Issues and trends: Assessing and managing SaaS risk
SaaS Risk Survey 2011

Serving your software business

Grant Thornton LLP’s Software practice provides a full range of services to clients in the software sector. Our Software professionals in the United States, assisted by Grant Thornton International Ltd member firms around the world, possess comprehensive industry understanding and second-to-none business and financial knowledge to help your software organization fulfill its strategic objectives. Our skilled professionals will work closely with you to help you meet today’s needs and anticipate tomorrow’s challenges.

For additional information about how Grant Thornton can help your software organization maximize its success, please contact a member of our national Software team:

Ralph Nefdt, National Software Sector Leader, T 415.365.5452, E ralph.nefdt@us.gt.com
Will Choi, Mid-Atlantic Region, T 703.761.7720, E will.choi@us.gt.com
David Pansing, Central Region, T 214.283.8184, E david.pansing@us.gt.com
Mike Schamberger, Midwest Region, T 312.602.8760, E mike.schamberger@us.gt.com
Mark Greeff, Southeast Region, T 404.475.0040, E mark.greeff@us.gt.com
Mike Rebholtz, West Region, T 408.346.4333, E mike.rebholtz@us.gt.com
Tim Zingraf, West Region, T 415.318.2300, E tim.zingraf@us.gt.com
David Lewandoski, Northeast Region, T 617.848.4839, E david.lewandoski@us.gt.com

Contents
1 Executive summary
2 Overview of findings
5 Survey demographics
6 Assessment of risk and risk practices
7 Assessment of financial risk
9 Assessment of operational risk
12 Assessment of compliance risk
14 Assessment of risk management strategies
15 Conclusion

Acknowledgements

We gratefully acknowledge Grant Thornton’s authors of this publication: Ralph Nefdt, national Software sector leader; Danny Miller and Jeff Spivack, Business Advisory Services principals; and Stephen McGee, Corporate Finance practice leader. In addition, we would like to thank Jeff Kaplan, managing director of THINKstrategies, for his contributions to this survey. We would also like to thank the many members of Grant Thornton’s Software sector team for their daily leadership in and contributions to the software sector.

Executive summary

Responding to interest among software as a service (SaaS) providers in detailed information about risks pertinent to the sector, Grant Thornton LLP conducted this survey in the winter of 2011. Our goal was twofold:
• Help fill the need for quantifiable data regarding the nature, extent and mitigation of risks in the SaaS sector
• Provide business-focused analysis of that data, drawing on the extensive technology and risk management experience held by Grant Thornton professionals

The process of gathering, analyzing and reporting on our findings has been exciting because of the value we believe this information contains for boards, CEOs and other C-suite executives, and leaders within SaaS companies. We believe that this survey report will be useful to both pure-play SaaS providers and traditional software vendors that have SaaS offerings. Its greatest value lies in helping corporate leadership understand — and take steps to mitigate — three specific types of risk in the SaaS sector:

Financial risk — All companies share certain financial risks such as the external market risks posed by competition and the internal challenges of maintaining adequate capital for growth and development. As relatively young businesses, SaaS companies face unique financial risks — notably how best to develop sustainable revenue- and sales-generation models given the rapidly evolving technological landscape.

Operational risk — SaaS services require 24/7 operability backed by vigilant observation and the execution of highly effective business continuity plans. To protect their reputations, organizations demand the highest caliber of data management and security protocols. For almost any SaaS company, scalability is critical to a viable future.
Compliance risk — Companies are burdened with national and global compliance requirements that are increasingly complex — often too complex for most organizations to understand or manage on their own. For that reason, companies frequently overlook or minimize the value of critical control and efficiency practices, including SSAE 16 audits (formerly known as SAS 70 audits), ISO certifications, SysTrust audits and other standard industry compliance tools. Implementing the right set of compliance controls is not only crucial for meeting regulatory standards, but can also enhance an organization’s efficiency, control processes and market credibility.

