and management.

Analyse Vendor  

• Assess the stability of the software vendor by considering the following:
  Company Age: Organizations younger than five years statistically have a higher risk of bankruptcy. Company Size: What is the scale of the organization? Financial Health: Analyze financial statements or review credit bureau ratings.
• Existing Vendors: How has the collaboration been so far?

Software Usage/Deployment

• Does the software support a core business process? Note: Without further software development or availability, your organization may face (relatively) rapid disruptions, posing risks to operations.
• Even if the software isn’t critical to a core process, has there been significant investment in it (e.g., licenses, staff training, hardware)?
• Is the software hosted internally or externally?
• How significant is the dependency?How frequently is the software updated? (Frequent updates suggest higher dependency.)
• Does the vendor also provide hosting (e.g., SaaS/Cloud services)?
• How replaceable is the software? (Is it commodity software or highly specialized?)
• Is the software custom-made? (Custom software is typically harder to replace.)

Regulatory Requirements

• Requirements from regulators, such as ACM, AFM, and DNB, regarding ICT management and continuity can often be addressed through an escrow arrangement.

Additional Considerations

• Social Responsibility: Consider the company’s duty of care toward customers and society.
• Reputational Risk: Even failure of a simple, non-critical app can lead to negative publicity or perception issues.

Want to Learn More?

If you’d like more information about the points briefly outlined in this blog, get in touch with us. We’ll provide a comprehensive explanation of the how and why behind a robust escrow arrangement.