Contracts can’t control cloud risks

Any large, software-intensive business considering cloud computing needs to weigh up the risks of the cloud against its reliance on in-house legacy IT systems.

Jorn Bettin, IBRS analyst.

There are several risks involved when sweating legacy systems – outages at the Royal Bank of Scotland and NAB serve to illustrate, as do countless unreported delays in introducing new features.

I have come across global banks with legacy systems that require a gestation period of 18 months from requirement specification to delivery into production for the smallest of new software features.

Below the surface, web-based business software is redefining the story of outsourcing and blurring organisational boundaries to an extent where business executives are no longer in any position to list all the software services that are consumed by an organisation.

Most of the debate around cloud risks has been limited to the risks of using public cloud services from large global suppliers. I feel it’s time for a constructive debate over the quality of B2B software services from local providers of business infrastructure services.

Today, the customer-facing B2B software interfaces of banks and telecommunication service providers have emerged as a main source of aggregated risk potential. The crucial question is: Who ends up bearing the impact of risks when banks and telcos choose not to build their own systems?

The elephant in the room is the concept of resilience, which involves building sufficient levels of redundancy into the designs of systems that require a high degree of reliability.

The concept of redundancy is well understood in domains that involve life-critical systems such as aviation or healthcare, but the concept is much less well understood in the software engineering of web-based systems and banking solutions.

Cloud providers such as Amazon provide customers with the ability to deploy systems in different geographies. There are explicit mechanisms in place for using technological redundancy to improve resilience but that redundancy invariably must be weighed up against increases in operational costs.

The bottom line is that when excessive financial engineering is used to drive down operational costs, it invariably affects quality of service. Organisations that are neglecting the resilience of systems are simply propagating the cost of risk mitigation downstream to their customers.

In the absence of reasonably resilient customer-facing business applications, and in order to secure the savings achieved by cutting corners, legal contracts often end up being the focal point of risk management.

Every large organisation has a slightly different approach to the amount of risk they are willing to manage with a contract. All too often I’m seeing warning signs that would suggest many Australian organisations are over-reliant on these agreements.

The outsourcing deal between NAB and Oracle in relation to the supply of core banking software services is the latest example of this legal engineering.

NAB told iTnews: “Oracle historically had many of the individual components of what could conceivably be 'Frankensteined' into a banking solution (iFlex, CRM-on-demand, database etc.), but not an integrated banking system.”

NAB contracted Oracle “to replace NAB's 100-core systems with one integrated banking system that bundles together its customer-facing channel”.

There is nothing wrong with outsourcing non-core competencies, but the particular example raises a question about the choice of solution provider.

Consider, further, the following statement:

“We don't want to do the integration, we want Oracle to do that on our behalf”.

I assume this means that NAB outsources risk to Oracle. I can almost bet that Oracle will also ensure that the outsourcing contract sets a firm limit to the propagation of risk.

The crux of my theory is this: All of the risk that is contractually prevented from reaching Oracle is passed on to NAB customers in terms of outages.

The NAB’s Oracle solution will be hosted on a private cloud hosted by IBM in an NAB-leased data centre.

While that provides some reassurance, ultimately the kind of deployment is a technicality - what matters is the creation of deep chains of software services, and the resulting dependencies and potential failure points. The latter go hand in hand with legal engineering as a "mitigation" strategy.

There are similar examples to NAB dotted across the Australian business landscape. JetStar relies on so many outsourcing partners the airline’s IT operations now only require five full-time in-house IT staff. This strategy has been so successful, executives at its parent Qantas see it as the model of their future.

There are not a huge number of horror stories just yet. Most of the failures that result from an over- reliance on contracts to absorb risk are not publicly acknowledged as such.

Politically, as long as both parties in an outsourcing deal can point fingers at each other over responsibility for quality of service, all stakeholders feel on safe ground. The outsourcing contract may provide a limited protection against financial risk, but the most important measures are those taken to stay on top of operational risks.

The potential impact of legal contracts on overall risk exposure to the wider business ecosystem should not be underestimated. In the wake of the global financial crisis it has transpired that reckless financial engineering was one contributing factor, and that legal engineering was another. And while the quality of service of Australian banks may not bring down the global financial system, it can have significant effects on the productivity of our local businesses.

Outsourcing contracts offer no risk protection for businesses and consumers that rely on web-based banking and telecommunication services. On the contrary, the development of deep tangles of web service supply chains that cross several organisational boundaries make it increasingly difficult to obtain compensation for service outages in a timely manner.

It is time for the industry as a whole to address this lack of reliability. Each organisation in a web service supply chain has the responsibility to offer an appropriate level of redundancy to minimise the risk exposure of customers.

Further, we need to step up to the challenge of offering service level agreements that provide appropriate insurance against service outages. This would be a constructive form of legal engineering that benefits customers.

Jorn Bettin is an analyst for IBRS, providing advice on strategic risk management, operational excellence and big data solutions.