How Insights from SaaS Disputes Can Safeguard Your Organisation
In this article, discover how to:
- Understand the Transition from On-Premise to SaaS
- Leverage Insights from SaaS Solutions Disputes
- Ensure a Smoother Transition Using Key Due Diligence Practices
- Identify Functionality Gaps and Integration Challenges
- Protect your Business Using Stringent Security, Compliance, and Performance Considerations
- Migrate to SaaS by Implementing Change Management and Continuous Monitoring
Over the last couple of years, we have seen a worrying uptick in significant disputes from client organisations that have moved, or are in the process of moving, their on-premise mission-critical legacy software solutions to the legacy provider’s cloud-based (SaaS) offerings.
From the numerous projects we have been asked to advise on, we have identified that many of these disputes have centred on the client not receiving full and complete guidance/transparency from their legacy provider, on the operational differences between the legacy solution they had been reliant on, and the cloud/SaaS solution the client had been advised to move to.
This article looks to provide a framework for helping your organisation determine whether such a move from on-premise to SaaS solution is the right decision right now, and to provide guidance, based on our dispute experience, of the due diligence and key migration considerations necessary to leverage the advantages of a SaaS based offering while mitigating the potential downsides.
The challenge of moving to cloud (SaaS)
The landscape of IT solutions has been undergoing a significant transformation over the past decade. The potential for reduced upfront infrastructure costs, low maintenance on software upgrades, ease of scalability and the ability to access software from anywhere with an Internet connection has driven take-up of Software as a Service (SaaS) offerings, replacing traditional on-premise solutions, which require a business to manage and maintain its own hardware and software.
However, this transition is not without its challenges.
One of the most significant risks lies in the fact that many SaaS-based versions of software, designed to replace their legacy counterparts, often offer only a fraction of the functionality of the legacy solutions you currently use; moreover, the functionality that the SaaS version does retain often operates very differently, and with a reduced scope, from its counterpart in the legacy solution embedded in your current operational environment.
A lack of visibility
Before even considering a move to an SaaS solution, it is crucial to thoroughly evaluate the provider’s claims rather than to simply take them at face value. You need to have full visibility of what the SaaS solution will provide, where material changes exist in how the functionality operates against that same functionality in your legacy solution, and what the new SaaS solution will not cover at all.
From the many disputes we have advised on with those that have embarked on the legacy-to-SaaS transition, we have found that clients are often unsure of the right questions to ask about the new SaaS solution; the assumption being that the solution will largely be the same as the legacy system, just operated from ‘the cloud’. The majority of clients in the disputes we have been advising on have assumed that the new SaaS solution will still support all of the existing functionality, although the client often accepts that it ‘might’ operate ‘slightly’ differently from their existing legacy solution.
At the same time, many software vendors/system integration partners do not seem to have a good enough understanding of the aspects of legacy solutions functionality that is critical for their clients, and where the new SaaS solutions will operate differently from the legacy counterpart. Most importantly, however, there is often too little advice from the providers on how to bridge that operational gap.
Part of the problem seems to be that some SaaS solution providers and/or their system integration partners do not appear to be as well versed on these functionality differences, between the SaaS solution and the legacy on-premise solutions, as they could be.
