As a CFO overseeing your organisation’s transition to Cloud computing, how can you ensure your cloud initiatives delivers on its promises over the medium and long term? Focusing on the short term is the comparatively easy part. Enterprise Risk Management is often one of the key accountabilities for the CFO, and an uncontrolled shift to the cloud could expose you and your organisation to unacceptable risks.
You could, on the other hand, take your chances and strike it lucky, should none of the risks materialize. In this article, I will be focusing on the implementation of mission critical, enterprise Software as a Service (SaaS) cloud, as it is this layer that contains the greatest opacity, complexity and risk. Most of these points, however, are equally applicable to the Platform and Infrastructure as a Service layers.
There are a range of influences at play in performing effective due diligence in buying enterprise cloud services which would depend on factors such as your business model, industry, regulatory mandates and so on. In this article I will focus on five key factors, these being: 1. Cloud market volatility, 2. Lack of legal precedence, 3. Opacity of the offering, 4. Legislative and regulatory maturity, 5. Your contract with the cloud provider.
Let’s look at these in turn:
Volatility: Cloud entrants are appearing almost on a daily basis. In the mix are those that are credible, well resourced and professional, others less so. Some are offering conventional hosting and managed services offerings with a ‘pay-as-you-go’ wrapper that appears cloud-like. Others are new entrants that were ‘born cloud’ in which case they do not suffer the pains and challenges of transforming their legacy business models and support processes to the cloud paradigm. This volatility is leading to uncertainty, which leads to concerns about risk. Case in point being the eighth annual KPMG 2012 Audit Institute Report which identified “IT Risk and Emerging Technologies” as the second-highest concern for audit committees, which is unprecedented in the history of the report.
Cloud is sometimes seen as outsourcing on steroids. Not only are you handing IT control to your provider, you also may have the challenges of identifying where your data is located, and what security measures are in place to protect it. How do you perform due diligence on your provider’s viability if they are new entrants to the market and are backed by impatient startup capital that is expecting positive returns in the short term? Are you concerned about the potentially complex nest of providers that sit behind your provider’s cloud offering? In the event that your provider ceases to exist, can they offer you protection in the form of escrow if you are purchasing SaaS services, for example? Know your exit strategy at the start.
Legal precedence: To date, there are few legal precedents available to help shape the cloud decision-making landscape. If your cloud footprint is critical to your business, gloss over the terms in your contract at your peril.
You should develop an effective listening strategy for the latest court decisions within the legal jurisdictions in which you and your major customers operate. Take on board any lessons learned from these early court decisions. This will help you avoid the pitfalls that other predecessors may have encountered. Cloud providers should be doing the same.
Opacity over the offering: According to Gartner Predicts 2012: Cloud Services Brokerage Will Bring New Benefits and Planning Challenges , “Cloud consumers should budget for additional integration costs which can range from 10 per cent to 30 per cent— and sometimes as high as 50 per cent — of the total cost of cloud IT projects.” This rings true in those that have attempted the implementation of enterprise cloud solutions, especially in the case of Software as a Service (SaaS), as it is this layer that contains the most complexity when it comes to integrating the solution with other systems, be they cloud or otherwise.
The emergence of the cloud brokerage services is intended to help simplify the complexity of the cloud for the user. The Cloud Broker is a role defined by the US National Institute of Standards and Technology’s Cloud Reference Architecture as, “The Cloud Broker acts as the intermediate between consumer and provider and will help consumers through the complexity of cloud service offerings and may also create value-added cloud services as well.” Problem is that this adds another layer of abstraction between you and the organisation together with the people actually delivering the services, which not only adds cost but also adds another layer of opacity when it comes to performing deep due diligence. Think of the cloud Broker as your “IT Department in the Cloud!"
Legislative and regulatory maturity: The legal profession, auditors, legislators and regulators are still coming to grips with cloud in its various forms.
APRA’s new standards that came into effect on July 1, 2012 (CPS231 in particular) refer to appropriate risk management processes. Many of the standards are dated. Two such examples of such standards are AS/ISO 31000 (Risk management), where the current revision is dated 2009, and AS/ISO 27001 (Information security management systems), where the current revision is dated 2006.
To cite another example, the wording contained in the current Office of the Australian Information Commissioner’s National Privacy Principles (NPPs) is deliberately non specific. The word ‘reasonable’ is used in the NPPs to describe measures and controls that should be applied in the implementation of privacy controls. While the intention is clear, the interpretation of ‘reasonable’ is fertile grounds for contention on individual cases.
Navigating the complexities associated with the legislation and regulations that can influence your and, in turn, your provider’s cloud ecosystem can be daunting, especially if operating across multiple legal and international jurisdictions. To illustrate this point, The US National Institute of Standards and Technology (NIST) defines the role of the Cloud Auditor as, "Audits are performed to verify conformance to standards" (Section 2.4). Problem is that there are no universally adopted ‘standards’ for cloud computing at this stage, although there are a number of bodies (mostly sponsored by interested vendors) attempting to define such standards.
The key is to keep up to date with your regulatory and industry compliance environments as they relate to cloud.
Finally, let’s look at the contract. In the public cloud model, the contract between your organisation and your cloud provider takes centre stage. Your contract should be balanced, and reflect appropriate penalties and protections in the event of non performance by your cloud provider. This may be easier said than done. You may just not have the commercial leverage to negotiate variations to the cloud provider’s standardised contract. If the contract terms are mostly favorable to the cloud provider, yet the commercial benefits appear compelling to your organisation, it may be worth pricing in risk to your business case and then reassess your position.
There are swathes of considerations that relate to a cloud contract review, and it is beyond the scope of this article to cover these in any detail. In order to do this justice, I will be offering a series of valuable pointers to help you, as a CFO, assess the balance and appropriateness of your cloud provider’s contract, in a later article.
We are slowly seeing a maturing of the discussions around cloud for the enterprise, however, as the research firm Gartner rightly points out, there are still a few years to go before cloud hits mainstream adoption for the enterprise. Until then, effective and rigorous procurement due diligence should be your default position for your important systems. The reality, however, is that this costs time and money, and short term commercial imperatives when combined with the apparent compelling offer by a cloud provider may well trump due diligence in many commercial organisations. As a CFO with accountability for enterprise risk, what are your strategies to withstand this sort of pressure?
Rob Livingstone is Principal of Rob Livingstone Advisory Pty Limited and a Fellow at University of Technology, Sydney