Risk Management

Considering the Cloud

Companies that want to adopt cloud computing have a host of choices to make and concerns to address.
Keith ButtonFebruary 26, 2015

See the companion piece to this magazine feature, What Does the Cloud Really Cost?

The cloud computing bandwagon continues to pick up speed, with software-as-a-service (SaaS) arrangements now outselling licensed software. Moreover, cloud computing is winning corporate converts to infrastructure-as-a-service (IaaS), which offers virtual hardware, storage capacity, network connections, and so on; and platform-as-a-service (PaaS), which enables users to build software applications over the Internet.

Drive Business Strategy and Growth

Drive Business Strategy and Growth

Learn how NetSuite Financial Management allows you to quickly and easily model what-if scenarios and generate reports.

It’s not surprising that so many companies have migrated to the cloud, given its promise of cost savings, increased flexibility, and greater ease of use. But they still face choices among public, private, and hybrid public-private cloud arrangements. Moreover, there are a number of cost-benefit considerations and risks to address. And for certain applications, on-premises software may still be the best bet.

Cloud Scenarios
Typically, when a company considers moving an application to a SaaS arrangement, the catalyst is a hardware or software upgrade, says Kevin Surovcik, a managing director and IT adviser at Grant Thornton. The company may be running an old version of its on-premises application, “and they hit a point where they’ve got to do a forced upgrade because they’re on a version that’s running out of support,” he says. When the cost of an upgrade approaches the cost of a replacement system, the discussion turns to considering all of the available options, including cloud offerings.

15Feb_SRCloud_p41 cloud computingAs a company considers the business case for moving software or IT infrastructure to the cloud, it may decide to stop short of a full public cloud arrangement. Instead, it may opt for a private cloud, where it is the only tenant and owns the software license; or a hybrid private-public cloud approach.

A private cloud may be suitable if it provides the savings sought by the company, and if the business has a predictable IT load and is “running a very tight IT shop,” says Mark Peacock, IT transformation practice leader at the Hackett Group. But if a company has applications that are “bursty” (characterized by big spikes of usage) or wants to focus its resources elsewhere, it may want to consider the hybrid approach or migrate to a full public cloud arrangement.

A key factor spurring companies to seriously consider moving to the public cloud, whether via SaaS or IaaS, is price competition among cloud providers.

“If you look at the cost per storage, or the cost per [million instructions per second] or CPU cycle, there’s a price war going on between Microsoft, Google, and Amazon Web Services,” Peacock says. He notes that some private-cloud clients have compared costs and as a result are moving some applications to the public cloud.

The Ascendance of SaaS
SaaS is now the most dominant form of software arrangement in the market for customer relationship management, supply chain management, payroll benefits, time and attendance, and ERP software, according to Gartner.

In 2000, 93% of software deals were in licensed software, while SaaS deals were virtually nonexistent, according to Gartner. Last year, licensed software accounted for just 37% of software deals, compared with 52% for SaaS and 10% for subscription software (typically hosted by a vendor that rents it on a monthly basis). By 2020, Gartner predicts, just 16% of software deals will be licensed.

For smaller companies, the market percentages “skew tremendously” in favor of SaaS, because it’s easier and advantageous for them to move to SaaS models, says John Lovelock, Gartner research vice president. Also, the replacement cycle is much faster for SaaS — typically two to three years, compared with five to nine years for licensed software.

cloud computing 15Feb_SRCloud_p42aThe applications that companies are seeking SaaS arrangements for tend to be “edge” applications — peripheral apps that may “lightly interface” with a company’s core ERP backbone, Peacock says. Such applications include, for example, Concur for travel and entertainment expense management, Salesforce.com for customer relationship management, and SuccessFactors for human capital management. Edge applications “tend to be the less customized applications,” says Peacock, making them easier to change over to SaaS.

Beyond edge applications, companies look next to IaaS and PaaS offerings, such as Savvis, Rackspace, Microsoft Azure, and Amazon Web Services, says Peacock.

ERP Resistance
ERP systems, on the other hand, are last on the list of IT items to be sent to the cloud, says Jim O’Connor, a principal at the Hackett Group. According to the group’s research on the issue, finance executives list integration of applications, data stewardship, and data governance as bigger priorities than extending or replacing ERP with cloud-based applications.