How to achieve better visibility of the ‘unknown’
To avoid any material misunderstandings of how/whether the new SaaS-based solution will continue to appropriately support your operational requirements, you normally have three primary options:
Item | Option | Pros | Cons |
---|---|---|---|
1 | ‘Light touch’ internal review. You internally review the SaaS product yourselves to assess fitness for purpose against the legacy solution. | • Direct insight into the new SaaS functionality and limitations. • Enables high level identification of immediate gaps and operational challenges. • Quick assessment with internal knowledge. | • High risk of overlooking issues due to a lack of deep technical understanding of the new SaaS solution. • Internal bias may lead to inaccurate assessment. • May miss subtle differences in functionality critical to business operations. • No external validation of findings. • Resource-intensive for internal teams with potential gaps in both technical and operating expertise. |
2 | ‘Diligence-based’ internal review. Your team maps out existing organisational processes and use cases supported by the legacy product and uses this as a comparison to assess the new SaaS product. | • Provides a structured and objective comparison. • Facilitates identification of improvements to current operations alongside the assessment. • Aligns new software capabilities with specific business processes. • Enables consideration of operational improvements. • Better assessment by using known operational benchmarks. | • Time-consuming to map out existing processes in detail. • Internal team still likely to overlook critical technical differences as it is highly likely they will lack in-depth knowledge of the new SaaS solution. • Potential for significant resource commitment. • Unlikely to uncover all material limitations of the SaaS solution without significantly deeper technical insight. • Internal knowledge unlikely to be sufficient to fully assess the impact of missing or altered functionalities. |
3 | ‘Due diligence-based’ software provider review. Your internal team maps out existing processes, including potential/aspirational improvements and develops terms of reference for the SaaS provider to conduct due diligence on your operational processes and use cases. | • Leverages provider's deep technical expertise and industry knowledge. • Ensures a thorough, expert-led assessment. • Reduces risk of overlooking critical functionality gaps. • Provider's due diligence includes real-life migration experiences from other clients. • Allows you to understand the full impact, including operational changes and compromises. • Potentially aligns SaaS solution more closely with business needs and improvements. | • Higher cost due to provider involvement. • Although likely to extend the ‘initial’ timeline for migration, will likely save 2-3 times the implementation cost and timeline, due to the SaaS provider’s specialist knowledge of its solution. • Dependence on provider's honesty and transparency (can be mitigated by appropriate assurance of their terms of reference for due diligence). • Risk of the provider downplaying limitations to push the sale. (Again, can be mitigated by appropriate assurance of their terms of reference for due diligence.) • Client may need to manage the relationship closely to ensure thoroughness. • Less control over the assessment process compared to internal review. |
The remaining aspects of this article focus on how to undertake option 3: the ‘Due diligence-based’ software provider review.
The Importance of Detailed Due Diligence (Undertaken by your Software Provider)
The most assured way of protecting your organisation from the consequences of an uninformed migration decision is to ask your provider to conduct a thorough due diligence exercise on how you currently operate and deliver on your business outcomes, using the software provider’s legacy solution. During this exercise, also articulate any improvements to existing workarounds you would like them to consider.
This should help them act as a critical friend and identify any existing functionality gaps in their SaaS offering, the workarounds you would need to adopt if you migrated, and the functionality improvements on their development roadmap that will assist you in minimising any workarounds in the future. The output from this exercise – provided it is structured in the right way – will offer you invaluable guidance for the transition from an on-premise solution to the provider’s equivalent SaaS offering.
Many SaaS/cloud-based solutions are functionality impotent when compared with their on-premise brethren
The software provider’s due diligence exercise is likely to show that many cloud versions simply do not match the depth and breadth of functionality of their tried-and-tested legacy software versions. A comprehensive evaluation from the provider should pinpoint where the SaaS version lacks key functionalities or where replacement functionalities operate differently. Understanding these gaps and adaptation requirements, and their impact on your organisation, is crucial for making an informed migration decision.
Key Areas of Due Diligence You Should Ask Your Provider to Undertake
Leveraging Provider Expertise: Why the Provider’s Specialist Due Diligence is Crucial for SaaS Migration
When a provider specialising in your industry promotes its cloud-based (SaaS) solution to replace its legacy on-premise software, it also brings, or should bring, to the table unique insights and a detailed understanding of both systems. This expertise, combined with experience from working with other clients, should enable the provider to identify and mitigate any operational gaps that may arise during the migration process.
We have recently worked on several disputes that highlight why it is crucial to have your provider conduct a thorough due diligence exercise for your migration. Despite the technical proficiency of your internal team, and even if your provider suggests that you perform your own due diligence, our experience shows that relying on the provider’s expertise is far more prudent. We have seen many cases where clients have conducted their own due diligence only to face significant issues later due to gaps in their understanding of the new SaaS solution’s functionality.
