Although cloud offerings are rapidly maturing, the immaturity of cloud service contracting means that many contracts have structural deficits, according to Gartner ,which has identified four risky issues that CIOs and sourcing executives should be aware of when contracting for cloud services.
"Cloud service providers will need to address these structural shortcomings to achieve wider acceptance of their standard contracts and to benefit from the economies of scale that come with that acceptance," says Frank Ridder, research vice-president at Gartner. "CIOs and sourcing executives have a duty to understand key areas of risk for their organisations.”
"It's essential that organisations planning to contract for cloud services do a deep risk analysis on the impact and probability of their risks, and they should also plan mitigation for the most critical issues," says Alexa Bona, research vice-president at Gartner. "This might cost additional money, but it is worth the effort. Risk should be continuously evaluated, because contracts can change — sometimes without notification."
The four risky issues for CIOs, when contracting for cloud services include:
* Cloud sourcing contracts are not mature for all markets – When analysing cloud sourcing contracts, it is often obvious whether the cloud service provider wrote the contract with larger, more mature corporations, or the consumer side of the market, in mind. For example, there are cloud service contracts from traditional service providers for their private cloud offerings; these tend to include more generally acceptable terms and conditions. Gartner also sees many cloud-sourcing contracts that lack descriptions of cloud service providers' responsibilities and do not meet the general legal, regulatory and commercial contracting requirements of most enterprise organisations. Gartner advises organisations to carefully assess the risks associated with cloud sourcing contracts. Areas such as data-handling policies and procedures can have a negative impact on the business case (for example, additional backup procedures or a fee for data access after cancellation) potentially creating compliancy issues and cost increases, and indicating specific risk mitigation activities.
* Contract terms generally favour the vendor – Organisations that successfully outsource, evolve more partnership-style relationships with their vendors. Cloud service contracts do not lend themselves to such partnerships — mainly because of the high degree of contract standardisation — where terms are consistent for every customer, and service is typically delivered remotely rather than locally. An organisation needs to understand that it is one of many customers and that customisation breaks the model of industrialised service delivery. Cloud service contracts are currently written in very standardised terms, and buying organisations need to be clear about what they can accept and what is negotiable. To manage cloud services contracts successfully, organisations need to manage user expectations.
* Contracts are opaque and easily changed – Contracts from cloud service providers are not long documents. Certain clauses are not very detailed, as URL links to web pages detail additional terms and conditions. These details are often critical to the quality of service and the price (such as SLAs) for uptime or performance, service and support terms, and even the description of the core functionality of the offering. Clauses that are only fully documented on these web pages can change over time; often without any prior notice. Organisations need to ensure that they understand the complete structure of their cloud sourcing contract, including the terms that are detailed outside of the main contract. They need to be sure that these terms cannot change for the period of the contract and, ideally, for at least the first renewal term without forewarning. It is also critical to understand what parts of the contracts can be changed and when the change will take place.
* Contracts do not have clear service commitments – As the cloud services market matures, increasing numbers of cloud service providers include SLAs in URL documents referenced in their contracts and, in fewer cases, in the contract itself. Usually, the cloud service providers limit their area of responsibility to what is in their own network as they cannot control the public network. Things are improving, but service commitments remain vague. When deciding whether to invest in cloud offerings, buyers should understand what they can do, if the service fails or performs badly. They should understand whether the SLAs are acceptable and if the credit mechanisms will lead to a change in the providers' behaviour; if not, they should negotiate terms that meet their requirements — or not engage.