Are you also reserving 15% for the management of Cloud Services?

In many organizations, the use and acquisition of cloud services are on the rise. What I observe is that organizations struggle with the management and governance of these services. This struggle is partly due to insufficient time and budget. 

In the context of outsourcing, it was commonly assumed that you needed to allocate approximately 15% of the outsourced value for internal management. This included roles like service level management, contract management, service management, etc. 

Cloud services are appealing. They are cost-effective and reliable. These qualities are inherent in the shared environment from which the services are delivered: a scalable IT environment where resources are shared, and a uniform service is provided. Another characteristic is that a cloud service doesn't necessarily have to be purchased through IT. Any department with a credit card and its own budget can subscribe to a cloud service. 

Can it now be argued that this means the 15% management overhead that organizations used to allocate for the oversight of these services is no longer necessary? 

This is not the case. A cloud service needs to be procured, contract terms need to be evaluated, and depending on the risk profile of the service and the type of data being processed, it needs to be actively monitored and managed. 

In recent years, it seems that these considerations have been overlooked, and cloud services have been procured and introduced without restraint. Both IT departments and business units have recognized the benefits of services like Office 365, Google Docs, cloud virtualization, and SaaS packages. Cost reduction, ease of implementation, and independence from internal IT service providers are frequently cited advantages. The roles involved in overseeing traditional IT outsourcing have shifted towards service portfolio management and demand bundling. 

In practice, we now see that companies, especially in the areas of risk management, privacy, and security, need to take action to mitigate the risks they face. Risks related to compliance with privacy regulations and risks related to continuity, availability, and confidentiality (data classification!) have been insufficiently considered. The reason for this is that the processes for acquiring cloud and SaaS services have often been conducted as if they were on-premise applications. 

Another significant reason is that cloud is also in the spotlight within legislation and regulatory bodies. IT plays a limited role in this regard since they are often not the owners or administrators of the application or contract. 

In addition, when delivering functionality from a private data center, all prerequisites are already contractually defined. Matters related to reporting, backup and recovery, data protection, exit clauses, etc., have already been addressed and do not need to be reconsidered. In a landscape with many small but critical cloud services such as SaaS solutions for finance or HRM, the same conditions must be ensured and monitored for each agreement. 

Many organizations do not know how much cloud they are actually consuming and lack insight into risks and the manner of governance. This is partly because the shift in how cloud is procured and delivered has not yet been translated into the roles and functions within the organization. 

Besides the necessity to explicitly consider risk mitigation and compliance with laws and regulations when procuring cloud services, it is advisable to continue to allocate a 15% overhead for management, but from different areas within the organization, with different roles and competencies, with a focus on architecture, contract management, risk management, and compliance, rather than service management. 

Highberg has extensive experience in issues related to the Cloud. Therefore, please contact us. We are happy to assist you!