This report presents both an overview and a detailed analysis of Grant Thornton’s survey findings. In the overview, readers will gain insight into (1) the key reasons behind respondents’ bullishness about the SaaS sector; and (2) broad concerns related to financial, operational and compliance risk in the industry. In the detailed analysis, we will look at respondents’ attitudes toward specific types of risk within each of the three categories. Readers will also benefit from Grant Thornton professionals’ high-level guidance and observations; we will recommend approaches that we believe to be effective in mitigating financial, operational and compliance risk.

The majority of our respondents were CEOs, other C-suite executives, or board members at companies that have SaaS offerings. We hope that readers will gain insight from our analysis of the responses in this survey. We further hope that this insight will help readers drive the implementation of best practices.

One final point: In running various cross-tabulations on different subsets of data, we encountered notable differences between pure-play SaaS providers and traditional software vendors that have SaaS offerings. Readers will find these differences addressed throughout this survey report.
Overview of findings

The SaaS sector is no longer in its infancy. In November 2010, the leading SaaS company — Salesforce.com — estimated that its revenues would total $1.6 billion for FY 2011, a 30% increase over 2010 revenues. Salesforce.com also reported a 20% year-over-year increase from 2009 in its number of customers — now 87,200 — along with record quarterly revenues of $429 million and projected 2012 revenues reaching as much as $2 billion.

Salesforce.com may be at the front of the pack, but it’s a very big pack indeed. THINKstrategies’ Cloud Computing Showplace (www.saas-showplace.com) lists more than 1,300 cloud vendors, including SaaS providers, in more than 80 application and industry segments. THINKstrategies estimates that there could be two or three times that number of companies operating in this space worldwide. The number of new, fast-growing, pure-play SaaS providers is climbing, and that number doesn’t include major traditional software vendors — such as Microsoft, Oracle and SAP — that have SaaS offerings.

The drivers of SaaS growth are manifold. Almost all of them are due to the industry’s ability to generate meaningful, sustainable, business-oriented innovations using an efficient delivery model that reduces total cost of ownership (TCO) for software users. Facing unprecedented market challenges, few industries today can report this type of upswing, and few observers are as bullish about their future as the participants in this survey appear to be. However, a word of caution is in order: The relative youth, diversity and as yet loosely defined nature of the SaaS industry all pose risks for those who participate in or support it.
The lack of a clear set of criteria to define SaaS has opened the door to a formidable number of players offering a wide array of hosted software services that vary greatly in their functional capabilities and measurable benefits. This has created intense competition along with customer confusion. Such volatility threatens the success of SaaS vendors that have little industry experience, poor visibility and limited financial support. And SaaS companies’ financial strains are compounded by the revenue recognition model employed in the industry and the incremental way in which many customers procure software services.

Research findings: Well-grounded optimism

The knowledgeable professionals in Grant Thornton’s Technology Industry Practice have been interested in the SaaS sector since its inception. We have worked with businesses in the sector as it has attained a place of prominence. We have listened, learned, developed our skills, and tailored our services to the industry. We have built lasting relationships with SaaS clients and analysts who have shared their knowledge and vision with us.

As professionals who have been observing the SaaS sector for several years, we are encouraged by many of the responses we received from industry participants. Figure 1 provides a compelling snapshot of respondents’ bullishness. That optimism appears to be well-grounded in light of several trends emerging over the past half-decade: the escalating prominence of the Internet as a primary (and secure) connectivity tool, the continuing pressure on businesses to do more with less, and the diminishing appetite among corporations for investing in technology that will rapidly become yesterday’s news. Evidence in the field is mounting that unlike many here-today-gone-tomorrow technology trends, SaaS is an industry advancement with legs.
Figure 1: Survey respondents: Bullish on SaaS (share of respondents who strongly agree or agree with each statement: SaaS has a strong future; SaaS is more cost-effective; SaaS uptime is as good as in-house; SaaS apps scale better than in-house; SaaS providers offer greater tech expertise)

But the question for any young industry is how to build initial success into long-term sustainability. Given the turbulence of the technology sector in particular, all tech companies — no matter how successful — struggle with key challenges such as high-speed change, the need for continuous innovation, an overcrowded and unpredictable competitive landscape, and the need to achieve consistent profitability over the long haul. This survey sheds light on how SaaS executives can meet these challenges.

