Businesses can reduce cost and mature their operations at a rapid pace by adopting off-the-shelf SaaS solutions, bringing automation to streamline ways of working. It’s a ‘win-win’ surely?

However, with this opportunity comes risk. The confidentiality of your data is a key issue, but so is the availability and resilience of the provider’s systems. Often it is difficult to peer behind the curtain of external providers.

Here are 5 considerations to help maximise value and minimise risk:


1. Make sure that the use case for the application is clear. Will it become a key part of your business from the outset?

The process often starts with a defined goal, which then quickly becomes either stretched or replaced. SaaS tools can often serve multiple use cases or offer extended features. While these extra modules or new uses you hadn't considered can also be business drivers, they can amplify existing risks or introduce new ones.


What to do:
- Validate which business services and processes the identified SaaS solution will underpin and support.
- Assess from the outset which capabilities are available, which are already being used, and what is still required.
- Check whether the capabilities already exist in other applications you use (functionality and cost).

What not to do:
- Assume that previous requirements are still valid; the intended use or business case might no longer be viable.
- Subscribe to more than what was originally identified as required, whether for extra perceived value or for short-term and introductory discounts.



2. Build effective procurement processes to enable safe and effective use of SaaS applications from day one.

While it can be tempting to on-board a new solution as soon as possible, this can quickly create unnecessary complexity.

By using the procurement processes and sticking to approved channels, you gain the extra benefit of confirming that those processes are still fit for purpose.


What to do:
- Engage with your procurement team early and ensure the path to progress is clear.
- Remind yourself of and validate the original business case at all stages of the procurement process.
- Suggest changes to the procurement process if it is not fit for purpose. The exercise must work for all parties involved.

What not to do:
- Be tempted to side-step official procurement channels to procure solutions quicker. Any short-term gain is likely to introduce unnecessary future complexity and risk.
- Only provide the anticipated solution and benefit without the supporting business case. A common understanding and context will enable much quicker progress.



3. Ensure that all teams involved in the lifecycle of a SaaS application are clear on their roles and responsibilities. RACI models provide clear delineation internally and with the supplier.

There will be many different implications to using a new SaaS tool in the business. Specialist subject areas such as security, privacy, legal, and technology will all require some form of assurance that the new SaaS supplier is right for your business.

Knowing up front who is responsible for which part of the process will ensure value is delivered quicker and risk is minimised. This starts with the effective procurement processes mentioned earlier, but with the acknowledgment that many areas of the business will need to be a partner.


What to do:
- Leverage the expertise of all parties involved.
- Identify any party that has no direct input or involvement; is their participation actually needed?
- Ensure everyone involved understands their role, and what is required of them.

What not to do:
- Assign ownership or responsibilities to teams or individuals who have not been involved in the process.
- Only focus internally and not with the supplier. They could have specific support in place to help you as a customer.



4. Perform assurance prior to fully on-boarding the new solution. Subsequent decisions are now informed by business risk.

Performing assurance activities upfront provides several benefits. Firstly, it provides validation: is the SaaS provider doing what they say? By scrutinising the internals and asking the questions that matter to your business, you will either be validated in your choice, or given the early opportunity to change course.

Identifying risk upfront allows you to decide how best to manage it going forward.


What to do:
- Work closely with internal stakeholders and the security team to define and agree expectations of assurance.
- Combine validated assurance (e.g. ISO 27001 certificates) with your own assurance activities for a fuller picture.
- Treat identified risk as a driver and not a blocker; it can now be managed commensurately, upfront and transparently.

What not to do:
- On-board the SaaS supplier relying solely on their certifications and accreditations.
- Perceive all risk as bad and avoid activities designed to identify it.
- Accept all identified risk, assuming it will either not materialise or can instead just be managed once the tool is live.



5. Ensure your Business Continuity strategy recognises the use of external applications. Do they represent a single point of failure?

Business Continuity plans are often updated annually, and are unlikely to capture changes in suppliers and third parties immediately. Within this slow annual cadence, tests will be predominantly focused on big internal critical components. Business Continuity governance and management will not always be linked to security priorities, and may have competing priorities of their own.


What to do:
- Identify the criticality of the SaaS application early, and understand the ability of the provider to deal with issues.
- Based on that criticality, work with internal Subject Matter Experts to define acceptable service and outage levels.
- Understand whether the current Business Continuity programme would encompass this new SaaS tool, or whether it would struggle to provide value in this context.
- Where a gap is identified, proactively define example scenarios where the new SaaS tool might cause issues if unavailable.

What not to do:
- Assume that because Business Continuity is already defined or tested, it automatically encompasses all areas and scope of the business.
- Assume that global means always available. Many cloud-based tools are hosted in only one region by default; redundancy often costs extra.