Viewpoint 1: Your Perception of Self-Sufficiency
You may believe that your own technical specialists and/or application users can undertake the due diligence necessary to assess the differences between the legacy on-premise system and the new cloud-based solution. You may feel that your internal teams have the requisite skills and knowledge to conduct a comprehensive evaluation, identify potential gaps and plan for the migration. This confidence is often rooted in your team’s familiarity with the current system, their general technical expertise and their knowledge of your operational processes.
Viewpoint 2: Your Provider’s Superior Knowledge for Effective Due Diligence
However, while your internal technical specialists and experienced users may possess valuable knowledge of the system and of your operational processes, our experience of many disputes arising from on-premise to cloud-based migrations shows that relying on in-house due diligence to compare both systems is likely to fall short for several reasons:
- Detailed Understanding of Both Systems: Your provider has, or should have, an intricate and comprehensive technical understanding of both the legacy on-premise solution and the new cloud-based offering. This includes deep knowledge of how functionalities translate between systems, the technical nuances and the specific differences that might not be apparent without extensive experience with both. Internal teams, despite their proficiency, typically lack this level of detailed insight into the new SaaS product, which is crucial for identifying subtle yet material operational differences.
- Real-life Migration Experience: Your provider’s experience in guiding other clients through similar migrations offers invaluable real-life insights. With a specialist role in your industry, they have encountered common pitfalls, operational challenges, and best practices that your internal team may not be aware of. Their practical knowledge of issues such as differing data structures, data mapping, and functional operating differences enables them to anticipate potential operational gaps and address them proactively, ensuring a smoother and more effective transition.
- Knowledge of Your Specific Usage: Your provider is likely to have detailed knowledge of how you use the legacy on-premise solution, including existing on-premise integrations and on-premise customisations. Giving your software provider a specific set of terms of reference, covering your operating processes, use cases and requirements, against which to undertake detailed due diligence enables them to identify what will continue to work well, where existing operational processes will not be supported or cannot be changed, and where the SaaS can be configured to meet your specific needs, ensuring that key business processes continue to function smoothly post-migration. There are likely to be many material aspects where the SaaS solution is unable to meet your operational needs. This does not mean the SaaS solution needs to mimic the functionality of the legacy on-premise solution – it means that there may be other ways the SaaS solution can be configured to work with – or even improve – your current operational processes. Internal teams may struggle to achieve this level of understanding of the new SaaS solution without the provider’s insights, potentially overlooking critical custom workflows and integrations that you rely on.
- Devil in the Technical Detail: The complexity and depth of the technical, functional and operational details involved in such a migration are significant. Providers can identify and address these technical and operational intricacies (on the basis that your terms of reference to them for the due diligence are structured in an appropriate way), ensuring that all aspects of the system are considered. Although your internal teams have a detailed understanding of your operational processes, they are unlikely to have access to all of the necessary technical documentation or the specialised knowledge required to thoroughly assess the SaaS solution’s capabilities and limitations.
In conclusion, while your internal technical specialists and experienced users play a crucial role in the migration process, our experience with disputes between users and SaaS solution providers strongly suggests that the provider’s involvement in conducting detailed due diligence on a client’s operations and how they will map to the new SaaS solution is often indispensable. The provider’s industry insights, comprehensive technical understanding, practical migration experience, familiarity with your specific usage and diligent assessment of both operational and technical details, will collectively ensure a smoother and more successful transition from the legacy on-premise solution to the cloud-based SaaS offering.
Key Considerations in Migrating to Your Provider’s SaaS Offering
When you ask your software provider to undertake due diligence, the following points are typically the primary considerations they will (should) take into account.
Functionality Comparison
When considering a transition to SaaS, a comprehensive comparison of functionalities between the legacy system and the cloud version is imperative. This involves a detailed analysis of all the features currently utilised in the on-premise system and mapping them (where appropriate) to the functionalities available in the SaaS solution. Missing or altered features will significantly impact your business processes and productivity.