Research findings: Areas of risk and concern

Despite their overall bullishness, many executives responding to our survey believe that the industry could do better:
• Thirty-four percent of respondents indicate that SaaS compliance management systems are no better — or are worse — than in-house compliance systems.
• Thirty-eight percent of respondents find that SaaS risk management practices are no better — or are worse — than risk management practices developed in-house.
• Sixty-three percent of respondents believe that the SaaS sector needs to improve its credibility.
• The vast majority of our respondents do not use standard risk management practices such as ISO 27001 certification or SSAE 16 (formerly SAS 70) or SysTrust audits — even though many respondents say that these practices are important.

In the survey, respondents were asked to rate the overall importance to their business of three risk categories: financial risk, operational risk and compliance risk.
Respondents then took a deeper dive into each category by rating the importance of specific subcategories of risk. Three-fourths of respondents rate operational risk as highly or extremely important to their business, and nearly 69% give the same ratings to financial risk. Yet only 49% ascribe the same level of importance to compliance risk. Clearly there is room for improvement, particularly when it comes to managing compliance risk, as Figure 2 illustrates.

Figure 2: Importance of risk to business*
Risk category | Not at all/NA | Somewhat important | Highly important | Extremely important
Financial risk | 9% | 23% | 34% | 35%
Operational risk | 9% | 16% | 42% | 33%
Compliance risk | 15% | 36% | 28% | 21%
*Responses may not total 100% due to rounding.

As representatives of a public accounting and business advisory firm with long-standing experience in many areas of risk management — such as helping clients maintain compliance via standard quality control tools — we are somewhat concerned to see that compliance risk is rated so weakly. In our work across industries, we have found that many companies do not appreciate how crucial it is to address and manage compliance risk. It is not uncommon to find companies that are unaware of some of the compliance standards they are required to follow — or would be wise to follow even in the absence of regulatory mandates.

This tendency is more prevalent in younger or smaller organizations. The data shown in Figure 3 bears out this hypothesis, showing that in general, smaller and younger pure-play SaaS providers are significantly less concerned about compliance risk than are the more established traditional software vendors that operate in the SaaS sector.

For many young companies, early success is not necessarily a barometer of consistent long-term profitability.
As businesses mature, diversify their product offerings, add customers and personnel, and become more financially complex, they typically require greater standardization and more robust control systems. Our experience suggests that most growing companies reach an inflection point at which a looser entrepreneurial structure must yield to a somewhat stronger emphasis on structure, stability, sustainability, and compliance with industry and operational standards. Judging from the responses of our survey participants, many SaaS companies have reached such an inflection point. However, not all of them may understand the implications and challenges of this evolution.

As readers move through the detailed analysis of our survey data, they will find a more comprehensive discussion of various types of financial, operational and compliance risk. We have been careful to present data objectively so that SaaS executives can draw their own conclusions. In addition to analyzing the survey data, we conclude the sections on financial, operational and compliance risk with guidance and recommendations pertaining to effective risk management.

Figure 3: Importance of compliance risk to business
Rating | Traditional software vendors | Pure-play SaaS providers
Extremely | 21% | 20%
Highly | 37% | 24%
Somewhat | 32% | 42%
N/A | 5% | 4%
Not at all | 5% | 10%

Survey demographics

Grant Thornton conducted this online survey in the winter of 2011 with pure-play SaaS providers and traditional software vendors that operate in the SaaS sector. Our primary targets were C-suite executives and board members; we received responses from 121 individuals.
Participant titles and organizational types and sizes were as follows:
• C-suite executives (CEOs, CFOs and CIOs) and board members represented 55% of respondents.
• Pure-play SaaS providers comprised 62% of respondents.
• Traditional software vendors pursuing a SaaS strategy totaled 22% of respondents.
• Companies with revenues of $50 million or less represented 82% of respondents.
• Small firms that were in the prerevenue stage or that had revenues of less than $1 million totaled 25% of respondents.
• Beyond participation from US-based companies, our survey reflects input from companies headquartered in Canada, Ireland, the Netherlands, the UK, India, Italy, Belgium, the Czech Republic, Turkey and South Africa.

