Risks and rewards of cloud computing in the UK public sector: A reflection on three Organisational case studies

  • Steve Jones
  • Zahir Irani
  • Uthayasankar Sivarajah
  • Peter E. D. Love
Open Access
Article

DOI: 10.1007/s10796-017-9756-0

Cite this article as:
Jones, S., Irani, Z., Sivarajah, U. et al. Inf Syst Front (2017). doi:10.1007/s10796-017-9756-0

Abstract

Government organisations have been shifting to cloud-based services in order to reduce their total investments in IT infrastructures and resources (e.g. data centers), as well as capitalise on cloud computing’s numerous rewards. However, just like any other technology investments there are also concerns over the potential risks of implementing cloud-based technologies. Such concerns and the paucity of scholarly literature focusing on cloud computing from a governmental context confirm the need for exploratory research and to draw lessons for government authorities and others in order to ensure a reduction in costly mistakes. This paper therefore investigates the implementation of cloud computing in both a practical setting and from an organisational user perspective via three UK local government authorities. Through the qualitative case study enquiries, the authors are able to extrapolate perceived rewards and risks factors which are mapped against the literature so that emergent factors can be identified. All three cloud deployments resulted in varying outcomes which included key rewards such as improved information management, flexibility of work practices and also posed risks such as loss of control and lack of data ownership to the organisations. These findings derived from the aggregated organisational user perspectives will be of benefit to both academics and practitioners engaged in cloud computing research and its strategic implementation in the public sector.

Keywords

Cloud computing Risks Rewards Case studies Public sector Local government authority 

1 Introduction

Cloud computing is considered to be the latest evolution of the internet (Sabi et al. 2017; European Commission 2014). It is an emerging paradigm of computing that allows for delivering information technology (IT) resources and services through a network, usually the Internet (Krishnaswamy and Sundarraj 2015; Bhattacherjee and Park 2014). Primarily, the cloud consists of the provision of information systems (IS) and the whole range of IT infrastructure, such as servers, file storage, email, telephones, personal computers and laptops, over the internet, instead of being hosted locally and on site by an organisation. Cloud computing elements have been around for some time, with companies such as Google offering certain aspects of cloud, such as email. However, in recent years the cloud solution has developed and matured to offer the full range of IT services (Panda et al. 2017). According to a report by Forrester Research, the global public cloud market is expected to reach $191 billion by 2020, growing significantly from 2013’s market size of $58 billion (Columbus 2014). Furthermore, the European Commission (EC) considers that the public services and administration are being transformed increasingly by the evolution of technologies such as cloud computing that encompass distinguishing technical and commercial features (ENISA 2015; Pillay 2014; Fishenden and Thompson 2013). Thus, signifying the importance that governments worldwide are recognising cloud computing as an enabler of digital government services, from platforms that manage citizen requests and transactions to those that handle massive data sets. This highlights the sheer importance that many organisations and IT executives place on these technologies and helps underpin research in this area.

Public sector organisations have traditionally delivered and hosted IT systems locally. The United Kingdom (UK) government similar to other countries such as the United States (US), Australia and other European countries have called for public sector organisations to strategically embrace cloud computing to reap its benefits (Mendoza 2014; Kundra 2011; Cabinet Office 2011a). The UK national government has made particular reference to the Government Cloud (G-Cloud) where the architects of this UK government strategy have predicted that significant savings of approximately £3.2bn can be made by switching to this initiative (Kepes 2015; Cabinet Office 2011a). The reason for this is that G-Cloud is seen as a shared service, with resultant shared costs, which would lead to reduced individual costs for each organisation and create a level playing field for suppliers who wanted access to Government contracts (Donnelly 2015). There is also increasing recognition that efficiencies and shared risks and rewards will come from common information technology systems and business processes in the public sector (Khanagha et al. 2013; Simpson 2011). It has also been asserted that the G-Cloud will improve IT resilience, deliver more agile IT responses to changing business requirements and enable organisations to become more innovative (Cabinet Office 2011a). However, there are also concerns over the potential risks of cloud computing and the main obstacles considered impeding its adoption are standards, certification, data protection, interoperability, lock-in, and legal certainty (Burton 2015; ENISA 2015). Such issues emphasise the need to explore this area and to pass on useful observations to others.

