Why SaaS Governance is Critical to Reduce Compliance Risk and Save Money: A Data-Backed Study

How is your organization managing its SaaS apps currently? Do you have a structured policy in place for handling new apps across their lifecycle yet? Do you do regular audits to ensure that you are paying only for apps that really create value?

If you answered 'no' to any of these questions, you’re not alone. Over the years, SaaS tools have become indispensable for businesses looking to cut operating costs and drive process efficiency.

They represent a step change from on-premise software and are much simpler to work with. In addition, the SaaS model makes it possible for businesses to add new users on demand, besides providing anytime, anywhere access.

Is it any surprise that the average organization uses around 600 SaaS apps today? However, the same flexibility is the cause of a phenomenon called shadow IT – a parallel cluster of apps used without IT approval – which has only accelerated since the pandemic.

The reason: many companies do not have a SaaS management strategy across the SaaS lifecycle - from procurement to termination. 

Now, small businesses like early-stage start-ups or sole proprietors can certainly get away with tracking SaaS subscriptions on a simple spreadsheet. They usually employ too few people to justify a dedicated SaaS management process.

However, for larger organizations with 500 or more employees, manual tracking is simply not an option. The risk of data loss or file corruption is just too great.  

A study conducted by Zluri in partnership with Pulse found that only 49% of US employees consulted their IT departments before buying new SaaS apps, which makes a cohesive SaaS management strategy imperative.

That’s not all. With most organizations focussing solely on the early stages of the SaaS management lifecycle, there are significant gaps at the risk assessment, training, and offboarding stages.

The study showed that 66% of respondents had a SaaS onboarding strategy in place while 60% focussed on renewal and support. However, only 58% of respondents reported having a strategy for SaaS discovery or procurement. 

Offboarding was another area of concern, with only 53% of companies surveyed following a documented app termination process.

What is SaaS Governance?

A SaaS Governance framework helps eliminate many of the business risks associated with the unchecked growth of shadow IT and SaaS sprawl. In addition, it provides a roadmap for businesses to boost compliance and transparency while stabilizing IT budgets. 

The basic premise for SaaS governance borrows from the management principle that says you can only measure what you track. 

According to the Pulse-Zluri survey, 63% of companies had a documented SaaS governance policy in place. However, there were significant differences in terms of administration and control.

Effective Governance Across the SaaS Lifecycle

For many businesses, the lack of common industry standards creates challenges in terms of choosing the right SaaS Governance approach. The survey showed significant differences in how US companies managed SaaS approvals, procurement, deployment, renewals, and offboarding. Moreover, the differences become progressively wider in the later stages of the SaaS lifecycle.

1. Procurement and Onboarding

Department heads are known to make up to 43% of the purchase decisions when it comes to SaaS apps. This is largely because implementation takes as long as 2-6 months for up to 54% of teams.

By bypassing the IT department or CIO, the department heads possibly hope to reduce time to value. However, the abuse of departmental authority can add to the SaaS management challenges in the long run. 

On the other end of the spectrum, 33% of teams surveyed reported just one month to implement a new app. Only a fraction of respondents – 3%, to be precise – said they were able to go live with a newly procured app in a single day. 

2. Training

Curiously, the survey also shows that 16% of organizations only held one training session at the time of procurement, while 33% reported receiving training only once on demand. 

This is likely true of apps procured at the departmental or business unit level without approval from IT. 

This can be inferred from another key finding of the survey: IT leaders are scheduling up to 25% more training sessions or even multiple sessions a year in 22% of cases. It is safe to say that these figures must pertain to authorized apps procured through official channels. 

However, only 39% of companies even have a strategy for SaaS training.

3. Discovery/Visibility

According to the survey, app discoverability was a key requirement for 71% of companies investing in SaaS management platforms (SMPs), and it's not without reason.

The ability to detect and monitor new SaaS apps is the first step in effective governance, after all. It allows companies to assess whether an app meets their security and compliance criteria before approval. 

Interestingly, the report points out that only 24% of companies used a SaaS management platform to govern apps, while 31% still used spreadsheets for tracking. In addition, 10% of companies had no SaaS governance tools to speak of.

4. Renewal and Support

The Pulse-Zluri report shows that 60% of companies had a policy for SaaS renewal and support. In fact, this stage was second only to onboarding in terms of the SaaS management lifecycle strategy followed by organizations. 

There is clearly scope for further growth in the renewal and support area as 60% of respondents felt that SMPs should have features for renewal management. 

On the support front, it was found that 78% of technical support requests are handled by specialists from in-house IT teams, while 43% of employees approached the SaaS vendor directly. Only 37% of requests are handled at the department head level. 

It is clear that SaaS renewal and support are a priority for most companies, given the cost implications of renewing subscriptions and app downtime.

5. Offboarding

There is a wide disparity in how companies manage app offboarding. According to the report, only 53% of companies had a documented offboarding process, while 8% didn't terminate an app at all. 