When it comes to revenue, there is a notable difference between pure-play SaaS providers and traditional software vendors: More than one-half of pure-play SaaS respondents report annual revenues of $5 million or less, while 62% of traditional software vendors cite revenues exceeding $5 million. (See Figure 4.)

Figure 4: Revenue variation between pure-play SaaS providers and traditional software vendors
Group | Revenue <$5M | Revenue >$5M
Pure-play SaaS providers | 58% | 42%
Traditional software vendors | 38% | 62%

Assessment of risk and risk practices

Roughly 60% of our survey questions focused on issues of risk in the SaaS industry. We asked respondents to rate the relative importance of three overall categories of risk: financial, operational and compliance risk. Then we asked respondents to rate specific types of risk within each category.

Figure 5: Respondents categorizing risk as highly or extremely important (financial risk, operational risk and compliance risk; pure-play SaaS providers versus traditional software vendors)

Following are the specifics:
• Nearly 69% believe that financial risk is highly or extremely important.
• Three-fourths of respondents rate operational risk as being highly or extremely important to their business.
• Just under half — 49% — ascribe the same level of importance to compliance risk.

When we looked at how pure-play SaaS providers assessed risk as compared with traditional software vendors, we discovered some noteworthy differences: Across all risk categories, respondents from traditional information systems (IS) software vendors, which are generally larger organizations, assign risk considerably more importance than do respondents from pure-play SaaS providers. (See Figure 5.)

Assessment of financial risk

We asked respondents to rate four types of financial risk:
• Funding for SaaS businesses
• Sales model risk
• Client-side cash flow
• SaaS competition

Collectively, these risks address internal financial considerations (cash flow needed to launch, grow or sustain a business; the effectiveness of the business’s sales model) and external considerations (cash flow needed to deliver pay-as-you-go SaaS offerings; the competitive landscape). Looking at overall responses (Figure 6), we found that internal risks — funding the business and sustaining it through an effective sales model — rate as the most important financial concerns of our respondents, followed closely by the risks posed by the need for optimal client-side cash flow.

When we cross-tabulated this data, we found two notable differences between pure-play SaaS providers and traditional software vendors, as illustrated in Figure 7. These differences reflect the varying ways in which respondents from these two groups view the risk of funding SaaS businesses and the risk of competitive threats. In both cases, smaller pure-play SaaS providers appear more confident about the industry and their organizational performance than traditional software companies do.
We will return to this point throughout our analysis of the survey findings.

Figure 6: Respondents rating risks as highly or extremely important (highly important versus extremely important, for funding SaaS, sales model, client cash flow and competition)

Figure 7: Respondents rating risks as highly or extremely important (pure-play SaaS providers versus traditional software vendors, for funding SaaS, sales model, client cash flow and competition)

Most strikingly, while 44% of respondents view competition as a highly important risk, none of them regard it as extremely important — and on the whole, respondents rate competition as the least important financial risk they face. Given that the industry has several thousand SaaS providers, it is surprising that no one rated risk from competition as extremely important. One possible explanation is that the breadth of the competitive landscape is not well understood at this point — and that lack of understanding is a risk in and of itself. Or it could be that other financial risks — especially those related to funding and sustaining the business through effective sales models — dominate the concerns of most SaaS providers.

