CFOs and CIOs: How can you mitigate concerns when moving to the cloud?

Contents

• Review: How do you know when to reach for the clouds?
• Identify business objectives and use of technology to meet objectives
• How can cloud computing help reshape business objectives?
• From a risk perspective, is there data that is too sensitive for the cloud?
• What cloud service contract attributes deserve extra attention
• Navigating the clouds with altimeters and instruments

Review: “How do you know when to reach for the clouds?”

As many companies move some (or most) of their data to the cloud, many CFOs and CIOs grapple with the decision of what data to move and when to move that data. They have to weigh the relative benefits and costs of moving to the cloud. They also have to consider specific risks such as security and application risks, as well as process complexity and the degree of customization required.

Different industries and organizations will likely have varying propensities to put their data in the cloud. While information technology investments generally require a business case, the organizations that have a high propensity for using cloud computing technology will likely need to make a different business case not to use cloud. In other words, decision makers will likely have to selectively discourage on-premises information technology investments.

Cloud computing technology and SaaS applications can become a welcoming platform for innovation and the strategic use of technology for driving business value. This second whitepaper in our CFO Program series on cloud computing, “How can you mitigate concerns when moving to the cloud,” provides additional perspective to help CFOs and CIOs make decisions around what to place into the cloud, how to structure the relationship with the cloud service provider, and how to manage risks while operating in a cloud computing environment. It identifies potential deal breakers and enablers CFOs and CIOs should consider in this migration. The Four Faces of the CFO¹ can offer insights to answer the question “How can you mitigate concerns when moving to the cloud?”

1 Deloitte CFO Center — Four Faces of the CFO

[Figure: Four Faces of the CFO. The four faces are Catalyst, Strategist, Operator, and Steward; the remaining labels in the diagram are Finance function, Threshold performance, Leading edge, Execution, Efficiency, Control, and Performance.]

Identify business objectives and use of technology to meet objectives

There is an inter-relationship between business objectives, information, and technology. Organizations often find that defining business objectives and gathering the needed information to address those business objectives is only part of the solution. The organization should also make effective use of technology. It is a symbiotic relationship; technology should be used in accordance with the business’s objectives, but the business objectives should be informed by the technology.

Imagine an organization that would like to engage in a more robust customer relationship management (CRM) initiative. The current on-premises system is over 10 years old and most of the time is spent just keeping the on-premises system running. The current IT staff do not have sufficient additional time to add new features to the system, and the current hardware environment does not have much additional capacity. This is a time in which current technological alternatives in the form of cloud computing can inform the business objective of improving the CRM environment. Rather than needing additional hardware, time to write new code, and perhaps additional IT staff, the organization can use a cloud-based CRM environment. There is no extra cost for computers or staff; rather, the service is purchased. However, there are multiple issues that should be examined before an organization embarks on such an endeavor.

In a cloud computing environment, the organization obtains a service that might be cost prohibitive had that organization developed that service on its own. However, when examining the total cost of ownership (TCO) for a cloud service, the CFO and CIO should include consideration for increased risk, compliance and governance costs.

A SaaS or cloud application will likely provide new capabilities and agility for the organization at a lower price point than could be accomplished internally, but the TCO should include consideration for risk monitoring and compliance costs. Increases in capacity and flexibility usually come at a cost requiring new trade-offs between cost / flexibility / capacity and relative risk. If there is too much risk (e.g., potential for exposure of confidential data), the organization will likely not want to avail itself of the technology. Alternatively, if the benefits exceed the potential risks, the organization will likely want to use the new technology. The “risk appetite” of the organization may also differentiate the organization that uses these resources. Two virtually identical firms, when faced with the same choice, may choose different outcomes because one firm has a more conservative risk profile while the other has a more aggressive risk profile. Both firms have made valid decisions based upon their respective risk tolerances.

How can cloud computing help reshape business objectives?

As organizations consider cloud computing technology to meet their business objectives, there is an opportunity to redefine or advance objectives given the capabilities of cloud computing.

Some CIOs have identified cloud computing as a platform that elevates the value that information technology brings to the organization. Through the relative ease of creating new applications, and the ability for functional business employees to request or even create SaaS applications that help them meet their business objectives, cloud computing has strengthened the culture and functional ownership of how technology can further enable meeting business objectives. While introducing new technology can present risks to the organization, there is also a (potentially greater) possible risk of not allowing the technology that employees and functional leaders recognize will likely help them be effective. The organization risks being left behind from a technology perspective as well as an employee engagement and business capability perspective.

