Fellow compliance thinkers, I have seen the future—or more precisely, I have seen the Next Big Idea coming to a corporation near you, sure to add a new dimension of complexity to the already complex world of ethics, compliance and financial reporting we encounter every day.

I have, at long last, grasped what this “cloud computing” thing is all about.

IT vendors and consulting firms have been pestering me about the value of cloud computing for several years. It could cut a company’s spending on IT operations dramatically, they said, by letting you store corporate data somewhere on the Internet (that is, the cloud) instead of buying and maintaining servers and other IT equipment yourself. A simple example of cloud computing is Gmail; Google provides users with an email address and stores their email data on its own servers, and users then access that information from wherever they are via Web browser.

IT departments have a specific term for this technology: virtualization. Google is providing a virtualized email server, to save you the expense of owning one yourself. The actual server that Google operates—where it is, which company built it, the operating software behind it—is irrelevant to you, who only need it to deliver your email messages through the cloud to your computer screen. Remember that virtualization concept; we’re going to return to it shortly.

The compliance concerns for our Gmail example, meanwhile, are pretty obvious. Imagine your accounting staff communicating about the next periodic filing via Gmail, and some departmental dimwit checks his account at an Internet café and forgets to log off before he walks away from his terminal. Or maybe a sales rep in the pharmaceutical division has all sorts of HIPAA-protected data sitting in a Hotmail address, and her laptop gets stolen at the airport. We can conjure up any number of scary examples, where employees store corporate data off-site and you can’t control the security around it.

But as I said, Gmail is a simple example of cloud computing. Now let’s scale it up to what’s coming next: Software-as-a-Service.

SaaS treats software programs just like data storage: something that exists in the cloud, without you ever actually owning it. In the SaaS world, you can purchase software computing power like you purchase electricity, paying for however much you use without caring where it comes from or who provides it. Electricity is just electricity, after all. Now imagine treating your accounting function—or the HR department, or records management, or any other business function—exactly the same way.

In other words, cloud computing first let us virtualize IT infrastructure. SaaS lets you virtualize processes. It lets you virtualize people.

Think about that for a moment. Imagine a world where your corporate headquarters are in the United States, but you “purchase” management of your product specification data from an IT vendor in Canada. You might need twice as many people during the busy sales season in fall, and they won’t necessarily be the same people who handled your data the previous spring. You believe the IT vendor uses labor in South Asia to do the actual work, but you’re not entirely sure. And the data those people access? That’s on another server somewhere in Europe. They pull the data through the cloud to do the number crunching, and your vice presidents of sales and engineering monitor all that activity via reports coming through the cloud as well.

Astute compliance officers should have a queasy feeling about cloud computing by now. Add a product recall into our hypothetical scenario outlined above, and imagine the litigation risks flying back and forth. Your customers will want to sue you, while you might chase the IT vendor, who at least in theory could try to hold his South Asian labor responsible—but good luck tracking down those culprits in India or Indonesia or the Philippines. And none of that will do much to soothe the board, staring at front-page headlines in the media.

Ah, you say, but we have a stellar compliance operation and have anticipated all this. That litigation risk is too high, so we keep all those functions in-house, where our IT and compliance departments can monitor everything. This would never happen at my company.

Well, let me add one more condition to our SaaS scenario above. Imagine your sales and engineering managers going online, finding a few SaaS vendors through a Google search, and purchasing those services with a credit card—all without ever telling the compliance department.

That is what SaaS represents: the ability to buy computing functions whenever you need them. One executive at a cloud vendor described this whole process as “the consumerization of buying software and storage applications.” That is, once upon a time, the IT department had to make those purchases because only the IT staff knew how to set up those computers and software programs to support your business processes. Now anybody can just buy business processes online, delivered through the cloud, without ever sparing a thought for the compliance department.

That’s something compliance executives should think about—quite a bit.