Meanwhile, one additional data set illustrates this point. The following chart shows nearly 10% more confidence among pure-play SaaS providers in the financial value of SaaS offerings:

Survey question | Pure-play SaaS providers that agree | Traditional software vendors that agree
Regarding total cost of ownership, SaaS applications are more cost effective than in-house applications. | 83.0% | 73.8%

Thoughts from Grant Thornton on managing financial risk

Capital is the lifeblood of any software company. The ability to scale rapidly is often dictated by the amount of available capital, meaning that businesses should think strategically about their capital needs in the short, medium and longer term.
In the absence of available capital, consolidation often becomes the alternative — selling the business or merging it with another entity to achieve scale. It is critical that businesses not only think strategically about their capital structure, but also maintain a constant state of transaction readiness. The ability to secure new capital and the ability to attract a merger partner are to a large extent driven by the same factors. Here are five things that should always be top of mind:

1. Get your company’s house in order — Make sure that contracts are current, licenses and patents are up to date, and any litigation is being addressed. If there are skeletons in the closet, the time to clear them out is before entering discussions about mergers or raising capital. Valuation is, at its most basic, a future cash flow stream discounted by a risk-adjusted discount rate. The more perceived risk in a business, the higher the discount rate and the lower the value.

2. Get the business firing on all cylinders — Buyers will be looking at trailing 12-month revenues and EBITDA; for this reason, these should be maximized. For example, discretionary spending is a category of expense that often contains low-hanging fruit that can be eliminated or reduced with an immediate impact on EBITDA. A word of caution, however: Don’t skimp on necessary business expenditures, because buyers will see through that tactic. If the roof is leaking, fix it; if you don’t, prospective buyers will wonder why you can’t afford the repairs.

3. Get focused on the future — Many privately held businesses spend most of their time acting tactically in the here and now and not enough time thinking strategically about the future. Some businesses don’t have a 12-month budget, let alone a five-year projection. Think about the opportunities ahead for your business and ways to capitalize on them.

4. Get serious about succession — Most buyers like to see sellers stick around for at least a year following a transaction. If the selling shareholders are active in and critical to the business, this transition period may be longer, or the perceived risk associated with the purchaser’s dependence on the seller could be reflected in a lower valuation. Again, the time to identify and develop successors within or outside the organization is before merger or acquisition talks begin.

5. Get audited — It can be hard to quantify what impact an audit can have on a business valuation, but even so, companies looking to participate in M&A activity should have audited financial statements at the ready: Buyers and investors generally take significant comfort from financial statements that have been subjected to the scrutiny of an independent audit.

Assessment of operational risk

For most respondents evaluating overall types of risk, operational risk posed the greatest concern, followed closely by financial risk. Compliance risk was a distant third in terms of its relative importance. Respondents rated the importance of four types of operational risk:
• Scalability risk
• Service availability risk (i.e., system uptime)
• Customer service risk
• Data security risk

Figure 8 shows the relative importance of these operational risks. Looking at the responses, we found a relatively even distribution among the ratings of all types of operational risk: Roughly 40% to 45% of respondents rate these risks as not at all important or only somewhat important, while 55% to 60% of respondents describe them as being highly or extremely important.

Examining responses from pure-play SaaS providers versus traditional software companies (see Figure 9), we found dramatic differences between the two groups with respect to their assessment of operational risk: Pure-play SaaS providers are significantly less likely to be concerned about risk than traditional software vendors are.
The reason could be that pure-play SaaS providers are generally smaller, younger companies that take a more entrepreneurial attitude toward operational risk. Or it could be that with smaller operations than traditional software vendors typically have, pure-play SaaS providers have systems that are inherently less complex and therefore less risky. But in our view, the most likely explanation comes down to higher levels of confidence among pure-play SaaS providers about their organizational performance.

Figure 8: Assessment of specific operational risks among respondents*
Risk | Not at all/NA | Somewhat important | Highly important | Extremely important
Scalability | 18% | 26% | 34% | 22%
Service availability | 18% | 21% | 32% | 30%
Customer service | 10% | 30% | 34% | 26%
Data security | 15% | 22% | 25% | 37%
*Responses may not total 100% due to rounding.

