Guardian Life Insurance isn't about to take big risks when making IT investments, and CIO Frank Wander will be the first to tell you that he doesn't have a cloud computing strategy, per se.

But over the past five years, the $10 billion financial services company has moved 18 applications into the cloud. It shut down a compute grid and moved its actuarial modeling application into an Amazon EC2 cloud. And it's now in the process of broadly deploying two major software-as-a-service suites.

One of the two is Workday's human resource management suite. Guardian wasn't ready to reveal the other, but at the Atmosphere conference last fall, Google announced that it had signed Guardian as a Google Apps customer.

There's no cloud agenda at work here, says Wander. Each service has earned its seat at the table by undergoing a rigorous technology acquisition process that has been updated to include considerations unique to SaaS and other cloud services. Each service has also passed through a collaborative review process that involved the legal, security and sourcing groups in addition to IT.

"We don't do anything because it's cloud. But if the financials look right, if the risk profile looks right, if the richness and robustness look right, we go with that solution," says Wander.

The sheer breadth of Guardian's move to the cloud puts the company on the leading edge among Fortune 250 organisations. The extent of its commitment to cloud services is also changing the business's IT infrastructure and redefining roles in the IT organisation.

As more corporate infrastructure moves to SaaS, it's important for organisations to build a strong foundation of best practices to manage risks around security, uptime guarantees, compliance, limitations of liability, remedies and other contract details, say Wander and other IT executives. The business must be fully engaged in the technology acquisition process, and the organisation must follow best practices that are well thought out - from the initial request for information to integration, ongoing management and contract renewal.

We talked with several organisations about the challenges they face in scaling up with SaaS and other cloud services, why the technology still isn't the best fit for some applications or business requirements, and why they decided to sign on - or walk away.

Leading by example

Wander "is a real leader," says Robert McNeill, vice president of research at HFS Research. In many organisations, he says, SaaS "happens" to CIOs as business units bypass IT. "What's interesting is that he is using SaaS in IT - an area that he controls. He is embracing SaaS as a way of changing the business," says McNeill.

But Wander isn't alone in his thinking. The number of SaaS implementations is climbing in other enterprises, says McNeill. He adds, "We're seeing global implementations of cloud services across the very largest of organisations," including even core enterprise applications to some extent. McNeill sees the use of horizontal SaaS applications globally or across large swaths of the corporate user base as a key trend.

That view is backed up by research from Gartner. The overall market for SaaS-delivered enterprise applications will increase from $9.97 billion to $23 billion by 2015, representing a compound annual growth rate of 17.9%, according to a November 2011 Gartner report.

Cindy McKenzie, senior vice president of enterprise application services at Fox Entertainment Group, has also moved aggressively into the cloud. Transferring 11 shared services applications, ranging from recruiting to tax reporting, over to SaaS providers was "the riskiest business decision I have made in the last 18 months," she says. The global SaaS deployments, which host personally identifiable information and other sensitive data, "pushed information security, audit and legal departments past their comfort zones," but allowed the business to get strategic initiatives up and running more quickly and at a lower cost than on-premises alternatives, says McKenzie.

This year, Fox plans to move more corporate applications to the public cloud, including payroll and HR. The new system is easier to use than the existing PeopleSoft application, has passed a five-year total-cost-of-ownership evaluation and can be online in much less time than it takes to upgrade PeopleSoft.

The most critical success factor, McKenzie says, was involving the audit, security and compliance departments from the beginning. "It saved a lot of headaches. If you try to do that work after the fact or when you're signing a contract, you've lost your negotiating power," she says. "The biggest surprise was how immature the governance processes were for some of the smaller SaaS vendors. We ended up pushing a number of vendors to make changes to meet our standards."

Guardian's team follows a well-defined, formalised process from start to finish, says CTO Richard Scott. "Together we evaluate all aspects of technology solutions. It's based on a matrix and scoring and a very pragmatic, objective way of looking at the solutions," he says.

"We have good vendor management processes," which are part of Guardian's governance model, Wander says. Guardian has the same operational processes for SaaS and on-premises software. "We have operational performance management. We check response times just as we would do internally. And we take end-user satisfaction measures over time," he says.

A disciplined approach

Start scaling up SaaS with a centralised procurement model, these executives say. Before Guardian developed its federated approach to technology acquisition, its SaaS deployments didn't always go through IT, says Doug Greene, vice president of corporate systems, security, risk and compliance at Guardian. That's a common problem, especially in large companies, according to Robert DeSisto, an analyst at Gartner.

"I get calls from sales organisations that are buying directly from outside of the IT procurement process," he says. One client he spoke with had 19 individually negotiated contracts, none of which went through IT. That business was losing its volume purchasing power, and contracts weren't getting the scrutiny they deserved, DeSisto says.

Both McKenzie and Wander say it's also critical to understand the fully loaded costs of hosting applications on-site and to include that in the technology acquisition model when comparing costs to SaaS alternatives. "We always do a five-year total-cost-of-ownership evaluation that includes all costs, such as power, data centre resources and staffing," says McKenzie.

But Tom Check, CIO at Visiting Nurse Service of New York, says organisations shouldn't draw any conclusions based on IT costs alone. The $1.5 billion provider of home healthcare services has about a half-dozen SaaS deployments, including HR and CRM.

There's also one application that its nearly 4,000 clinicians in the field use to order medical supplies. In that case, Check says, "the software subscription was higher than what we incurred in the past, but the overall cost of the business process has gone down and the value to the business has increased."