• “Cloud information tends to be easier to share.”
• “IT needs to provide easy to use tools, and to support mobility.”
• “This is a significant transition of how we think about IT.”
• “In some cases, there are dramatic cost advantages.”
• “We feel there is a temporary cost to support the transition.”
• “A big concern is availability to the application; if I don't have access to cloud, I can't do anything.”

CIOs and CFOs have found that cloud computing has opened the door to internal innovation. This has resulted in positive collaborative and motivational impacts to their organizations². From a catalyst perspective, cloud computing can help move the dial on employee engagement and cross-business collaboration. From a risk perspective, organizations should consider the risks of adopting cloud technology, and the risk of not adopting cloud technology, given the availability of the technology, and the implications on the organizational values.

2 Based on interviews conducted as part of Deloitte’s CFO Program Fellows & Scholars initiative, which connects Deloitte practitioners (“Fellows”) and professors from universities (“Scholars”) to develop CFO relevant insights and research.

From a risk perspective, is there data that is too sensitive for the cloud?

CFOs and CIOs have indicated varying levels of sensitivity to having their information in the cloud, or off-premises, rather than on-premises. Regulatory and industry considerations such as those found in healthcare and financial services become prevalent in the data location decision making. For other considerations, such as those stemming from the fear of others accessing content, an evaluation of the content by purpose can help clarify the decision about what data, if any, to move to the cloud. Whether using a value chain approach or other means to identify the purpose of data in the organization, CFOs’ and CIOs’ awareness of cloud computing capabilities can help them make informed decisions.

• Governance and compliance: Capabilities that support monitoring and validation of alignment with firm policies, establishing a governance model to determine compliance with regulations, establishing up-time targets conformity, proactively evaluating service demand and scaling to meet changes, monitoring service levels throughout the service lifecycle, and addressing poor performance.

• Risk, privacy and security management: Capabilities that support evaluating opportunities to determine a strategy that manages risk against, establishing guidelines about how, when and by whom personal data should be accessed, creating a disaster recovery plan and monitoring readiness, and developing policies and practices for how information assets should be accessed and used.

• Business operations: Capabilities that support the receipt and validation of sales quotes, creation of orders, supply chain response, and order fulfillment; the management of price-plans, the execution of core billing calculation engines, and the ability to handle billing inquiries; the setup and management of a channel strategy. Also includes capabilities needed to provide customer care and support, including the management of returns, renewals, upgrades and cross-grades, plus any required professional services.

• Technology architecture and infrastructure: Technical capabilities that are needed across the enterprise from basic email and messaging services, to collaboration and social media, identity management, content and master data management, through to integration services and business intelligence solutions as well as the underlying infrastructure.

• Service management: Capabilities to provide clear governance to manage the relationship between the service provider and the business consumer, and to create clarity around performance and service delivery expectations. Includes capabilities to align business needs with shared services capacity through effective demand management and resource planning and to focus on continuous improvement of services delivered.

• People and organization: Capabilities needed to manage the organizational shift to be cloud enabled including managing organizational change and design, planning workforce development, creating a talent acquisition and management strategy, and developing a communication plan.

Cloud Computing Service Provider Capability Map³

3 Deloitte Development LLC: Cloud Computing Service Provider CloudPrint Capability Map

What are potential SaaS “deal breakers”?

As CFOs and CIOs consider which data or applications should be placed into the cloud, they should determine if there are any “deal breakers.” It is likely that these deal breakers result from data characteristics, application characteristics, and contract terms.

• Are there any sensitive data that should not be placed into the cloud (at this time)? For example, should social security, bank account information, PCI data, HIPAA data, etc. be placed in the cloud? What legal restrictions exist across different countries in which you engage in commerce? Do any countries (or states) have restrictions upon the location in which cloud data are stored? Any of these items could be deal breakers that prevent the use of cloud resources.

• Are there any applications that provide competitive advantage (which would be lost) if a “generic” version of that application was provided in the cloud? While there is certainly the allure of using cloud applications for many tasks, e.g., customer relationship management, consideration should be given to how those cloud applications would interface with on-premise applications that are a source of competitive advantage.