Figure 9: Respondents rating risks as highly or extremely important (pure-play SaaS providers versus traditional software vendors, for scalability, service availability, customer service and data security)

The following chart shows enormous differences in how pure-play SaaS providers and traditional software vendors feel about their operational robustness:

Survey question | Pure-play SaaS providers that agree | Traditional software vendors that agree
My organization is fully capable of helping customers manage SaaS risks. | 87.2% | 50.1%
SaaS uptime is as good as in-house application uptime. | 87.2% | 59.9%
SaaS applications can scale up better than in-house applications can. | 91.5% | 56.3%
SaaS data is as secure as in-house data. | 83.0% | 31.3%

When we look at the question of data security from the other end of the spectrum — that is, when we tabulate the percentages of respondents who believe that SaaS data is not as secure as in-house data — the results are equally striking:
• Nearly 9% of pure-play SaaS providers believe that SaaS data is less secure than in-house data.
• Just over 31% of traditional software companies believe that SaaS data is less secure than in-house data.

Pure-play SaaS providers show tremendous amounts of confidence in their ability to provide what customers want — secure data, scalability, system availability, and management of SaaS risks. By contrast:
• fewer than 60% of traditional software vendors believe that the availability and scalability of SaaS offerings are at least equal to those of in-house systems,
• only one-half of traditional software vendors believe that they are fully capable of helping customers manage SaaS risks, and
• fewer than one-third of traditional software vendors find SaaS data to be as secure as data gathered or stored in-house.

Thoughts from Grant Thornton on operational risk

Operational risk can present immediate danger to one’s business and any other party that depends on that business to remain up and running — including customers, clients, vendors, partner organizations and sometimes government agencies. In fact, external evidence suggests that the issue of operational risk is a key concern for SaaS customers (see “A concluding note about obstacles to enterprise adoption of SaaS offerings,” page 16) and is one of the barriers to widespread adoption of the SaaS model.
Nevertheless, skilled management of operational risk through such measures as business continuity and disaster recovery plans can minimize or prevent negative effects on a business and improve its financial performance and its relationships with customers. Risk management approaches and processes should address the following categories of operational risk:

1. Data security — SaaS providers are in the business of data creation, storage and transmission. Every company should know exactly what data it creates, stores and transmits. Further, organizations should know not only what data their transaction partners create, store and transmit, but also how their partners create, store and transmit it. Companies should audit controls such as data segregation practices, roles-based data access practices, and password procedures. SaaS providers can thus lay the groundwork for the effective mitigation of risks with respect to both in-house and third-party data.

2. Availability — In today’s world of 24/7 transactions, system uptime is critical across a series of players, and the rules of engagement are established by contractual agreements between providers and their customers. In order for organizations to maximize data availability, every contract should provide for adequate business continuity planning, which should include robust disaster/data recovery procedures.

3. Operating level agreements — An operating level agreement (sometimes known as a service level agreement, or an SLA) should be clearly governed by the contract between the provider and the customer. An operating level agreement is a contractual tool that benefits both parties in the contract and the businesses they serve.

4. Fraud prevention — The emergence of cloud computing has had a particularly strong impact on SaaS providers and others in the data transfer stream. A fraudulent interception of data at any point could have significant effects for any (or every) company that is part of the data stream. It is essential for businesses to verify that the companies with which they work have and use the highest grade of encryption system.

5. Complexity — Because of the way data is shared and analyzed, and ultimately used in business decision-making, providers and clients need to be aware of how shared data is used on both sides of the equation. For example, clients may capture data from a SaaS provider at one moment in time and use that data in business decision-making at a later date. Prudent operational risk management requires both client and provider to be cognizant of such considerations.

6. Data integrity — Maintaining data integrity through careful reporting is an essential aspect of managing the risk of data complexity. Reporting tools can be developed in-house on the client or provider side, they can be canned (as in an off-the-shelf CRM application), or they can be a hybrid of the above. In order to verify that data is being manipulated consistently, organizations should create baseline client-side and provider-side reports early in the relationship and provide periodic updates throughout the engagement.

