Cloud CRMs – Do we need to manage the risks?

31 Jul 2019

By: David Hart


Organisations upgrading their membership systems or replacing CRM are increasingly moving to cloud-based Software as a Service (SaaS) membership solutions.  There are good reasons for doing this – flexibility, scalability, security, reducing the overheads of in-house IT, no longer having to worry about upgrades etc. – and of course it is the way the market is moving now so there is often little choice for many organisations but to take this route.

The data about members and contacts is the key asset for any membership body or association, and its membership system underpins most of its day-to-day operations. The common cloud platforms (AWS, Azure, Office 365 etc.) are all highly secure, with sophisticated back-up and disaster recovery, but the key difference between SaaS and the traditional in-house solution is that the user has no control over either the system or the data – the control lies entirely with the supplier.

That might be fine, and certainly makes life easier. We can focus on supporting our members rather than worrying about the IT. But what if anything happens to our supplier? It may be unlikely, but what would happen if our supplier goes bankrupt, or just stops paying the hosting service bill? What would we do? Would we lose the system completely? How long could we continue to work without it, and could we get it back?

Is this a realistic risk that associations should be managing and, if so, how should we do it? 

Data is probably the easiest area to secure, certainly with Microsoft solutions, as tools are available to readily extract copies, provided of course you have somewhere to put them. But if you no longer have access to your system, what can you actually do with the data? I hear it said that the benefit of a Dynamics CRM is that there are lots of suppliers out there, so if you have a problem with one you can move. However, you probably bought your particular system because of the functionality offered by your supplier – can your data be loaded into a different system and used effectively? What if you are one of the increasingly large number of associations that have a proprietary membership product (widely used as they offer specialist functionality at a significantly lower cost)?

In the old world of in-house membership systems, we would simply have put in place appropriate back-up and recovery arrangements, and entered into a relatively low-cost escrow agreement to release the source code in the event of supplier failure. In the new SaaS world, though, that won’t work, as we would need to have access to the full solution, i.e. the platform, the code and the data. Escrow arrangements for SaaS are available, but anything that offers assurance of business continuity is unlikely to be affordable for most membership organisations.

Clearly there are things we can do to minimise the risk, particularly through due diligence at procurement stage, ongoing monitoring of the supplier’s status etc., but the risk will always remain as it is an inherent feature of the SaaS model.

Is it something as a sector we should be concerned about, and is there more that suppliers to the sector could be doing?

These are real questions we are having to deal with at the moment.  I don’t know the answers, but would very much like to hear the views of the wider membership and supplier community.  Please contact me with your thoughts –