Resilient Supply Chain Podcast: The Hidden Software Risk in Operational Resilience
- The Supply Chainer
- 8 hours ago
This week’s episode of the Resilient Supply Chain Podcast examines how critical software and cloud dependencies are becoming a supply chain resilience issue. Host Tom Raftery is joined by Wayne Scott, GRC Solutions Lead at Escode, whose work focuses on supplier failure, service deterioration, concentration risk and stressed exit planning. The discussion explores why digital dependency can create operational fragility when organisations assume that outsourcing a service also transfers responsibility for it. The full episode is available at www.resilientsupplychainpodcast.com.
Software as Supply Chain Exposure
The central tension is clear: many organisations treat software as an operational tool, while depending on it as critical infrastructure. That distinction matters. Scott argues that if a provider fails, deteriorates, is acquired, loses key personnel, or can no longer support a service, the customer may still carry the operational risk.
This is not limited to financial services. Software providers often operate horizontally across sectors, meaning the same supplier can sit inside banking, energy, logistics, public services, defence or manufacturing at once. That creates concentration risk that may be invisible until disruption occurs.
Scott’s analogy is blunt: “It’s like buying a car from a manufacturer and they go out of business and the car disappears.” Few organisations would accept that model in physical assets. Yet many accept it every day with software and cloud services.

Outsourcing Does Not Remove Accountability
A recurring theme is the gap between procurement decisions and long-term resilience. Cost, scale, new features and cloud migration have encouraged firms to concentrate technology dependencies. But Scott warns that many companies “outsource the thinking” along with the service.
That is a governance problem, not merely a technical one. Supplier failure risk often sits awkwardly between procurement, cybersecurity, compliance and operational risk. As a result, it can be deferred, misclassified or absorbed into cyber resilience language without being properly owned.
The strategic implication for supply chain and operations leaders is uncomfortable: third-party risk cannot be reduced to vendor onboarding. It needs ownership, testing, documentation and credible exit planning.
Visibility Fails Below the Surface
The discussion also highlights how firms lose visibility beneath their direct suppliers. Dependency mapping may reveal open-source components, proprietary build tools, missing source code, ownership split across acquired entities, and fourth-party suppliers that were not previously visible.
Scott notes that many organisations assume supply chains extend outward in a linear fashion, when digital supply chains often contract into shared underlying infrastructure. Multiple providers may rely on the same cloud foundation, creating a hidden layer of common exposure. This matters as regulation expands. Frameworks such as the Digital Operational Resilience Act (DORA), critical third-party provider oversight, and wider operational resilience requirements are pushing firms to map, test and manage these dependencies more explicitly.
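The contraction Scott describes is easy to miss on a spreadsheet of direct suppliers but straightforward to surface once the dependency map is treated as a graph. The following is an added example, not code from the episode or from Escode: it takes a small constructed map of services, vendors and the providers they in turn rely on (all names are hypothetical), walks the dependencies transitively, and reports which underlying providers every critical service ends up depending on and which of those providers were never directly contracted.

```python
"""Transitive dependency mapping to surface hidden concentration risk.

Added illustration only. The graph below is constructed for this example;
none of the service, vendor or provider names refer to real organisations.
Each key lists the things it directly depends on; edges point downward
from a service to its suppliers and from suppliers to their own suppliers.
"""
from collections import defaultdict, deque

# Constructed dependency map (hypothetical names).
DEPENDENCIES = {
    "payments-platform": ["VendorA", "VendorB"],
    "logistics-tracking": ["VendorC"],
    "hr-payroll": ["VendorD"],
    "VendorA": ["CloudX", "AuthSaaS"],
    "VendorB": ["CloudX"],
    "VendorC": ["CloudX", "OpenSourceLibQ"],
    "VendorD": ["CloudY", "AuthSaaS"],
    "AuthSaaS": ["CloudX"],  # a fourth party that itself sits on CloudX
}

CRITICAL_SERVICES = ["payments-platform", "logistics-tracking", "hr-payroll"]


def transitive_dependencies(node, graph):
    """Breadth-first walk; returns every node reachable from `node`.

    The `seen` set also terminates the walk if the map contains a cycle
    (for example two vendors that resell each other's services).
    """
    seen = set()
    queue = deque([node])
    while queue:
        current = queue.popleft()
        for dep in graph.get(current, []):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def exposure_by_provider(critical_services, graph):
    """Map each provider (direct or indirect) to the critical services
    that transitively depend on it."""
    exposure = defaultdict(set)
    for service in critical_services:
        for dep in transitive_dependencies(service, graph):
            exposure[dep].add(service)
    return dict(exposure)


def single_points_of_failure(critical_services, graph):
    """Providers on which *every* critical service depends, directly or not.

    These are the concentration points a stressed-exit plan must cover."""
    wanted = set(critical_services)
    exposure = exposure_by_provider(critical_services, graph)
    return sorted(p for p, services in exposure.items() if services == wanted)


def hidden_providers(critical_services, graph):
    """Providers that no critical service contracts with directly but that
    appear in its transitive dependencies: the fourth parties that a
    supplier-onboarding questionnaire alone will not reveal."""
    direct = {dep for s in critical_services for dep in graph.get(s, [])}
    reachable = set()
    for service in critical_services:
        reachable |= transitive_dependencies(service, graph)
    return sorted(reachable - direct)


if __name__ == "__main__":
    print("Exposure by provider:")
    for provider, services in sorted(exposure_by_provider(CRITICAL_SERVICES, DEPENDENCIES).items()):
        print(f"  {provider:16} <- {', '.join(sorted(services))}")
    print("Single points of failure:", single_points_of_failure(CRITICAL_SERVICES, DEPENDENCIES))
    print("Hidden (indirect) providers:", hidden_providers(CRITICAL_SERVICES, DEPENDENCIES))
```

In the constructed map no critical service names CloudX as a supplier, yet all three reach it, one of them only through an authentication service that a vendor relies on. That is the "contraction" the episode describes: the map widens at the vendor layer and narrows again underneath it. Replacing the dictionary with the output of a real dependency inventory (vendor questionnaires, SBOM data, cloud-region disclosures) turns the same walk into a repeatable check rather than a one-off assessment.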
AI Adds a Further Layer of Supplier Risk
AI is treated not simply as a tool for risk detection, but as a force that may destabilise software markets. Scott argues that rapid AI-driven obsolescence could undermine established providers faster than previous technology shifts. If a critical software supplier loses value, customers or capability, firms may still need to operate that system for 18 months or longer while transitioning.
That creates a practical resilience question: can the organisation keep operating during the gap between supplier deterioration and replacement? The episode’s strategic takeaway is that digital resilience must be governed with the same seriousness as physical supply chain resilience. Leaders need to know which software services are critical, where dependencies sit, what happens if a supplier fails, and whether exit plans are tested rather than assumed. As regulatory pressure increases, resilience will depend less on confidence in large providers and more on evidence, accountability and operational execution.