For instance, certain automation workflows that were configured into the on-premise solution may not be available just yet, or are likely to operate and function very differently in the SaaS version. These discrepancies need to be identified early to allow for either adjustments in your internal business processes or to seek an alternative workflow within the SaaS platform. Detailed ‘gap’ documentation provided by your software partner, along with them demonstrating how you work now in the legacy solution and how you would achieve the same operational outcome (not necessarily functionality) in the SaaS platform, can help you understand the operational impact of these differences. Ensuring your provider involves key end-users in this evaluation will provide insights into how these changes affect individual department day-to-day operations.
Additionally, the SaaS provider advising you on how the roadmap for future updates will impact how you operate (for better or worse) is crucial. It may be that certain functionalities currently missing in the SaaS version are planned for future releases – or they may not. Clear communication from your provider about the roadmap will help you determine how transparent they are being when advising on how well the SaaS solution will meet all your business needs.
Data Security and Privacy
Data security is a major consideration when moving to SaaS. It is vital for the solution provider to assess the security measures and compliance protocols, ensuring they meet the stringent requirements necessary for both public and private sector organisations.
- UK Government, Defence and Security Organisations. Data protection and management requirements are exceptionally stringent. The SaaS provider must comply with specific regulations and standards, including the following (though this is not an exhaustive list):
  - Cyber Essentials and Cyber Essentials Plus: These certifications ensure that the provider has fundamental security measures in place to protect against cyber threats.
  - ISO/IEC 27001: This international standard specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS).
  - Government Security Classifications (OFFICIAL, SECRET, TOP SECRET): Data must be handled according to its classification level, with appropriate measures for each tier. For example, data classified as SECRET or TOP SECRET must have appropriate layers of encryption and restricted access controls.
  - National Cyber Security Centre (NCSC) Cloud Security Principles: Providers must adhere to these principles, which include data sovereignty, secure configuration, asset protection and operational security.
  - Defence Cyber Protection Partnership (DCPP): Providers must meet the security controls outlined in the MOD’s Defence Cyber Protection Partnership framework, ensuring robust protection for defence-related data.
Providers must implement robust encryption both at rest and in transit, multi-factor authentication, and regular security audits. Additionally, the physical location of data centres should be within the UK to comply with data residency requirements and to ensure that data is not subject to foreign jurisdictional risks.
- Private Sector Organisations. While the security requirements here may not be as stringent as those for government and defence, they are still critical. Providers should:
  - Adhere to the General Data Protection Regulation (GDPR): This includes data minimisation, ensuring data subject rights and implementing adequate technical and organisational measures to protect personal data.
  - ISO/IEC 27001: Compliance with this standard is also important for private sector organisations to ensure a robust information security management system.
  - PCI DSS: For organisations handling payment card information, compliance with the Payment Card Industry Data Security Standard (PCI DSS) is essential.
  - Data Encryption: Implement strong encryption protocols both at rest and in transit to protect sensitive business data.
  - Regular Security Audits: Conduct regular security audits and vulnerability assessments to identify and mitigate potential threats.
  - Multi-Factor Authentication (MFA): Enforce MFA to add an additional layer of security for user access to the SaaS solution.
Additionally, private sector organisations should request that the provider’s assessment includes an evaluation of its incident response plan and its ability to ensure business continuity in the event of a data breach or cyber-attack. The provider’s transparency regarding its security practices and its compliance with industry standards is critical in building trust and ensuring data security.
Service Reliability and Performance
Service reliability is another critical factor. Ask the SaaS provider for independent and objective evidence of its track record for uptime and service continuity. Ensure they advise you correctly of the implications of Internet communications dependency, particularly for remote workers on private or domestic broadband provision who may experience more frequent service disruptions than those in an office environment.
