Q&A Forum

Cloud vs On Premise - What Are The Risk Management Trade-offs?

How would you describe the risk management trade-offs between cloud vs on premise software?

This question was asked during the Proformative webinar "The Evolving Role of Finance Leaders: Technology Strategists."  A video of the webinar can be viewed here:


Topic Expert
Donald Koscheka
Title: Principal
Company: Bluecloud Communications

(1) Availability - When you host on-site, you have some control over system availability. However, keep in mind that both hosted and on-premise sites are sensitive to the same issues - power outages, network outages, denial of service attacks, etc. Most hosting companies provide secondary data centers and backup and recovery services to ensure high availability.

(2) Security - make sure the hosting company is at least as secure as you are. Most companies overestimate their security controls, so you might want to have an independent security audit performed. Most hosting companies are actually MORE secure than their on-premise counterparts, but this is offset by one factor: large hosting companies are a more attractive target of attack simply because they tend to be large targets.

(3) Cost - if not managed properly, costs for hosting can exceed on-premise costs, negating one of the primary motives for moving to the cloud. Do a thorough cost/benefit analysis before you make the decision to move to the cloud.

One last point - a well-implemented hosting solution should be able to provide your users with an experience that is as good as or better than can be provided via an on-premise solution. For some systems, like email, there is little or no incentive to keep an on-site presence. The security and availability risks for email are essentially the same regardless of where the service is installed because information must necessarily 'traverse the firewall' to be useful (emails are only 100% secure if you never send them). If you want to explore moving to the cloud, email is a great starting point. We use Microsoft Office 365 and have not had any issues with the service (full disclosure: we're a small company with relatively light email volume).

Tom Kelly
Title: Managing Director
Company: T > Edward, Inc.

Recognize that risk will shift away from technology to the business. SaaS ERP systems can be implemented faster, cheaper, and easier than on-premise counterparts. This is true for the technology itself since there is no software to implement on-site and there is less need for a physical infrastructure to support the solution. Also remember that if the Cloud provider can guarantee a secure, reliable offering they will not be around for long! Do your homework on the top Cloud providers and you will not be disappointed.

Some people argue that the tradeoff is relative lack of flexibility, and as a result, CIOs and CFOs are forced to spend more time addressing organizational change management and training issues since the solutions can’t be easily changed to fit business needs, increasing the pressure on the organization to change its business processes and people. Frankly I think this is not well founded in that many Cloud based offerings are flexible and offer several ways to configure the system. Personal experience has validated this.

ERP implementations can be difficult, costly, and potentially risky to any organization, regardless of whether you’re implementing on-premise, SaaS or cloud ERP solutions. In my experience I have found that Cloud-based implementations tend to go quicker and smoother than my experience with on-premise. This is partly attributable to Cloud providers offering a straightforward implementation process and then allowing the user to tweak as they go - the crawl, walk, run analogy is applicable here.

Do not make the mistake of assuming that business processes don’t need to be redesigned, employees don’t need organizational change management, or adequate resources aren’t required to make the project successful. Mismanaged expectations are one of the root causes of ERP failures in general; this holds true regardless of the offering you are implementing.

Kelly Battles
Title: CFO
Company: Bracket

I am the CFO of Host Analytics, a cloud Corporate Performance Management (CPM) company offering financial applications such as budgeting, consolidations, metrics management and automated reporting. From an internal IT perspective, we run our entire company on the cloud and here are my thoughts on this question as both a Cloud vendor and a customer.

As with any material purchase, an important step is to do a total cost of ownership analysis, and when comparing the Cloud/SaaS with on-premise software packages, it is critical to compare apples to apples and make sure you include all of the costs associated with on-premise that are not required in the Cloud/SaaS model (including but not limited to IT support and equipment, business analysts' time, SW and Services costs for upgrades). Typically when this analysis is done correctly, it will indicate that going Cloud/SaaS can save 50% or more over a 3 to 5 year time period.

An important part of this equation is also time to value. Typically Cloud implementations are easier and faster, less stressful on your team and much less expensive given you typically don't need an army of consultants writing code as they customize and implement. Cloud applications are typically designed as prebuilt modules that can easily be configured to meet users' needs without expensive, time-consuming coding or customization work.

Then, and importantly, with SaaS vendors, it is critical to do thorough due diligence on the vendor's performance, especially when it comes to Security and Service Levels (application availability). A couple of easy steps include making sure the vendors can provide SSAE16 security audit results and that the company puts their money where their mouth is on uptime commits in their Service Level Agreement (refunds or credits if they do not meet their uptime commitments in a month, termination with refund rights if they repeatedly miss commitments).

Also make sure they have a complete disaster recovery plan - it is not fair to ask the vendor to share the plan details as it is very confidential for obvious reasons but it is very reasonable to ask questions such as 1) how often will you back up my data (hourly is reasonable) 2) how much time should it take to completely restore my application (Within 2 hours is reasonable), 3) where are your colocation facilities located and how many do you have (should have at least 2 - 1 primary and 1 back up of course) etc.

Finally always make sure that it is crystal clear you own your data, and that you can easily access/retrieve/migrate your data in the event of termination.

Hope this helps, Kelly

