Know the Business Continuity Risks and Solutions When Investing in SaaS

This blog post was authored by Elwin Bilkert - Associate Director, Protiviti Netherlands on Protiviti's technology insights blog.

We often hear our clients ask what steps to take to develop a Software as a Service (SaaS) strategy for IT environments. Both the CIO and business owners recognise the benefits of SaaS solutions, which are readily available and often focused on a particular business need. SaaS products are becoming more popular, and usage is expected to grow at a double-digit rate in the coming years, driven by increased adoption of cloud computing, mobile devices and digital transformation initiatives in most industries and geographic regions.

Why do we see this growth? Because these cloud-based services offer many benefits for both customers and providers, such as:

- Shortened implementation time as SaaS products are ready to use as soon as customers sign up. No complex installation or configuration is needed. Providers can update and improve the software without disrupting the service.
- Scalability as SaaS products can adapt to different levels of demand and performance, running on cloud platforms that automatically allocate resources to each customer. Customers can adjust users, features or storage as needed. Providers can use resources more efficiently and serve more customers with less infrastructure.
- Speed of innovation as SaaS products allow customers to access the newest features and functionalities without waiting for updates or upgrades. Customers can also learn from the feedback and best practices of other users. Providers can use data analytics and artificial intelligence to improve the user experience and offer customised solutions.
- Cost reduction — but buyer beware. SaaS products can reduce upfront and ongoing costs with no hardware maintenance, software licensing or installation costs.
Customers pay only for what they use and can scale up or down as needed. Providers can save costs by hosting multiple customers on the same infrastructure. However, license models can be unclear, lock-in can occur and cloud services need careful financial management.

Despite the benefit of SaaS solutions, organisations are wise to remain aware of the business continuity challenge.

When using SaaS, the provider must ensure that data and applications are always available, secure and working well. But things can go wrong, and risks that can harm the business may surface. It is important to check the provider’s reliability, security and reputation before buying their service and keep an eye on their performance and compliance. Additionally, ensure backup plans and emergency measures are available.

Business continuity risks

- Losing data: It may be possible to lose access to data because of a mistake, an attack or a provider bankruptcy. This can be detrimental for the business, as important information is lost or laws may be broken, resulting in greater risk of lawsuit exposure.
- Unauthorised access to data: Someone else may access data or applications without permission. This can be a hacker, a competitor or even someone who works for the provider that poses cybersecurity risks. This can be dangerous for the business, because they may steal secrets, damage reputations or impact operations.
- Not being able to use the service: It may be impossible to use the service because of a network problem, a power outage, a human error or provider maintenance. This can impact productivity, customer satisfaction and revenue.
- Support and maintenance issues: Not all SaaS providers are mature enough to handle business needs.
This may cause issues with the support and maintenance of the service, which can affect user experience, functionality and security.
- Lock-in: It may happen that the organisation becomes stuck with the provider (lock-in) as it is difficult to switch to another one once a system has been put in place. This can be because the service is not compatible with other services or because it is too expensive or complex to move data and applications. This can be very limiting for the business, as it reduces flexibility, choice and bargaining power.

Are there any countermeasures to support business continuity? Yes, of course. But it isn’t always straightforward and will depend on the possibilities the SaaS provider(s) offer. Different SaaS providers may have different levels of compatibility, interoperability and standardisation with other services or platforms. Some SaaS providers may offer more flexibility and customisation options for their customers, while others may limit or restrict them. Therefore, carefully evaluate the compatibility of each SaaS provider with existing or desired systems and processes before selecting one. Consider the potential costs, risks and benefits of customising those SaaS solutions if needed. Our advice would be to use them as out-of-the-box as possible.

Three solutions to support business continuity for SaaS services

- SaaS-backup seems to be the most obvious solution that involves the organisation creating and storing backup copies of data and applications on a regular basis. The backup can be done either manually or automatically, using various tools and methods and can be stored either on-premise or on another cloud platform.
This solution can ensure the availability and integrity of the customer’s data and applications, but it also has some challenges, such as resource consumption, security risks and data synchronisation.
- SaaS-escrow is an approach which involves a third-party escrow agent who holds a copy of the SaaS provider’s source code, data and documentation in a secure vault. In case the provider fails or goes bankrupt, the escrow agent can release the escrow materials to the customer, who can then continue to use the service or migrate to another provider. This solution can protect the customer’s access and ownership of their data and applications, but it also has some drawbacks, such as high cost, legal complexity and technical challenges.
- SaaS-guarantee fund is a new way of looking at things. It is based on a collective fund that is created and maintained by a group of SaaS providers or customers. The fund acts as an insurance mechanism that can compensate the customers in case of a provider failure or bankruptcy. The fund can also help the customers to switch to another provider or recover their data and applications. This solution can reduce the financial risk and increase the trust and confidence of the customers, but it also has some limitations, such as governance issues, regulatory compliance and fund sustainability. This approach is still a relatively new and experimental concept that has not been widely adopted or tested by SaaS providers or customers.
There are many challenges and uncertainties involved in creating and managing such funds, such as legal, regulatory, governance and financial issues.

Protiviti supports business continuity on SaaS services in various ways:

- Assessing current SaaS usage and identifying the critical data and applications that need to be protected from disruption or loss.
- Evaluating SaaS providers and their service level agreements, security measures, backup policies and recovery capabilities.
- Recommending the best business continuity solutions to fit the organisation’s SaaS needs, such as SaaS-escrow, SaaS-guarantee-fund or SaaS-backup. These solutions can help access, own or recover data and applications in case of a SaaS provider failure or bankruptcy.
- Implementing and testing the chosen business continuity solutions for SaaS services, ensuring they are compatible, reliable and effective.
- Providing ongoing support and maintenance for business continuity solutions, monitoring their performance and compliance and updating them as needed.
- Training and educating staff on how to use the business continuity solutions and follow the best practices for SaaS security and backup.

To learn more about our business continuity solutions, contact us.