Assessment of compliance risk

In the overview, we presented a fairly extensive analysis of SaaS compliance risk issues. Our major conclusion was that many SaaS companies — not only pure-play SaaS providers, but also traditional software vendors — might benefit by strengthening their compliance with industry and regulatory standards. We believe that adhering more closely to established standards and quality control procedures can:
• improve an organization’s operations, service and data quality;
• increase the organization’s credibility in the market; and
• help the organization mitigate the financial risks that can arise from suboptimal compliance.

Figure 10 reflects the relative values that our respondents assign to various types of compliance risk.
Two items are particularly noteworthy. First, very few respondents perceive any type of compliance standard as being extremely important to their business. Second, the type of compliance most often rated highly important is not compliance with governmental regulations but compliance with industry standards.

In order to dig deeper into how our respondents evaluate and use specific compliance and quality control measures, we asked each respondent to tell us which types of measure his or her company uses (or does not use) and whether that measure is important. Figure 11 captures those findings, and a simple way of reading the chart is through its color coding:
• Together, the blue bars show the percentage of respondents whose companies use the measure. (For example, fewer than 25% of respondents use SysTrust audits.)
• The green bars show the percentage of respondents whose companies do not use the measure. The darker green bar is perhaps the most telling: for every type of quality control or compliance measure, that bar shows that a significant percentage of respondents believe the measure to be important but nevertheless do not use it.

Figure 10: Assessment of specific compliance risks among respondents*
Risk types rated: Compliance with U.S. financial regulations; Compliance with other U.S. regulations; Compliance with industry standards; Compliance with international regulations.
Rating scale: Not at all/NA; Somewhat important; Highly important; Extremely important.
(The chart's individual percentages did not survive extraction in a form that can be reliably attributed to specific cells and are omitted here.)
*Responses may not total 100% due to rounding.

Figure 11: Value and use of quality control/compliance standards and practices*

Practice                   Use; important   Use; not important   Do not use; important   Do not use; not important
SAS 70 audits              50%              5%                   22%                     23%
SysTrust audits            20%              1%                   27%                     52%
ISO 27001 certification    23%              9%                   26%                     42%
Customer audits            60%              5%                   21%                     14%
SLAs                       82%              1%                   9%                      8%
Customer feedback          88%              8%                   4%                      (not shown)
Working with consultants   72%              7%                   12%                     10%

*Responses may not total 100% due to rounding. The last two columns of the SysTrust row and all four values of the ISO 27001 row were recovered from a garbled chart; their column assignment is inferred from the row totals.

As we have said elsewhere, tightening quality controls and compliance measures appears to be a significant opportunity for SaaS providers to improve their operations, service, data quality and credibility.

Thoughts from Grant Thornton on managing compliance risk

It is no surprise that some organizations, particularly SaaS providers, are not making optimal use of compliance as a vehicle to improve organizational efficiency and quality, or to strengthen market credibility. The reason is that there are so many shapes and sizes of compliance requirements and voluntary measures that organizations are not sure where to turn or what makes sense. Indeed, the survey questions hint at an intimidating number of ongoing requirements. In addition, many companies face new service organization control reporting standards such as SSAE 16 (which replaces SAS 70 in the United States) and ISAE 3402 (the international equivalent of SSAE 16). Given that many companies must adhere to even more requirements, such as those associated with SOX 404, it is no wonder that compliance costs can be burdensome, and that many executives want to figure out how to minimize their cost of compliance while still complying. However, taking a negative view of compliance measures can mean overlooking the fact that their underlying goal is to help organizations rise to the next level of control and credibility. Companies are acting with the best of intentions, but the complexity of the compliance puzzle is such that many organizations cannot effectively or efficiently assess their compliance risk without the assistance of outside professional counsel.
Assessment of risk management strategies

A key objective of conducting this survey was to understand how SaaS providers assess and respond to various types of risk. Having captured that data, we were also interested in identifying (1) the degree to which our respondents are following risk management programs within their companies, and (2) the types of risk that companies devote most of their attention to. We saw no significant differences among respondent groups.