The security and compliance implications of sensitive business data falling into the wrong hands are significant. 

On the other hand, a standardized process provides assurance that the data has been secured in an appropriate manner. Moreover, 70% of respondents exported their data before closing a SaaS account. 

By implication, this is unsafe because individual employees, especially those that may be leaving, should not have access to any business data, which is the sole property of the organization.

The fact that 55% of respondents coordinated with the respective SaaS vendors when terminating apps also represents a potential security threat. 

The risk of third-party employees coming into contact with confidential business data should be considered at the procurement stage itself.

The Role of SaaS Governance in Compliance Risk Management and Cost Control

To comply with tighter government regulations, businesses have been focussing on improving risk management.

As we have seen earlier, the biggest gaps in SaaS management exist at the offboarding stage. If the data is not recovered correctly, an organization is exposed not only to security risks but also to possible violations of GDPR and other privacy laws.

According to the study, only 52% of companies evaluated new apps for such risks. For CIOs and IT managers, preventing the use of unauthorized apps also has a financial dimension. 

Given that just 58% of companies followed a structured procurement strategy for SaaS applications, IT teams are, by implication, not aware of nearly half of all apps procured. In turn, this adds to the burden on IT expenses. 

On the whole, it is clear that SaaS compliance risk management and cost control should start at the procurement stage itself. 

For example, 48% of teams seek the approval of their business unit heads to buy a SaaS app. Thus ad-hoc procurements by individual business units across an organization, without IT approval, lead to higher costs and data security problems.

The following aspects must be kept in mind for managing compliance risks and keeping SaaS costs under control:

1. Communicate the importance of SaaS governance: Accountability for SaaS management should begin from the top. It is vital for CIOs to communicate the cost and compliance impact of unauthorized apps to employees across the organization. 

Building a consensus can lead to greater buy-in from employees regarding the security, data management, reliability, and contingency aspects as well. 

According to the Pulse-Zluri study, an overwhelming majority of respondents felt that SaaS governance policies should cover these aspects. Interestingly, 39% of respondents were of the opinion that risk management was the biggest benefit of a SaaS governance framework. 

If your organization does not have an SMP yet, this is a good time to review your existing process and objectively analyze its pros and cons.

2. Evaluate apps for risks: The study also shows that SaaS requirement gathering was routine in just 53% of organizations analyzed. Without a good understanding of the SaaS needs of individual business units, it would be impossible for IT departments to recommend guidelines for evaluating apps for risk.

Just over half the organizations (52%) surveyed said that risk assessment was a part of their operations strategy. Therefore, proactively evaluating apps for possible risk factors should be a top priority for companies, especially from the compliance point of view.

3. Maintain good visibility across the enterprise: It is encouraging to note that 63% of companies already have a documented SaaS governance policy in place. However, there are significant differences in terms of day-to-day administration.

For example, 31% of companies used spreadsheets for SaaS management, with only 24% using a dedicated SaaS Management Platform. 

When seen in the context of app discoverability, it is clear why 71% of respondents believed that the introduction of an SMP would help governance.

Real-time discovery is also vital for tracking average SaaS utilization across the lifecycle, from onboarding to termination. This data could help companies identify apps with the greatest continuity and scalability impact for their teams in the long run.

This could help them streamline renewals and account management in the most cost-effective way possible. The disruption caused by the COVID-19 pandemic underscores the need for such a data-driven approach to SaaS management.

4. Review and de-provision redundant apps: It is estimated that the average organization could save up to 20% annually by running regular SaaS audits and canceling subscriptions that are no longer required.

Automatic renewals should be discouraged wherever possible, and teams should be asked to obtain prior approval. However, when it comes to termination, SMPs can play a major role. 

As the report shows, 67% of respondents expect a SaaS Governance Policy to provide guidance on data management. 

So CIOs and IT managers must make concerted efforts to adopt app termination processes that make it easier for employees to secure business data before closing an account, especially in situations where they may need to coordinate with the SaaS vendor. 

Given that only 52% of companies followed a documented process and 8% of companies have no information on it, there is a need for greater awareness around SaaS de-provisioning.

Plug the Compliance, Security, and Financial Risks via SaaS Governance 

In the 2020s, SaaS spend is likely to increase consistently as businesses try to become more resilient. However, as businesses get more integrated, compliance and data security are becoming a bigger challenge than ever before.

A well-designed SaaS Governance strategy can be the first step to plugging the risk and compliance gaps in the SaaS stack in use by companies around the world. 

By implementing a SaaS management platform, businesses could analyze and actively meet the growing SaaS needs of their teams in the most cost-effective way while protecting valuable business data. 

SaaS management platforms are an ideal solution for optimizing spend, strengthening security and compliance, and facilitating innovation and growth.

Are you doing enough to manage compliance risk and protect sensitive customer data? Do you inventory the SaaS apps used by your team? Here’s how to win big by optimizing both.