Make sure to to register for our upcoming free IT Webinar, taking place Thursday 14th, May between 14:00 – 15:00. Michelle Mullen, Partner, will be joined by Phil Riley, Senior IT Procurement Consultant, to provide you with an understanding of IT Cloud Services and the essential guide to successful contracting.
Contemplating a move to the cloud? Whether you are contracting with a small supplier for a single purpose application, or upgrading your entire IT infrastructure, there are advantages to be gained from a move to the cloud, some of which are:
- Cost reduction: IT capital expenditure can be reduced with minimal onsite infrastructure. You just need an internet connection.
- Scalability: the ability to scale the size of your cloud up or down depending on user demand offers flexibility, and concurrent cost efficiencies of only paying for what you require.
- Speed and availability: cloud services are available anywhere there is an internet connection, 24/7.
- Mobility: the cloud can be accessed on smartphones, tablets, laptops and desktop computers, allowing greater scope for remote working.
- Automatic updates: removal of servers and other onsite infrastructure allows suppliers to keep infrastructure and software up to date remotely.
- Security and business continuity: it is possible to take advantage of advanced security feature provided by cloud providers and cloud based backup and recovery minimises business disruption following a disaster.
Equally, there are challenges to a move to the cloud and it is important to get the key elements right from the outset to save a lot of time, angst and expense in the future.
Here are 10 Things to keep in mind when contracting for cloud services:
1. Plan, plan, plan!
SaaS, IaaS, PaaS? Hybrid in-house and cloud services or full migration? A full plan is essential to ensuring your organisation procures what it needs for best value. Planning will allow you to fully understand what it is that your organisation needs from a move to the cloud, and the solutions the market has to offer.
For large projects a detailed specification is crucial. Not only should it define technical requirements it should also cover implementation, testing and acceptance criteria, service standards and levels and compatibility with existing or continuing systems. A condition of the contract should require the supplier to deliver the project in accordance with the specification. For greater certainty, the specification can be incorporated into the contract.
2. Contractual approach
The contractual approach will be determined by the project size and how much you are prepared to spend on procurement. Whichever approach you take, you should aim to agree robust supplier performance obligations and reasonable limits on liability based on sensible allocation of risk between the parties. Different approaches include:
- Bespoke customer contract: This approach allows the customer to contract on its own terms. It is especially beneficial when procuring large projects. It may not be appropriate, or even acceptable to suppliers, where you are purchasing single products.
- Supplier’s standard terms and conditions: Occasionally suppliers insist upon using their own terms, and sometimes it just makes sense from a cost perspective. It may not be a surprise to find that supplier’s terms are very often lacklustre from the customer perspective. However, there is always room for negotiation!
- Consortia and framework agreements: these offer greater purchasing power and the terms are often recognised across the industry. Often framework suppliers (such as those on CCS) have been vetted, giving assurance to customers. However, often the contracts themselves are very cumbersome and may contain a substantial volume of irrelevant provisions.
3. Detailed planning and implementation
Like traditional IT services, cloud services are front end heavy: most of the customer risk arises during the implementation phase, with only managed services and maintenance and support provided following go-live. A detailed implementation plan should be agreed either before, or within a very short period of, contract signing.
The plan should cover design, configuration, migration and integration, acceptance testing and roll out against a reasonable timeline to achieve system go-live.
It is important to include rights for the customer to require the supplier fixes issues during implementation (at no additional cost) and appropriate remedies for failure to agree the plan and implement by a go-live or longstop date. Payments for implementation or professional services should be tied to the implementation plan.
4. Pricing and cost control
Typically, the majority of the customer’s costs of procuring or migrating to the cloud are incurred prior to go-live. A common model for payment is using milestones during the implementation phase and a small retention to be paid after go-live. Following go-live there are generally annual fees for any managed or support services.
Cloud services are generally charged on a consumption model, including on a “pay as you go” basis. We recommend fees for scaling capacity (both up and down) and any other service or ancillary fees the supplier may charge are included in the contract, as should the supplier’s rate card.
The contract should state whether any part of the fee is fixed and/or any fee increases should be in-line with a recognised index, such as CPI.
5. Service levels
Service levels offered by cloud providers to supplier are on a take it or leave it basis. IT managers should be familiar with these service levels, as they will override service levels agreed with the supplier.
Nonetheless, service levels between the supplier and the customer are important and should cover service availability, down-time/ maintenance windows, response, fix and resolve times, service improvement, reporting and user training and development. Where BCDR is provided as part of the service, time targets to return the service should be included.
Services levels should be measured against quantifiable targets. Where services credits are to be available, the credit should be tied to the target.
6. Change control
It is almost unheard of that an IT project goes according to the plan, cloud services are no different. A clear contractual procedure for agreeing changes to the project is vital to ensure that the customer retains control of changes to the project and costs.
The procedure should place the onus for proposing solutions to any changes (even when instigated by the customer) on the supplier and require costs and alternatives to be included. Final sign-off and discretion to agree any change should remain with the customer. For a change to have effect it should be in writing and signed by both parties.
7. Intellectual Property & licencing
Typically cloud services and associated applications rely on a combination of supplier and third party intellectual property. It is standard to include intellectual property indemnities in favour of the customer, and the supplier may require reciprocal arrangements in the event of breach of intellectual property rights by the customer.
The customer should ascertain the full extent of supplier and third party licences required for the service being procured. The customer should review all licence terms. Licencing arrangements should be reflected in the contract and cover the full term and a period following termination (whether in perpetuity or until such time as a replacement service can be procured).
8. Data control and security
The same laws apply to cloud services as it does to other IT infrastructure and services, particularly with regard to the collection and holding of personal data. Customers and suppliers must have appropriate technical and organisational measures in place to ensure security of data in the cloud.
There are industry standards (e.g. ISO/IEC) covering cloud services. These can be referred to in the specification and/ or contract and the supplier should be obliged to comply with them.
9. Service continuity
In addition to service levels, specific contractual obligations requiring the supplier to provide technical assistance to restore any services or relevant parts of your system that are taken down due to a disaster.
There should also be clear obligations for the supplier to have, maintain and be able to implement disaster recovery arrangements in accordance with industry standards or practice in the event of its own service going down.
Depending on the nature of the services it may be justifiable to have a contractual BCDR plan. The initial plan should be agreed from the outset or within a reasonable time after contract signing with provision to review and update the plan during the term.
10. Exit planning
All things come to an end! From the customer perspective avoiding the situation where the contract is ending (possibly on less than happy terms) and you need to start to plan how to get all your data back from the supplier and transition to a new supplier while keeping all the cogs turning is key: the risk here being held to ransom by the outgoing supplier.
Exit planning should form part of the implementation of the IT service you procure. It is fairly typical to agree a high level exit plan within the contract, with a detailed plan to be approved by the customer within a few months of contract signing. Provision should be included to review the plan from time to time so that it keeps pace with your system as it evolves. The contract should include obligation on the supplier to implement the plan on termination or expiry of the contract; co-operate with the customer and any new supplier; carry out the plan in an efficient and orderly manner so as to causes minimal disruption and not have any adverse effect on business operations.
For more information, please contact Michelle Mullen or Christian Barnes.