IT procurement or sourcing managers challenged with finding sourcing options that reduce costs at tolerable risks should examine nine contractual terms to reduce risk in cloud contracts, according to Gartner, Inc. The cloud delivery model is gaining popularity, but it includes risks that are often unclear or overlooked when assessing the appropriateness of the sourcing model.
"Cloud solutions often appear to have lower initial and switching costs than traditional solutions, but include hidden costs and risks, and require unique terms for contract protection, compared to traditional arrangements," said Alexa Bona, research vice president at Gartner. "Many cloud providers appear reluctant to negotiate contracts, as the premise of their core model is a highly leveraged approach. The starting point contractually often favours the vendor, resulting in a potential misalignment with user requirements."
When assessing cloud offerings' procurement and sourcing, executives need to understand what can be negotiated relative to risk elements, what they need to pressure cloud providers to offer, and what will likely not be negotiated.
"Cloud markets are generally still very competitive, and it is important for sourcing and procurement executives to leverage competition to optimise negotiations. They should be prepared to walk away from deals, if some of the risk elements are not satisfactorily addressed," said Frank Ridder, research vice president at Gartner. "As this computing model is relatively nascent, we believe that, over time, the combination of buyer pressure, and a provider desire to reduce the length of negotiation cycles and number of customised deals will mean that some terms will evolve to more of a middle ground, rather than the current contract practices, which are mostly provider-centric."
The nine key terms to understand in cloud deals to mitigate excessive risk include:
- Uptime Guarantees. Despite the significant business-criticality of certain cloud applications, Gartner analysts have seen numerous contracts that have no uptime or performance-service-level guarantees at all, or that are only provided as a changeable URL link. Cloud contract negotiators must be aware of the performance service levels required and ensure that they are documented contractually, ideally with penalties, if the performance standards are not achieved.
- Service-Level Agreement Penalties. For service-level agreements (SLAs) to be used to steer the behaviour of a cloud service provider, they need to be accompanied by financial penalties. If downtime or performance service levels are not met, negotiate penalties and escalation clauses. Rather than credits, money back is preferable, in terms of your negotiating leverage and pressure on the provider, because no vendor likes to have to give money back, once booked.
- Watch Out for SLA Penalty Exclusions. More cloud providers realise that they need to add guarantees and quality measures for the services they sell in the cloud. To manage their risks, cloud providers usually put rigid penalty exclusion criteria into their contracts. Organisations should look carefully at exclusions to the right to penalties. For example, they should ensure that any downtime calculation starts exactly when the downtime commences.
- Security. As part of the cloud-sourcing strategy, procurement and security executives should ensure that the provider's security practices are at the same level as, or exceed, their own security practices, especially if the company falls under industry or national privacy-related regulations. Gartner recommends negotiating SLAs for security, especially for security breaches. The analysts suggest immediate notification of any security or privacy breach as soon as the provider is aware of it.
- Business Continuity and Disaster Recovery. Cloud contracts rarely contain any provisions about disaster recovery or provide financially backed recovery time objectives. Some infrastructure as a service (IaaS) providers don't even take responsibility for backing up customer data. If organisations are prepared to back up their data within the enterprise, or some other cloud service, and have the ability to use that data within an application, then they need to confirm that their provider has a suitable API or other mechanism to accommodate the organisation taking responsibility for disaster recovery.
- Data Privacy Conditions. If the cloud provider is complying with privacy regulations for personal data on behalf of the organisation, the client needs to be explicit about what they are doing and understand any gaps. Contracts should unequivocally state that the cloud provider will not share personal data with anybody else (this becomes more complicated if they have to share data with a third party - e.g., a cloud infrastructure provider - which is common for many software as a service [SaaS] solutions) and that they will only do what the customer (the data controller) says they should do.
- Suspension of Service. Some cloud contracts state that if payment is more than 30 days overdue (including any disputed payments), the service can be suspended by the provider. This gives the cloud provider considerable negotiation leverage in the event of any dispute over payment. Organisations should negotiate an agreement that payments in any current legitimate dispute should not lead to a suspension of service. Some providers are removing disputed payments from this clause.
