How To Create a SaaS Governance Policy

SaaS has spread its tentacles throughout your organization – and that’s a good thing. Ease of entry, common sense and normalized methodologies, tools that fit the job (rather than jobs that align with the tools), seamless updates, easy integrations, simple terms, and low cost are just a few of the reasons it has made such an impact.

And that impact is spread across your organization –

  • The Sales and Marketing teams have CRM and integrated marketing automation, digital asset management, and lots of communications and analytics
  • Operations has HR and recruiting packages, travel and expense software, vendor and contract management, and a variety of tools for straight up financial operations.
  • IT and Product Development use specialized monitoring, ticket tracking, communications, analytics and security SaaS (not to mention having to jump in and help with SaaS issues across the company).
  • Even specialist teams, like customer service, GIS, and Data Management, are finding solutions in the cloud.

It’s everywhere, and it’s spreading, and OMG how do we control it? We certainly can’t afford to stop the rapid innovation and potential cost benefits, but how do we maintain IP security, and control costs with such a widely distributed network?

Your first priority will be to establish a governance policy for your SaaS products – one that is specific enough to provide control over the flow of critical information, yet flexible enough to provide the opportunity to keep up with the rapidly changing technology landscape.

How to Craft a SaaS Governance Policy

This is a good time to think about how strict you want your policy to be. If you come out too severe, you may end up encouraging workers to make end runs around the policy, or worse, discouraging innovation; too lax and you’ll maintain the status-quo and further your loss of control over security, wasted budget and transparency.

Step 1: Getting Started

Gather information on any policies you may have in place – start with department heads and move through appropriate teams accordingly. Check with wide-domain tech users such as webmasters and anyone with digital in their title ;). Check with legal on any larger SaaS contracts that may be in place. In all cases, ask what they like about the relationship with the specific SaaS providers. (This is also a good time to ask whether they have any SaaS that they tried but ended up abandoning…) A friendly demeanor up front will encourage adoption later.

Hint: Modern SaaS tools like Trello are great for taking notes, turning them into action items and then structuring/outlining your final docs.

Step 2: Compiling Best Practices

Each industry is different, and of course every company has its own strengths and weaknesses. However, here are a couple of general areas you might want to make certain your policy addresses (or not, depending on, well you know…). Remember the policy will help you make future decisions, and good questions to ask are:

  • Functionality – Does this SaaS duplicate something you already have in house? If it’s a replacement, does it lack any mission critical functionality?
  • Security – Does this SaaS adhere to your company’s standards for Data Security – redundant backups, breach notifications? Will any data be stored outside of the US, and is there adequate legal protection against theft? Is the NDA provision adequate?
  • Integration – What are the points of integration and will anything need to be customized? What is the cost of integration? Will there need to be patches made on your end to keep up with patches on theirs?
  • Does the SaaS vendor have a disaster recovery plan in place?

You can also do background research on other SaaS governance policies. “Good artists borrow, great artists steal,” is a good rule of thumb – particularly when seeking the elegance of language required to get and keep a wide array of employees in step. Pick a few companies that you admire, and spend a little time on Google, and you might be surprised at what you can find.

Step 3: Draft it Up

Compile the best of the best policies. Make sure you have addressed your business’s greatest concerns. As you review the document you have drafted, remember that jargon that may resonate with an IT department or Digital Marketing Manager may not make any sense to a Data Specialist, and if it doesn’t make sense, it won’t get followed. Also, keep it as short as possible for maximum adoption and adherence.

Step 4: Executive Buy-in

Everyone has a boss, so the higher you can get this approval, the better. The Marketing and Sales Groups likely don’t much care what the Director of Procurement demands, and have their own weapons of bad behavior to make life miserable – so get one of the corner offices to issue the proclamation.

Step 5: Wrapping Up

To Recap:

  • Ask around – there may be a good foundation in the company to build on
  • Make sure the policy addresses aspects of SaaS that are important to your business
  • Keep it straightforward – simple policies get adopted
  • Get the big boss on board – it’s important enough for them to get behind


SaaS offers a potential advantage over traditional IT in a wide variety of business applications. However, the rapid deployment of new offerings can create a confusing patchwork of solutions in today’s workplace. Crafting a SaaS governance policy is a great way to ensure a more predictable, stable and secure business environment.
