Software development outsourcing and SaaS, though based on the same idea – transferring software development to a third party – differ in fundamental ways. However, some practices apply to both. The compliance and risk management strategies used in software development outsourcing, including supplier due diligence, compliance risk assessments, and standard contractual terms and conditions, should also be used when considering SaaS solutions, according to Peter George, an outsourcing specialist, whose article I’ve read lately.

Those risks are generally categorized into three areas:

  • Governance risks – risks attached to the loss of control over the management and incentive structure of the party performing the outsourced function. Currently, SaaS offerings do not provide benchmarking rights or even promises of long-term price protection, things that are very common in software development outsourcing. All the same, as SaaS providers seek to reassure customers that governance risk will be tempered, such contractual provisions may begin to find their way into SaaS contracts. Moreover, SaaS providers are starting to invest more willingly in their reputations, particularly with respect to data privacy, security and scrutiny over unilateral contract changes.
  • Operational risks – risks connected with the performance and delivery of activities that are under the control of a third-party provider. In software development outsourcing, operational risks are normally addressed through service level agreements, mutually acceptable procedures manuals, and performance warranties. SaaS solutions already borrow some of these operational protections. They provide, for example, four different levels of service based on price, which is very similar to the incentive structure employed in the service level agreements of development outsourcing deals. However, under SaaS the service level agreement is used mostly as a means of allocating resources based on price.
  • Compliance risks – risks of legal, governmental and other third-party liability that may not be delegable even when control over the delivery of the outsourced function is transferred to a third party. In the context of software development outsourcing, these risks are addressed through the clear allocation of controls to mitigate the risk of violations, audit rights to verify conformance with those controls, well-articulated procedures, and indemnities intended to reallocate liability from the party that may incur a penalty for breach to the party best positioned to prevent a violation. Under a SaaS model, customers remain responsible for breaches of non-delegable compliance obligations. Unfortunately, many protections typical of software development outsourcing and provided in outsourcing agreements are still absent in the context of SaaS solutions.