IT procurement or sourcing managers challenged with finding sourcing options should examine nine contractual terms to reduce risk in cloud contracts, according to Gartner Inc. The cloud delivery model is gaining popularity, but it includes risks that are often unclear or overlooked when assessing the appropriateness of the sourcing model.

“Cloud solutions often appear to have lower initial and switching costs than traditional solutions, but include hidden costs and risks, and require unique terms for contract protection, compared to traditional arrangements,” said Alexa Bona, research vice-president at Gartner. “Many cloud providers appear reluctant to negotiate contracts, as the premise of their core model is a highly leveraged approach. The starting point contractually often favors the vendor, resulting in a potential misalignment with user requirements.”

When assessing cloud offerings’ procurement and sourcing, executives need to understand what can be negotiated relative to risk elements, what they need to pressure cloud providers to offer, and what will likely not be negotiated.

“Cloud markets are generally still very competitive, and it is important for sourcing and procurement executives to leverage competition to optimize negotiations. They should be prepared to walk away from deals, if some of the risk elements are not satisfactorily addressed,” said Frank Ridder, research vice-president at Gartner. “As this computing model is relatively nascent, we believe that, over time, the combination of buyer pressure, and a provider desire to reduce the length of negotiation cycles and number of customized deals will mean that some terms will evolve to more of a middle ground, rather than the current contract practices, which are mostly provider-centric.”

The nine steps to help to mitigate excessive risk in cloud deals are:

 

 

1. Document uptime guarantees. Numerous cloud contracts that have no uptime or performance-service-level guarantees at all, or that are only provided as a changeable URL link. Cloud contract negotiators must be aware of the performance service levels required and ensure that they are documented contractually.

 

 

2. Service-level agreements need penalties. For service-level agreements to be used to steer the behavior of a cloud service provider, they need to be accompanied by financial penalties. Rather than credits, money back is preferable, because no vendor likes to have to give money back, once booked.

 

 

3. Watch out for SLA penalty exclusions. To manage their risks, cloud providers usually put rigid penalty exclusion criteria into their contracts. Review these carefully. They should ensure that any downtime calculation starts exactly when the downtime commences, for example.

 

 

4. Focus on security/privacy measures. Ensure that the provider’s security practices are at the same level as, or exceed, the bank’s. Gartner analysts suggest immediate notification of any security or privacy breach as soon as the provider is aware of it.

 

 

5. Nail down business continuity and disaster recovery. Cloud contracts rarely contain any provisions about disaster recovery or provide financially backed recovery time objectives. Some providers don’t even take responsibility for backing up customer data. Banks need to confirm that their provider has a suitable API or other mechanism to accommodate the organization taking responsibility for disaster recovery.

 

 

6. Make clear data privacy conditions. If the cloud provider is complying with privacy regulations for personal data on behalf of the organization, the client needs to be explicit about what they are doing and understand any gaps.

 

 

7. Clarify suspension of service terms. Some cloud contracts state that if payment is more than 30 days overdue (including any disputed payments), the service can be suspended by the provider. Banks should negotiate an agreement that payments in any current legitimate dispute should not lead to a suspension of service.

 

 

8. Extend termination. A number of cloud contracts allow the provider to terminate the agreement with 30 days of a written notice, or at least within 30 days of renewal. Users should negotiate for at least six months notice for the provider to terminate, unless they have materially breached the contract.

 

 

9. Push for higher liability protection. Most cloud contracts restrict any liability apart from infringement claims relating to intellectual property to a maximum of the value of the fees over the past 12 months. Organizations should try to negotiate for higher liability protections. Be prepared to walk away if this issue is not resolved.

For more information:
http://www.gartner.com/it/page.jsp?id=1689914