• Are the terms of service associated with the cloud provider unacceptable? Click-through contracts are generally not acceptable to business organizations. Regardless, the contract should be carefully reviewed. A recent article has quoted terms from vendors that include “The SaaS vendor can suspend your right and license to use services, or terminate the agreement in its entirety for any reason or no reason, at its discretion at any time, with, at most, 60 days’ notice.” Or, with respect to indemnification, “Your company must indemnify the SaaS provider from all claims relating to your use of the vendor’s services, with no limits on liability.” (Computerworld, February 13, 2012, “Big SaaS Done Right,” Robert L. Mitchell).

In addition to the above risks (your organization might have different “deal breakers”), the chart below provides additional risk factors that should be considered when evaluating SaaS alternatives.

What are risk considerations while managing acquisition of Software as a Service (SaaS)?⁴

Privacy / Security
• On-premise computing: Are my access policies adequate? Do I have a granular enough procedure to grant access where it is needed and keep non-authorized users from gaining access? Do I have appropriate firewalls? Are my applications updated with vendor service packs in a timely manner? What is the risk of accidental disclosure? Are critical data encrypted? What is the risk of disclosure if “hacked”? What policies are established to mitigate any data disclosure? What are my backup and restoration policies and procedures?
• Cloud computing: All of the risks associated with On-Premise Computing plus the following: Am I sure that the multi-tenancy environment is secure so that other tenants cannot access my content? Does the provider have SOC/SSAE-16 types of assurance? What types of guarantees exist regarding data confidentiality? Data sharing with other service providers? If the data is marked for deletion, will it actually be deleted, including deletion from backup devices? If the cloud provider uses a third party cloud provider, what assurances do I have (e.g., a cloud application provider contracts with a cloud infrastructure provider for content hosting)? Can critical data be encrypted in transmission and for storage? Can the vendor logs be compared to my data logs? How does the cloud service interface with my on-premises security environment? Will the vendor comply with my backup and restoration policies and procedures?

Legal issues / Location of data
• On-premise computing: Generally not an issue; have complete control and ownership of the data and can control the location of the data.
• Cloud computing: Does the negotiated contract take precedence over click-through agreements? If the cloud provider uses a third party cloud provider, what contractual rights/remedies do I have against the third party? Can I specify that the data must remain in a certain domicile? Does the contract cost include number of users (how are they counted)? Amount of data stored (how is this counted – peak amount? Average? Amount at end of month?)? Volume of data transmitted (data entered into system? Data output from system?)? How is elasticity measured? What types of incident reports are provided?

Exiting contract with cloud vendor
• On-premise computing: Not an issue, however, have some similar issues with exiting contracts with on-premise computing providers.
• Cloud computing: How will the data get migrated to a new application? How much lead-time is required to let the vendor know that you are exiting? For the vendor to let you know the service is ending?

Support
• On-premise computing: What type of support? Who handles initial user support questions? When to escalate to vendor support?
• Cloud computing: Similar to On-Premise. What does the contract specify for the support received from the vendor? How is change management addressed? How much warning do users get before upgrades are applied? Can upgrades/maintenance be scheduled at my convenience? How does the cloud service interface with my on-premises computing environment?

Control
• On-premise computing: Data and computer systems under own control.
• Cloud computing: Computer systems under control of cloud provider. Data is likely physically controlled by the cloud provider. To what extent does the cloud provider have access to the data? Are the data formats and systems that need to interface with my systems compatible (i.e., are they interoperable)?

Governance
• On-premise computing: Traditional IT Control Framework
• Cloud computing: Who can contract for Cloud Services? How are Cloud services evaluated? Can (sub) units contract for Cloud Services without the involvement of central IT? How does the cloud service interface with existing IT infrastructure?

Type of expense / Usage monitoring
• On-premise computing: Generally need to know either number of users/seats but few, if any, other costs
• Cloud computing: Need to verify costs relative to contract terms, e.g., number of users (how are they counted)? Amount of data stored (how is this counted – peak amount? Average? Amount at end of month?) volume of data transmitted (data entered into system? Data output from system?)

Contingency: System failure
• On-premise computing: Are responsible for recovery in case of system failure. Might have lost data if appropriate backup and restore policies were not followed. Might need to call application or hardware vendor for service.
• Cloud computing: What has been negotiated in the service level agreement (SLA)? How is uptime computed? Are the data verified/audited? What are the penalties for SLA failures? How can I get my data back after a system failure? How can I run my business if there is a SaaS system failure?

