SaaS offers CIOs impressive options to reduce internal resources and expenses devoted to application maintenance, version updates and patching. These "activity-based costs" represent appealing targets for CIOs looking to reduce their overall IT spending -- once an existing application is moved to the vendor (or a vendor-sponsored host), the availability of internal staff and devices improves. The newly available internal resources are then free to be deployed toward other internal operation priorities.

Within midmarket companies -- a high-priority market segment for SaaS vendors delivering human resources (HR), payroll, accounting, e-commerce, and off-site data storage applications -- the related business activities are subject to varied legal compliance duties with which the customer must ultimately comply. Contracting with a SaaS vendor rarely, if ever, eliminates the customer's legal responsibility for the activities conducted by the vendor.

Ticking time bombs

Those making the SaaS business case often overlook the compliance-driven risks and costs associated with:

• Shifting to the vendor the creation, management and storage of information and records that are subject to compliance duties.
  
• The added contract complexity -- and management costs -- for negotiating appropriate controls, and overseeing vendor compliance and reporting.
  
  
• Corrective and preventive strategies to recover from vendor-based events that create legal compliance risks.
  

As a result, many SaaS services contracted under standard, vendor-developed contracts are ticking time bombs. They add significant compliance risks that the CIO never evaluated at the front end of the process and create new ongoing costs in oversight and incident response that can reduce the actual economic value of the deal.

Charting the path forward

For both existing and future SaaS services, here are some useful steps a CIO can execute to manage compliance risks:

• Create a map relating to the application or service that identifies:
  • The data each application or service creates or manages.
  • The known compliance duties that relate to the identified data. Remember, compliance duties can refer to access controls, the type of data (especially nonpublic personal information in payroll, HR, benefits and retail services), data retention and storage policies, and formal reports to management of any of the preceding.
  • The risks the company faces if the compliance duties are not performed.
  
  
  
• Define the services the SaaS vendor must provide (through the application or other services) to enable the CIO's company to meet its compliance duties and avoid those risks.
  
  
• Assure that all service agreements contain legal terms that impose responsibility for the required services on the SaaS vendor. Involve your lawyer in this step -- many CIOs avoid doing so, often creating more problems than they solve.
  • For new vendors, identify needed compliance terms in the request for proposal or request for information in order to avoid later "add-on" premium pricing to deliver required compliance services.
  
  
  
• Establish in the contract vendor monitoring, and audit and reporting controls (often modeled on internal audit and security control structures) to assure compliance services are performed.
  

Regulators are now reviewing SaaS service agreements in detail, to assure the deals do not diminish a company's compliance posture. Finding (and eliminating) the ticking time bombs can help a CIO better achieve his or her SaaS ROI and promote a better culture of compliance.

Next month: Master data management: Crossing the legal chasm of ignorance