Unlike edge applications, ERP systems tend to be highly customized. “Over the years, they’ve tended to accumulate customization or configurations in a way that really map what a specific company is doing, and that’s almost antithetical to what the cloud asks you for,” says O’Connor.

Manufacturers in particular have been hesitant to adopt ERP SaaS solutions, mainly because the ERP applications are so ingrained into their operations, says Surovcik of Grant Thornton. The level of software customization they require and the integration of ERP systems with manufacturing technology make it difficult for most cloud providers to compete with on-premises solutions, he says.

But Surovcik adds that manufacturers are “more than willing” to look to the cloud for services such as hosting back-up operations.

15Feb_SRCloud_p42bMeanwhile, companies in certain highly regulated industries have been avoiding cloud arrangements, says Surovcik, because of onerous compliance requirements. For example, the federal Health Insurance Portability and Accountability Act of 1996 requires certain companies and organizations in the health care sector to document and maintain control over anyone who has computer administrative access to patient data, which would apply to employees of cloud service providers.

Similarly, the U.S. Food and Drug Administration requires manufacturers of medical devices, pharmaceutical companies, and other businesses it regulates to adhere to certain standards about data recovery and access that would be controlled by a cloud provider.

Capex vs. Opex
In addition to evaluating cost savings and return on investment, one factor to consider in moving software or IT infrastructure to a cloud arrangement is a company’s view of capital expenses versus operating expenses, according to Peacock.

A company whose performance is measured by return on assets deployed is more apt to move assets off the balance sheet, which makes cloud arrangements more attractive, Peacock says. By contrast, regulated companies, such as utilities, are not interested in trimming fixed assets, which go into their base rate calculations. As a result, they may be more likely to hold on to their data centers and other IT infrastructure, but build out private clouds within those data centers to reduce operating expenses, Peacock says.

15Feb_SRCloud_p43aStart-up companies, with their limited capital budgets and uncertainty about scaling their business, are overwhelmingly likely to adopt SaaS versions of business process applications, Surovcik says. “It becomes a fairly easy decision for those companies,” he says. Why spend $250,000 or $500,000 on a financial or customer service system, he asks, if they can get the same functionality from a cloud-based provider for a fraction of the cost?

“It’s just becoming a rare instance when we’re seeing companies spend capital on servers and data center infrastructure,” says Surovcik. Cloud adoption is “approaching 100% in the upstart world, when a company is building a product or service that will be reliant on technology infrastructure. They’re using infrastructure-as-a-service and platform-as-a-service models.”

Cloud adoption really appeals to a company when it starts to focus on digital business, Gartner’s Lovelock says. “That’s when their need for massive-scale offsite computing is going to really start. Digital means coordinating with multiple partners in an open environment at large scale. It’s about making pennies from thousands of transactions, rather than making thousands of dollars from a few transactions.”

Only the Shadow Knows
Beyond financial considerations, companies should also study the cloud’s potential impact on staff productivity; security and privacy issues; and interdependencies, or how the cloud application will work with other applications, says O’Connor of the Hackett Group. CFOs also have to consider the business risks involved in dealing with the cloud service provider, data ownership and control issues, and the fate of the data when and if the cloud agreement ends.

15Feb_SRCloud_p43bLovelock also says the risk of lower-level SaaS deals doesn’t get enough attention, with many cloud arrangements made by employees without the knowledge or control of CFOs or chief information officers. Such arrangements are examples of so-called “shadow cloud services,” or “shadow IT.”

A sales department, for example, might buy Salesforce.com or Evernote. Other employees might buy CRM tracking software or executive compensation SaaS. The purchases can be hidden from the CFO in a department’s operating expenses, says Lovelock. CFOs should be aware of the accumulated risk that these deals can represent.

“There are terms and conditions and complexities within these SaaS deals that may not be addressed if the organization is signing these contracts without due diligence,” says Lovelock. “What happens if your SaaS company goes out of business? What happens to your data when the contract runs out? How do you import/export? Where are your costs; where are your data recoveries?”

Keith Button is a writer based in New York.