Contingency: Vendor acquired
• On-premise computing: If the application or hardware vendor is acquired, can generally continue to use the software/hardware. Most vendors allow continuation of prior negotiated contracts. No loss of data.
• Cloud computing: What are my rights to terminate if the vendor is acquired? Can I access my data? How can I retrieve my data and transfer back to on-premises or to a different cloud provider? If I am on a month-to-month contract, what is the new fee structure?

Contingency: Vendor ceases
• On-premise computing: If the application or hardware vendor ceases to exist, must provide own maintenance on the product. Can continue to use application/hardware until new application/hardware is acquired. Generally no loss of data.
• Cloud computing: How do I get my data back if the vendor ceases to exist?

4 Risk considerations are based on research conducted as part of Deloitte’s CFO Program Fellows & Scholars initiative, which connects Deloitte practitioners (“Fellows”) and professors from universities (“Scholars”) to develop CFO relevant insights and research.

The risk considerations while acquiring and managing the transition to cloud computing have operator implications to manage the availability and use of data.

What cloud service contract attributes deserve extra attention

If you have decided that there is sufficient benefit to use the cloud services that outweigh the risks, how do you select a provider? How can you mitigate additional risks inherent in using an outsourcer? How does a cloud provider differ from a traditional outsourced service provider? For example, how does a cloud provider differ from, or resemble, an outsourced payroll service provider?

Much like entering any service provider contract, cloud service purchasers should consider the provider’s incentives and the governance in place for their cloud service provider. Among many contract considerations, there are three contract areas for cloud service purchasers to consider when evaluating cloud service providers.

• Evaluation Period: Does the cloud service provider offer an evaluation period to “try out” and test the service? What evidence can the cloud service provider provide to validate services?

• Monitoring Usage/Dynamic Provisioning: What mechanisms does the cloud purchaser have to govern usage and potentially change the number of billable users or seats based on usage? How will expense management work and who will be accountable for the use of technology resources (i.e., will it be functional business leads, IT functional leads)?

• Contingencies: In a potential system failure, what back-up plans exist, and who manages the back-up plans? If the cloud service vendor ceases operations, what will be the process for operationalizing information hosted by the cloud service provider?

Contract, governance, and contingency considerations have steward implications to help protect and preserve the assets of the organization.

Navigating the clouds with altimeters and instruments

The decisions that CFOs and CIOs make on the company computing environment are as much operating decisions as they are strategic decisions. With the acceptance of cloud computing becoming more prevalent, and in many industries becoming the de facto computing environment, decision makers should consider how cloud computing can transform their organization and redefine the strategic use of information technology. Fundamentally, with cloud technology capabilities and controls strengthening and the availability of such technology, there is a risk of not moving to cloud from a competitive perspective and from an employee support perspective. Technology enables the movement of data and decision making, and is the foundation of information and operations; not having what may be the most effective technology for getting the job done could leave some organizations behind.

There are tools and resources to help organizations navigate the decision and path to the cloud, and in the cloud. The Deloitte Cloud Computing Offering provides additional insights and tools including cloud business cases and a cloud risk intelligence map; navigation need not be opaque but can be guided with instruments to manage at different altitude levels and to help anticipate potential turbulence.

As used in this document, “Deloitte” means Deloitte Consulting LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Authors

• Ajit Kambil, Global Research Director, CFO Program, Deloitte
• Daniel Root, Manager, Deloitte Consulting
• Severin Grabski, Associate Professor and Senior Faculty Advisor for Instructional Technology, Michigan State University

For further information on the Deloitte Cloud Computing Offering, please visit www.deloitte.com and type “CloudPrint” into the search function.

Deloitte’s U.S. CFO Program supports the organization’s vision “to be recognized as the pre-eminent advisor to the CFO.” It harnesses the breadth of our capabilities to deliver forward thinking perspectives and fresh insights to help CFOs manage the complexities of their role, drive more value in their organization, and adapt to the changing strategic shifts in the market. For more information about Deloitte’s CFO Program, visit our website at www.deloitte.com/us/cfocenter

This article contains general information only and Deloitte is not, by means of this article, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This article is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this article.

Copyright © 2012 Deloitte Development LLC. All rights reserved. Member of Deloitte Touche Tohmatsu Limited