Recommendation

In this section we will give some recommendations both to the SaaS Sourcing Lifecycle itself and also for Shell.

11.1. For SaaS Sourcing Lifecycle

In the validation process of the SaaS Sourcing Lifecycle, we see that trust and relationship has been an important consideration in making the decision regarding the supplier, therefore this will need to be incorporated in the SaaS Sourcing Lifecycle.

Another item is that in the decision tree when deciding a go-no go decision for SaaS, we have not considered a consideration for SAP as a choice when deciding a type of application, so the

strategy within Shell is to also consider SAP as one of the option strategy. Another input we get is that in the SaaS Sourcing Lifecycle we also have not give real form on change management guidelines which is something important within Shell.

The SaaS Sourcing Lifecycle has been tested only in one case, therefore we recommend Shell to use the lifecycle in another projects starting from the very early phase and the re-evaluate and improve the lifecycle.

All of these recommendation are coming from a Shell perspective, therefore its generality need to be validated before integrated to the SaaS Sourcing Lifecycle.

11.2. Recommendation for Shell

We see there are 8 items that needs to be followed by Shell to successfully implement a SaaS model:

1. Make sure that you really know whether or not you want SaaS.

When building the business needs, business should understand their own business strategy, what they are aiming for in the coming years. They should understand strategically

whether they will need a service with unique functionalities because it will bring strategic business added value, or they just need something standard because the application will not support something that will bring strategic added values.

2. Start change management in the early stage

Simplification is something that needs to be kept inside every body´s head. Without having this way of thinking, Shell will have tendency to go to the gold plated solutions which of course leads to higher price. Awareness of how the decision of choosing SaaS will impact the users or any part of Shell will need to be communicated so their

expectations can be managed.

3. Perform Business Impact Assessment (BIA1) before any decision making.

As we have discussed before, SaaS model is not always the right answer to outsource an

1)

BIA: Standard method to assess the consequences from the loss of availability, integrity, confidentiality and/or regulatory compliance of an information asset.

application.

Therefore BIA should always be done to know what the impacts are, or risks faced by the business related to information security. The information resulted from the BIA should be part of the input used in the decision making process to go for SaaS or not.

4. SaaS Supplier needs to comply with the compliance items defined by Shell

Compliance is a really important factor in Shell. Therefore any selected SaaS supplier should comply with the compliance items defined for a typical SaaS application.

5. Project needs to engage with BAM and IRM in gathering requirements for RFP

Both BAM and IRM is the owner of non functional requirements for a solution. Projects need to engage with BAM and IRM to gather the requirements regarding service level, information security, compliance, supportability and other non functional requirements. The requirements gathered from BAM and IRM then need to be merged with the functional requirements into the request for proposal that is going to be sent to potential suppliers. This action will ensure that the supplier is qualified from the business

perspective and also IT perspective

6. Execute Threat Vulnerability Assessment (TVA1) for most potential supplier

Once there is a most preferred supplier has come into the picture, a TVA will need to be done to this supplier to ensure awareness of the business on the vulnerabilities of the service provided by the SaaS supplier. The business may choose to accept, transfer or remediate the risk. The decision from the business will then drive the decision to choose that certain supplier or not.

7. Ensure that the key clauses for SaaS are included in the contractual agreements.

Shell need to have a minimum checklist of the key clauses that they would like to have in the contractual agreements with the SaaS supplier. This is due to the reason that the contractual agreements for SaaS service are usually provided from the SaaS supplier to the customer and not from the customer (in this case Shell) to the SaaS supplier. The contracting key clauses list resulted in this research is sufficient to be used as the checklist.

8. Any enhancement proposal is voiced only through the user community.

The business should not directly have a contact with the Supplier and request any enhancement, since with the size of Shell as a company, will bring a high possibility of turning a SaaS into an ASP. Shell representatives should only voice their enhancement requests through the user community. The decision making to realize this request or not will still lies to the SaaS supplier, since any enhancement in the solution will also apply to other customer. For any enhancements in a SaaS model, there will be no extra fee charged to the customer since any enhancements are included in the service fee.

1)

TVA: A process used to assess the likelihood of incidents happening. Combined with the business impacts this determines the risk: RISK = IMPACT * THREAT * VULNERABILITY. Threats are e.g. human errors, natural disasters, criminal intents from within or outside the company. Vulnerabilities are deficient or missing controls.