The provider should also advise you on any changes to its Service Level Agreements (SLAs) and the likely impact on your operations of its guarantees regarding uptime, response times for support issues and the compensation payable in case of service outages. It is also beneficial to ask for independent and objective evidence from the provider of its historical performance, detailing metrics like average downtime per year, response times during outages and other customers’ satisfaction ratings.
The provider should also explain how your specific usage of its cloud-based solution could be affected by the geographical location of its data centres, particularly in terms of latency and the performance of its solution. For example, where you are a global organisation, it is important that the SaaS solution has a distributed network of data centres to ensure consistent performance across different regions.
Integration and Customisation
Integrating the SaaS solution with your other existing (usually niche) third-party on-premise systems can often present challenges. Your provider should give you an honest assessment (from its due diligence of your operational usage of the existing legacy solution it has provided you with) of the solution’s integration capabilities and it should also ensure that it will:
- Advise you on how its new cloud-based API will impact on any existing custom integrations and/or middleware solutions you have implemented;
- Determine how far in advance of updates to its API the third-party integrations are tested prior to going live; and
- Provide insights about when the on-going maintenance changes and updates of the cloud-based API are communicated to you.
As part of its due diligence, the provider should explain (in layman’s and operational business terms, as opposed to technical terms) what its suggested integration strategy involves and how it assures the data flow between systems, identifies potential bottlenecks and ensures data consistency across platforms. Compatibility and mapping issues often lead to integration failures, data inconsistencies and workflow disruptions. It is crucial that, as part of its due diligence process and well before any migration from your legacy solution to its new cloud-based solution takes place, the provider conducts thorough testing of integrations in a controlled environment.
Additionally, and again as part of its due diligence process, the provider should give you visibility of any limitations in customisation options compared with your current on-premise solution. SaaS solutions are generally designed to cater to a broad audience, which can result in a one-size-fits-all approach. This standardisation may limit specific configuration options for specific business needs and unique workflows. Businesses with highly specialised processes may find it challenging to fully align the SaaS application version with their requirements, potentially impacting operational efficiency and effectiveness.
Conducting Appropriate Due Diligence
Engaging the Provider
Engage with the provider to request that it undertakes an explicitly detailed due diligence process that investigates how you currently use its legacy solution and how that usage will map to use of the SaaS solution, while still achieving the same outcomes from supporting your operational processes. As part of the output from that due diligence, the provider should hold advisory workshops and Q&A sessions to make sure it has captured your operational processes correctly and thoroughly, and that it understands the capabilities and limitations of the SaaS solution against those operational processes.
- For your insights, request an analysis of the provider’s side-by-side comparison of functionalities, detailed security reports, and performance benchmarks. Ensure that the provider is transparent about any known limitations or gaps in the SaaS version and their plans for addressing these issues.
- Additionally, seek appropriate references from other clients who have transitioned to the SaaS solution. Their experiences can provide valuable insights into the real-world performance and reliability of the solution.
Stakeholder Involvement
Involve key stakeholders from various departments in the due diligence process to be undertaken by the provider. Form a cross-functional team that the provider can work with, so it can evaluate the fitness for purpose of its SaaS solution and gather diverse perspectives on its impact.
Stakeholder engagement is crucial for gaining buy-in and ensuring that all potential concerns are addressed. Regular communication and workshops can help align the transition with business objectives and address any resistance to change. It is important to keep all stakeholders informed about the benefits and potential challenges of the transition and to gather their input on critical decisions.
Piloting and Testing
As part of its due diligence process, the provider should design and conduct pilots and detailed testing. These should test the SaaS solution in real-world scenarios (your use cases and alignment to your operational process maps) appropriate to your organisation. The provider should then evaluate the system’s performance with inputs from your internal team on usability and integration with existing workflows during the trial period.
Your provider should focus on critical business processes during the pilot and test how they are handled by the SaaS solution. It should also gather feedback from your end-users on their experience with the new system and document any issues or limitations encountered. The provider should use this feedback to make necessary adjustments and to ensure that the SaaS solution will meet the operational needs of the business.