- Termination. A number of cloud contracts allow the provider to terminate the agreement with 30 days of a written notice, or at least within 30 days of renewal. Users should negotiate for at least six months notice for the provider to terminate, unless they have materially breached the contract.
- Liability. Most cloud contracts restrict any liability apart from infringement claims relating to intellectual property to a maximum of the value of the fees over the past 12 months. Organisations should try to negotiate for higher liability protections. Leverage the fact that these providers would have liability insurance to achieve higher caps, and be prepared to walk away if this issue is not resolved.
Additional information is available in the report "IT Procurement Best Practices: Nine Contractual Terms to Reduce Risk in Cloud Contracts. The report is available on Gartner's website at http://www.gartner.com/....
Gartner analysts examine additional best practices in negotiating contracts in the upcoming webinar "Microsoft Licensing: Yes You Can Negotiate," 25 May at 3.00pm and 6.00pm UK time. Gartner analysts will discuss the critical success factors in structuring a good deal. To register for the webinar, please visit http://my.gartner.com/....
In the Gartner Webinar on Demand "Negotiating with IBM, Microsoft, Oracle & SAP: Tips for Success" (http://my.gartner.com/...) analysts address the challenges customers have when negotiating with large software vendors.
Gartner IT Financial, Procurement & Asset Management Summit
The Summit focuses on the three key components to understanding the value of IT: financial management, procurement and asset management. By understanding costs, IT organisations can put a business face on IT services, illustrating the value of IT. Gartner analysts will provide their latest insight on how to better manage IT assets, the financial impact of IT decisions, and how to negotiate with software vendors. This summit pulls together and creates a setting for the IT financial, procurement and asset management community to connect and share ideas, experiences and best practices on topics such as effective cost-savings strategies, evaluating ITAM strategies, asset life cycle management, vendor management, cloud computing and more.
For further information on the Summit, taking place on 28-29 September in London, please visit www.europe.gartner.com/itam. Members of the media can register for the Summit by contacting Holly Stevens at holly.stevens@gartner.com.
"Cloud solutions often appear to have lower initial and switching costs than traditional solutions, but include hidden costs and risks, and require unique terms for contract protection, compared to traditional arrangements," said Alexa Bona, research vice president at Gartner. "Many cloud providers appear reluctant to negotiate contracts, as the premise of their core model is a highly leveraged approach. The starting point contractually often favours the vendor, resulting in a potential misalignment with user requirements."
When assessing cloud offerings' procurement and sourcing, executives need to understand what can be negotiated relative to risk elements, what they need to pressure cloud providers to offer, and what will likely not be negotiated.
"Cloud markets are generally still very competitive, and it is important for sourcing and procurement executives to leverage competition to optimise negotiations. They should be prepared to walk away from deals, if some of the risk elements are not satisfactorily addressed," said Frank Ridder, research vice president at Gartner. "As this computing model is relatively nascent, we believe that, over time, the combination of buyer pressure, and a provider desire to reduce the length of negotiation cycles and number of customised deals will mean that some terms will evolve to more of a middle ground, rather than the current contract practices, which are mostly provider-centric."
The nine key terms to understand in cloud deals to mitigate excessive risk include:
- Uptime Guarantees. Despite the significant business-criticality of certain cloud applications, Gartner analysts have seen numerous contracts that have no uptime or performance-service-level guarantees at all, or that are only provided as a changeable URL link. Cloud contract negotiators must be aware of the performance service levels required and ensure that they are documented contractually, ideally with penalties, if the performance standards are not achieved.
- Service-Level Agreement Penalties. For service-level agreements (SLAs) to be used to steer the behaviour of a cloud service provider, they need to be accompanied by financial penalties. If downtime or performance service levels are not met, negotiate penalties and escalation clauses. Rather than credits, money back is preferable, in terms of your negotiating leverage and pressure on the provider, because no vendor likes to have to give money back, once booked.