Overall, we found that 39% of companies surveyed do not have a formal risk management program. Where such programs do exist, those at 96% of respondent companies address operational risk. Those at 83% address compliance risk, while those at 61% address financial risk. Figure 12 illustrates the specific risk subcategories that respondent organizations are most focused on.

Figure 12: Types of risks respondents focus on*
Sales model 47%
Data security 41%
Funding SaaS 35%
Client cash flow 35%
Service availability 31%
Customer service 28%
Scalability 18%
Compliance with nonfinancial U.S. regulations 14%
Compliance with industry standards 13%
Competition 12%
Compliance with U.S. financial regulations 12%
Compliance with international regulations 10%
*Respondents were able to select more than one answer.

Conclusion

There is ample evidence to suggest that SaaS is a growing sector within the technology industry. Although it is young, the SaaS sector appears not to be a here-today-gone-tomorrow technology trend, but rather a technology and business model whose time has come.
The ongoing development, evolution and success — not only of the SaaS sector, but of every player in today's market — are dependent on a number of variables such as:
• continued technical advancement, robustness and adoption of the Internet (specifically cloud computing) as a viable means of data and technology transfer;
• continued innovation among SaaS providers regarding technological advancements;
• continued development by SaaS providers of business and service models that maximize the value of Web-based data interaction; and
• increased attention to financial, operational and compliance controls, especially among pure-play SaaS providers as opposed to traditional software vendors.

A concluding note about obstacles to enterprise adoption of SaaS offerings

In developing this survey report, we looked at other industry research to supplement our findings and data analysis. One report has been especially useful: the April 2009 Cutter Benchmark Review on SaaS and cloud computing. The underlying thesis of the report is that "SaaS and cloud computing are here to stay — not just another overhyped technology trend." These are the words of Cutter Senior Consultant Jeff Kaplan (who is also managing director of THINKstrategies). However, the Cutter Benchmark Review includes some important cautionary data. Most compelling, in our view, are the reality checks regarding the types of SaaS services that are most — and least — sought-after in the marketplace. Cutter reports a sharp divide between the types of applications procured most often from SaaS providers and the types of applications procured least often. Cutter divides SaaS applications into three types: (1) core applications, (2) departmental applications, and (3) transversal applications.
Core applications address the core competencies of the corporation overall. Departmental applications serve departmental needs such as CRM systems for sales departments. Transversal applications address cross-departmental organizational functions such as management development, learning and training, among others. The following chart shows marked differences in corporate adoption of these classes of SaaS applications:

Application class           Adopted or planned for adoption   Not suitable for adoption/not applicable
Core applications           56%                               44%
Departmental applications   73%                               27%
Transversal applications    70%                               30%

Cutter speculates that the adoption of SaaS applications for core business functions may increase as SaaS applications become more customizable and the industry matures. From our point of view, these varied adoption rates may also result from the credibility gap noted by many of our own respondents. If 63% of them believe that the SaaS sector needs to improve its credibility, it is easy to understand why many potential customers are hesitant to outsource their most important business functions to SaaS providers. Nevertheless, with SaaS applications making significant inroads at corporations, the door appears to be open for greater opportunity. SaaS providers must meet the challenges of remaining innovative and proving their bench strength if they are to make further inroads with respect to enterprise applications. Providers' innovations will need to include many areas of the business beyond technology. Key among them will be a keen focus on standardization and the many dimensions of risk management. Tighter controls and greater familiarity with the compliance and operational concerns of large corporations may go a long way toward closing the credibility gap that seems to beset the SaaS industry.
Those players that step ahead by strengthening their controls and risk management programs stand to enhance their reputations — and increase their market share — as they expand throughout the national and international market for SaaS offerings.

Document content is not intended to answer specific questions or suggest suitability of action in a particular case. For additional information on the issues discussed in this document, consult your Grant Thornton client-service professional. In the U.S., visit Grant Thornton LLP at www.GrantThornton.com.

© Grant Thornton LLP. All rights reserved. U.S. member firm of Grant Thornton International Ltd.