At Guardian, upgrade-and-refresh cycles have traditionally consumed 12% of the shared services budget. The move to SaaS, and an intense focus on expense optimisation, has transformed Guardian's IT budget. "What makes SaaS valuable is the continuous upgrading without the burden on our organisation," says Scott.

Today, 40% of the budget goes toward running and maintaining existing operations, down from about 60% a few years ago, leaving more money to invest in solving other business problems, says Wander.

Scaling up the contract

The contract sets the tone for the relationship with a cloud services provider, says Wander. If you want to be successful, he says, "focus on the contract."

Unfortunately, "cloud computing often is not amenable to in-depth negotiations," says Russell Weiss, a partner at Morrison & Foerster, a law firm that specialises in negotiating service agreements. "Click-wrap agreements" - the ones users typically opt for when signing up for SaaS offerings online - are the norm for SMEs. "They're full of 'outs.' When you read the fine print, it can be very alarming," he says.

Fox's McKenzie says it's critical to think about contract terms and conditions early in the process by making clear what terms the organisation can live with and which ones are nonstarters. "I have a requirements template, request for information and request for proposal templates, and a contract template with all of our criteria," she says. Included are canned paragraphs covering important areas such as information security. "If they can take that, we don't need to involve information security again," McKenzie says.

Greene says Guardian starts by clearly defining the service it's signing up for. "Make sure you have a defined service, not a product name. And ensuring that baseline functions won't change with updates to the SaaS application is critical," he says. "You want to make sure you're getting your minimum requirements around security and functionality and that they can't dumb down the product in a future release."

Limitations of liability clauses can be a major sticking point. "The vendors want no liability, and we want unlimited liability," says Wander. As with remediation for failure to provide service at agreed-upon levels, providers usually limit liability to a refund of up to the total dollar amount of the contract - or a prorated service credit. "But if a service is buggy, do you really want more of something that's bad? It's better to get a promise of better service or a certain termination right," says Weiss. Likewise, a data breach can easily cost more than the value of the contract.

Finally, contract pricing can come back to bite you, and vendors don't like to make downward price adjustments for changing user counts, as McKenzie discovered. "We need the ability to scale up and down. SaaS doesn't work that way. That's been our most heinous fight," she says, because vendors wanted to lock Fox Entertainment Group into a volume purchase agreement for three or five years.

Wander had better luck. "We have a five-year contract that locks in terms and conditions but trues up on an annual basis. We've gotten very good terms in many cases," he says. But Guardian is a big account, he admits, adding, "I don't think everyone can achieve that."

There are two other ways to improve your negotiating position, says Weiss. One is to announce up front that you'll be doing competitive bidding, and then take the most favourable contract terms and pricing from each proposal and ask vendors to meet them. Another is to work with a reseller. "They can help out with terms," he says.

Other challenges

Still, SaaS isn't a fit for every application or large business. Boeing provides SaaS applications to its customers but uses only about a half-dozen SaaS offerings itself - in part because it's a defence contractor and must adhere to strict data security requirements. "Things that hold lots of intellectual property are way out of scope for SaaS," says Ted Colbert, vice president of IT infrastructure at the aerospace giant.

Integration issues present another potential challenge. For example, Boeing's current HR applications for recruiting, staffing and other functions are built around a data warehouse. "To use SaaS, we would have to build more interfaces than we have today, which would drive our complexity higher," Colbert says.

Also, because Boeing has 160,000 employees, the ability of SaaS providers to scale is a concern. "We haven't seen that play out yet," he says.

And Boeing's complex business processes would require extensive customisation of any SaaS application. "The traditional SaaS offerings don't support the structure we have today," Colbert says, but Boeing will be better positioned for SaaS as it continues to simplify its business processes.

As the number of SaaS applications in use grows, managing integrations and data flows becomes a bigger concern. "One of the things we're careful about is understanding the integration and what that does to the overall profile of our solutions," says Scott at Guardian. As part of its governance process, Guardian has always had life-cycle methodologies for the software it builds internally. Scott's team extended that to accommodate SaaS. "Having this template to follow, which is predictable, has proved itself and is really one of the secrets to our success," he says.

Some business applications in the cloud aren't up to enterprise standards. "There are certain scenarios that aren't there yet," Greene says. In some situations, the risk profile doesn't match the organisation's requirements. In others, the business might need to wait until existing IT investments are fully amortised before investing in SaaS.

Even Guardian is still nibbling around the edges when it comes to moving core ERP applications to the cloud, and Gartner says cloud-based ERP implementations aren't nearly as common as cloud-based HR and CRM systems.

SaaS offerings for core ERP applications are still evolving. "One process I haven't seen in maturity out there yet is core financials," says Greene. McKenzie also evaluated financial service offerings but declined them. "The two major products I looked at were not ready for prime time. Honestly, the market is not mature enough," she says.

Overall, IT executives say their experiences with SaaS providers have been generally positive. "We haven't had one real problem, never a breach or had a vendor go away or bad service or SLA breaches or had to sue anybody," McKenzie says. "Our experiences have been exceptionally good - so good that we're pushing more and more."

These IT executives say SaaS didn't win out in every case. But Guardian chose that option in 20 instances because the business case made sense and the services were mature enough to meet the needs of a large enterprise in areas such as service-level performance and security. And Guardian had the clout to negotiate favourable contract terms for service levels, limitation of liability clauses, pricing and other requirements.

Every system that isn't a competitive differentiator should be delivered as a service, says Wander, warning that "businesses that fail to pare their legacy architecture may find their core business disrupted by smaller, nimbler companies who have built on SaaS and cloud."