Summary of the Above Best Practices for a Smooth Transition
Thorough Assessment
Before making the transition to an SaaS solution, it is crucial for the provider to conduct a thorough assessment of your organisation’s needs, risks, and benefits. This involves a comprehensive analysis of the current on-premise system, identifying pain points and understanding the specific requirements of your business processes.
The provider should also evaluate the potential benefits of the SaaS solution, such as cost savings, scalability and improved performance, against the risks, including data security, compliance issues and potential downtime. By the provider thoroughly assessing these factors and informing you accordingly, you can make an informed decision that aligns with your strategic goals.
Provider Diligence and Advice
When migrating from on-premise to SaaS, consider the following criteria:
- Security Measures: Ensure the provider employs robust security protocols, including encryption, multi-factor authentication, and regular security audits.
- Compliance Certifications: Verify that the provider complies with relevant industry standards and regulations such as GDPR, ISO/IEC 27001, and HIPAA.
- Service Level Agreements (SLAs): Review the SLAs to understand the provider’s commitments regarding uptime, support response times and data recovery processes. Ensure that these agreements meet your business requirements and provide adequate protection in case of service disruptions.
Data Management Strategy
A robust data management strategy is essential when transitioning to SaaS. Your provider should supply evidence that this includes:
- Data Backup: Regular backup of critical data to prevent loss in case of system failures or cyber-attacks.
- Recovery Plans: Development and testing of data recovery plans to ensure your business continuity in the event of data corruption or loss.
- Data Migration: As one of the outputs from its due diligence exercise, the provider should plan the data migration process meticulously to avoid data integrity issues. This includes the provider validating that the data stored in the on-premise solution and potential third-party integrations map appropriately to the SaaS solution.
Change Management
Effective change management is vital to ensure a smooth transition to SaaS. This involves:
- Communication: Taking the input from your provider’s due diligence output, clearly communicate the reasons for the transition, the benefits and the impact on various stakeholders. Keeping everyone informed helps to build support and reduce resistance.
- Training: As part of the output from the provider’s due diligence exercise on the considerations for your migration to SaaS, it should have outlined a comprehensive training programme to equip users with the skills needed to operate the new SaaS solution effectively. This should include workshops, online tutorials and hands-on training sessions.
- Support: The provider should offer ongoing support to help users adapt to the new system. This would usually include a helpdesk, online user manuals and a dedicated team to address any issues that arise during the transition period.
Continuous Monitoring and Evaluation
Once the transition to SaaS is complete, it is important to continuously monitor and evaluate the solution, through joint workshops between you and your provider, to ensure it continues to meet your business needs. This involves:
- Performance Monitoring: Regularly track key performance indicators (KPIs) to assess the system’s performance and identify any issues that need addressing.
- User Feedback: Collect feedback from users to understand their experiences and identify areas for improvement.
- System Audits: Conduct periodic system audits to ensure compliance with security protocols and regulatory requirements.
- Upgrades and Updates: Stay informed about updates and new features offered by the SaaS provider and assess their relevance to your business operations.
Conclusion
Transitioning from a legacy on-premise solution to an SaaS offering can drive significant benefits, but it also comes with considerable risks and challenges, primarily due to the often hugely reduced functionality of SaaS versions compared with their legacy counterparts.
It is therefore crucial for organisations to engage deeply with their software providers, ensuring that comprehensive due diligence is undertaken by those with the requisite expertise. Their ability to conduct detailed assessments, identify functionality gaps and configure the SaaS solution to the specific operational needs of an organisation is critical for a successful transition. Additionally, considerations around data security, integration, service reliability and change management must be rigorously evaluated and managed.
As the world of business marches towards an ever more connected cloud-based operating norm, it’s vital to recognise that the transition process is often far more complex and involved than some might have you believe. The rewards of such a shift will often exist, but only for those who first thoroughly assess the true challenges that need to be overcome and evaluate the best ways of adapting to this reality.