- Watch Out for SLA Penalty Exclusions. More cloud providers realise that they need to add guarantees and quality measures for the services they sell in the cloud. To manage their risks, cloud providers usually put rigid penalty exclusion criteria into their contracts. Organisations should look carefully at exclusions to the right to penalties. For example, they should ensure that any downtime calculation starts exactly when the downtime commences.
- Security. As part of the cloud-sourcing strategy, procurement and security executives should ensure that the provider's security practices are at the same level as, or exceed, their own security practices, especially if the company falls under industry or national privacy-related regulations. Gartner recommends negotiating SLAs for security, especially for security breaches. The analysts suggest immediate notification of any security or privacy breach as soon as the provider is aware of it.
- Business Continuity and Disaster Recovery. Cloud contracts rarely contain any provisions about disaster recovery or provide financially backed recovery time objectives. Some infrastructure as a service (IaaS) providers don't even take responsibility for backing up customer data. If organisations are prepared to back up their data within the enterprise, or some other cloud service, and have the ability to use that data within an application, then they need to confirm that their provider has a suitable API or other mechanism to accommodate the organisation taking responsibility for disaster recovery.
- Data Privacy Conditions. If the cloud provider is complying with privacy regulations for personal data on behalf of the organisation, the client needs to be explicit about what they are doing and understand any gaps. Contracts should unequivocally state that the cloud provider will not share personal data with anybody else (this becomes more complicated if they have to share data with a third party - e.g., a cloud infrastructure provider - which is common for many software as a service [SaaS] solutions) and that they will only do what the customer (the data controller) says they should do.
- Suspension of Service. Some cloud contracts state that if payment is more than 30 days overdue (including any disputed payments), the service can be suspended by the provider. This gives the cloud provider considerable negotiation leverage in the event of any dispute over payment. Organisations should negotiate an agreement that payments in any current legitimate dispute should not lead to a suspension of service. Some providers are removing disputed payments from this clause.
- Termination. A number of cloud contracts allow the provider to terminate the agreement with 30 days of a written notice, or at least within 30 days of renewal. Users should negotiate for at least six months notice for the provider to terminate, unless they have materially breached the contract.
- Liability. Most cloud contracts restrict any liability apart from infringement claims relating to intellectual property to a maximum of the value of the fees over the past 12 months. Organisations should try to negotiate for higher liability protections. Leverage the fact that these providers would have liability insurance to achieve higher caps, and be prepared to walk away if this issue is not resolved.
Additional information is available in the report "IT Procurement Best Practices: Nine Contractual Terms to Reduce Risk in Cloud Contracts. The report is available on Gartner's website at http://www.gartner.com/....
Gartner analysts examine additional best practices in negotiating contracts in the upcoming webinar "Microsoft Licensing: Yes You Can Negotiate," 25 May at 3.00pm and 6.00pm UK time. Gartner analysts will discuss the critical success factors in structuring a good deal. To register for the webinar, please visit http://my.gartner.com/....
In the Gartner Webinar on Demand "Negotiating with IBM, Microsoft, Oracle & SAP: Tips for Success" (http://my.gartner.com/...) analysts address the challenges customers have when negotiating with large software vendors.
Gartner IT Financial, Procurement & Asset Management Summit
The Summit focuses on the three key components to understanding the value of IT: financial management, procurement and asset management. By understanding costs, IT organisations can put a business face on IT services, illustrating the value of IT. Gartner analysts will provide their latest insight on how to better manage IT assets, the financial impact of IT decisions, and how to negotiate with software vendors. This summit pulls together and creates a setting for the IT financial, procurement and asset management community to connect and share ideas, experiences and best practices on topics such as effective cost-savings strategies, evaluating ITAM strategies, asset life cycle management, vendor management, cloud computing and more.
For further information on the Summit, taking place on 28-29 September in London, please visit www.europe.gartner.com/itam. Members of the media can register for the Summit by contacting Holly Stevens at holly.stevens@gartner.com.
