A year after Escode’s landmark study into supplier stability and operational resilience, its latest collaboration with CeFPro to discover how those findings have since impacted on real world action reveals a hard truth.
Many firms believe they are compliant, but far fewer can prove they are ready.
The new research highlights a widening confidence gap. While 51 percent of firms say they feel fully compliant with resilience requirements, only 18 percent express high confidence that their stressed exit plans are complete.
For Julie Antonelli, Vice President of Sales for North America at Escode, the reason is clear.
“Having something documented on paper is quite different from actually running a real-world scenario to validate stressed exit readiness,” she says. “Written policies and compliant documentation are beyond valuable, but regulators now expect actual evidence that an exit could truly operate under stressed conditions.”
That distinction between documentation and demonstration is reshaping operational resilience globally. In Europe, the Digital Operational Resilience Act has introduced mandatory testing, incident reporting, and strict third-party risk management requirements.
In the United States, guidance such as that issued by the Interagency guidance on third party risk management and the FFIEC remains more principles-based, but expectations are moving in the same direction.
Antonelli believes global firms should not aim for the lowest common denominator.
“EU rules like DORA are very strict and mandatory,” she explains. “For global firms operating across regions, it makes sense to meet the tougher standards, so your overall resilience plan and stressed exit strategy are aligned everywhere.”
Alignment, however, is only part of the challenge. Ownership remains a significant weakness.
The research shows the majority (93 percent) of respondents rely heavily on cloud services, yet more than half are unclear on who owns supplier failure and concentration risk.
Legal, procurement, technology, and operational risk teams all have roles to play, but without clear accountability progress stalls.
“There needs to be an identified primary owner,” Antonelli says. “Without that, stressed exit planning remains a concept on paper rather than rehearsed and managed risk.”
The cultural shift required is substantial. For years, resilience programs have often been treated as documentation exercises. Today, regulators expect drills, scenario testing, and continuous validation.
Many firms are still focused on building inventories and conducting assessments rather than testing live exit scenarios.
“The biggest blockers are practical, not intentional,” Antonelli explains. “Firms are doing assessments and building inventories, but that can become a very large and complex project.”
Complexity compounds the problem. Modern third-party ecosystems extend far beyond single vendors. Hosted applications often rely on layered networks of sub-processes and embedded technologies. Each additional layer reduces visibility and increases concentration risk.
“It’s really like an onion,” Antonelli says. “The more we peel it apart, the more layers we find, and that leads to further complexity. Your vendor may rely on third parties, and those parties may rely on others. Visibility becomes limited the further you go.”
This opacity makes proving stressed exit feasibility difficult. Firms do not control many of these environments directly, yet they are expected to demonstrate that an orderly stressed exit is achievable. According to Antonelli, verified escrow arrangements provide a practical solution.
“Working with a neutral escrow agent allows you to hold and validate sensitive materials that vendors may not otherwise share,” she says.
“Through that process, you can confirm what’s deposited is complete and executable in a stressed exit. Regulators want proof. This gives you evidence beyond your own environment.”
Such mechanisms help move organizations from theory to testable readiness, Antonelli insists.
Looking ahead, she emphasizes that firms must pivot from conversation to execution. “We see a lot of organizations having great conversations, and that’s a fantastic start,” she says. “But now it needs to move into practice globally for the business.”
The next six to twelve months will be critical. Resilience must become part of business as usual rather than a regulatory project.
As Antonelli puts it, “The paper is never going to be perfect. When you get into practice, you will identify other areas of risk exposure. The two need to happen in tandem.”
Interested in speaking with our Australian team about escrow and verification?