IT at the Helm: Change Management for Cloud-Based SaaS is Key to Minimizing Risk
Cloud computing dates to the mid-1990s – so why is this relatively old concept still such a hot topic? Haven’t we figured it all out by now? And isn’t the benefit of today’s SaaS cloud environments that someone else, namely the SaaS provider, handles software management? What else is there to figure out? Having spent the last several months talking to legal, compliance, and IT professionals about their Microsoft 365 environments, I am confident that there is still a lot that corporate IT departments are grappling with. In fact, a recent survey conducted by Lighthouse of 106 IT managers and executives found that although most organizations had a change management process in place for on-premises feature updates and upgrades, and most organizations planned to have change management in place for enterprise-wide SaaS technology updates in the next five years, only 16% had something in place today. To better harness this technology as it continues to evolve and to minimize risks along the way, it’s important to understand why these change management gaps exist, what their impact is, and how legal and IT teams can work together in new ways to close them.
Managing the Evolution of SaaS
The adoption of enterprise SaaS cloud technologies has only become prevalent in the last decade and growth has skyrocketed over the last couple of years. In fact, Microsoft 365 had 23.1 million consumer subscribers five years ago (Fiscal Year 2016) and that number has grown to 58.4 million. As such, IT organizations have not had to support SaaS enterprise offerings at scale until very recently and today most IT departments are supporting both on-premises and SaaS cloud environments. The first priority in supporting this explosive adoption was to implement and migrate over to the new system. It is only recently that focus has shifted toward governance and processes around these systems.
Even with a newer focus on process, one of the touted benefits of SaaS cloud technology is less maintenance and software support by the in-house IT team. Of course, there is the need to set up processes to resolve user questions and to ensure systems have been set up to facilitate the business running properly. But planning and executing hardware or software upgrades is mostly managed by a third-party provider, so there is not an urgent need to set up robust change management. In addition, the old change management process where major developments are analyzed, tested, and timed for deployment to desktops still applies to Microsoft 365.
However, using the old process for new applications can have drawbacks. First, not all updates that Microsoft or others make are configurable updates where there is a choice on how, and whether, to implement. Second, if users are logging into a web environment (as opposed to desktop apps), IT teams don’t necessarily have control over the version their users are utilizing. Finally, given that most organizations have differing levels of IT permissions, meaning some groups are upgraded sooner than others, teams must move quickly to handle unpredictable and varied update schedules. With the speed and variability of new feature updates, the old process may not be agile enough to handle them. The differences between SaaS and on-premises environments (where you have full control of the upgrade schedule) can leave some gaps even when organizations review, analyze, and test the roadmap and updates from the Microsoft Message center.
The old process often fails to prepare the business for these changes because IT, legal, and other teams are not always communicating about the broader risk or implementation implications. Because the IT team is focused on availability and scalability, it often misses how certain changes can introduce business risks outside of their ken. Solely relying on IT professionals to determine the broader impact of updates can mean that business, regulatory, and other risks outside of IT’s awareness are overlooked.
Measuring the Impact of Updates
Whether these management gaps are tolerable is a risk decision that each organization must make—one that can put the user experience in tension with a developed IT process. In discussions with legal, compliance, and information governance professionals that focus on SaaS services, handling the cadence and speed of these updates is a concern that keeps them up at night. But, quickly providing users new features has considerable benefits for the business too. It’s important for IT to prioritize ensuring that users can access their business data and that the business can continue without interruption over cumbersome update management.
When weighing these risks and benefits it’s important to fully appreciate their potential impacts. An example of where these priorities conflict is highlighted in a change around Microsoft Teams meeting transcripts. In March 2021, Microsoft made an update that allows for a live transcript of certain Teams meetings. In November 2021, Microsoft expanded that functionality to Teams Channel meetings and upgraded the features of live transcripts to include name attribution to the speaker. This is helpful functionality for users and, given that it is an automatic upgrade, there may be little to do from an IT perspective. From a risk and legal perspective, however, there are a couple of key considerations. First, where is the transcript stored after the meeting and do retention policies apply? Second, is the data subject to ongoing regulatory or litigation requests and how is it accessed? The answers to those questions are complicated by the fact that the location of the data depends on whether a user downloaded the transcript after the meeting. Many IT organizations caught this change by reviewing the Microsoft Message center for updates—and in doing their own testing they determined that disabling the functionality was the best course of action. This was an update with obvious data ramifications that outweighed the potential benefits in a risk assessment from both IT and legal. For updates that are less obvious, IT may not have consulted legal. For updates where the value to users may seem to outweigh the risk, where the risks aren’t initially apparent, or when there are no configuration options—IT may have a more challenging decision to make.
Reimagining a Change Management Process
Having a cross-functional framework in place to discuss and implement these types of updates is key to managing changes. Many organizations have some sort of accountability in place around updates—an individual or group of people are responsible for reviewing the Microsoft Message center. Although this structure is lower in cost and requires fewer resources, it has a few drawbacks. First, if only IT is involved, you may have only one perspective on the impacts of updates and that can be too narrow to determine the effects on the broader business. Second, many organizations do not have a tracking mechanism to determine what Microsoft updates they have read, evaluated, tested, and taken action against. With dozens of messages, many of which don’t need action, it is easy to lose track of what has been evaluated. Finally, if there isn’t clear accountability with dedicated resources the process can lose legitimacy and fail. Organizations who choose to minimize their business risk do not have to put in place a heavy structure to manage updates. In fact, the process around on-premises software upgrades can easily be adapted to the cloud situation.
The single most important thing that an IT team can do for an effective SaaS support practice is to adapt and enforce existing change management and organizational controls. More specifically, IT organizations should consider:
- Dedicating a resource to track and review changes from service and cloud providers to ensure updates and changes are properly evaluated for risk and business continuity.
- Relying on a robust change management system with stakeholders throughout the organization to provide clearly articulated approval, risk identification, testing, and risk management.
- Partnering with your compliance team to ensure adherence to governance frameworks, organizational commitments, and client requirements. The compliance function is trained to manage risk and is uniquely chartered with authority and independence with a company’s governing body.
- Collaborating with legal. Lawyers are trained to spot issues and manage risk for the entire business. Oftentimes, individual departmental stakeholders are responding to team-level incentives. Legal teams are also learning to adapt their governance structures to evolving cloud solutions.
- Leveraging the Project Management Office to ensure that stakeholders and risks are identified at the start of any specific project (i.e., measure twice, cut once).
One of the most effective ways to get the right stakeholders’ input is to create a Change Approval Board (“CAB”) with subject matter experts from every business group to meet on a periodic basis. The CAB provides a framework that ensures IT has input from across the business while still giving it the opportunity to own and manage the support of the software.
One of the benefits of SaaS technologies is the ability to utilize and optimize with the newest features and to take some of the hardware management burden off IT. By putting in place a cross-functional team to review and manage the update process, you can mitigate your organizational risk while allowing users to take full advantage of the benefits.
 In February 2022, Lighthouse surveyed 106 IT managers or above who had Microsoft on-premises and now have Microsoft 365. The survey found that only 16% had implemented a change management process for M365 and 62% of organizations planned to implement one in the next 5 years.