This paper seeks to investigate the perceived risks and rewards1 surrounding the implementation of cloud computing through exploratory research via three case studies, in which United Kingdom Local Government Authorities (UKLA1), (UKLA2) and (UKLA3) have recently implemented cloud computing technologies. Cloud systems were introduced primarily with the intention of reducing costs and to strategically comply with the UK political mandate to implement cloud computing. The paper draws upon the literature and case study findings to extrapolate the perceived rewards and risks together with practical lessons to help assess the implementation of cloud computing in organisational settings and from three aggregated user perspectives. Thereby, seeking to enhance existing taxonomies of rewards and risks surrounding cloud computing. In doing so, this paper contributes to the normative literature by strengthening existing knowledge factors and providing new insights on cloud computing in the public sector especially from a local government perspective. Furthermore, the paper is concerned with the high-level, key strategic issues and lessons that have emerged from the case studies and aims to inform both theory and practice. Therefore, the contribution of the research will be of benefit to both academics and practitioners engaged in cloud computing research and implementation.

2 Rise of cloud computing and its significance, risks and rewards

The explosive growth and use of the Web has resulted in internet challenges such as supporting thousands of concurrent e-commerce transactions and millions of search queries a day. In response to facilitating such web transactions and queries, technology firms have had to develop increasingly large data centres to support this ever-expanding load of electronic information (Sivarajah et al. 2017). Thus, cloud computing represents the commercialisation of these solutions provided by technology organisations such as Amazon, Apple and Google to name but a few (Amoretti et al. 2013). In the public sector, government organisations and its early use of cloud computing has been an inevitable response to informal use by its employees, agencies and departments (Sultan 2014; Paquette et al. 2010). Cloud computing is a new computing paradigm for delivering computing resources and services through a network which is usually the internet also metaphorically referred to as the “cloud” (Sultan 2014; 2013; 2011). According to Regealado (2011), MIT Technology Review traced the coinage of the term ‘cloud computing’ back to late 1996; where a small group of technology executives based in Compaq Computer’s were discussing the future of internet business and referred to it as cloud computing. There is little consensus on how to define this paradigm in the literature (Foster et al. 2008; Voas and Zhang 2009). However, the definitions that generally refer to it as clusters of distributed computers (i.e. large data centres and server farms) that enable convenient, on-demand access to resources (e.g., networks, servers, storage) and services (e.g. software and web applications) over a networked medium such as the internet in a self-service fashion, independent of device and location, appear to be commonly accepted (Marston et al. 2011; Scarfone et al. 2009). Cloud computing platforms are mainly categorised into three distinct classes of services (Zissis and Lekkas 2011; Sultan 2011). Each service model category outlined below serves a different purpose and offers different classes of services for organisations and individuals
  • Infrastructure as a Service (IaaS): is a provision model offering the consumer outsourced processing, storage, networks, and other fundamental computing resources by cloud service providers such as IBM, Microsoft and Amazon’s EC2.

  • Platform as a Service (PaaS): is a service delivery model allowing the consumer to deploy consumer-created or acquired applications (e.g. operating systems, databases, Web servers, etc.) onto the cloud infrastructure.

  • Software as a Service (SaaS): is a software distribution model providing the consumer with the capability to use the provider’s applications running on a cloud infrastructure which are made available over the internet and accessible through a web browser. This type of cloud service offers complete application functionality that ranges from productivity applications (e.g., word processing, spreadsheets, etc.) to programs such as those for customer relationship management (CRM) or enterprise resource management (ERM).

There have been various views among scholars with regard to the drivers behind the recent emergence of the cloud computing phenomenon. As per Foster et al. (2008) and Sivarajah et al. (2015; 2014) some of the factors contributing to the surge of interest in emerging technologies such as cloud computing are as follows: (1) a decrease in hardware costs and an increase in computing power and storage capacity; (2) rapidly growing data size in terms of internet publishing and archiving and (3) widespread adoption of services computing and Web 2.0 applications. Sharif (2010) explores the collision between internet and enterprise computing paradigms and explains why cloud computing and emerging technologies will be driven not by computing architectures but by more fundamental information and communications technology (ICT) consumption behaviours. Such views are underpinned by viewing SaaS, and the impact of social, open source and configurable technology services.

2.1 Significance of cloud computing in the government context

In the governmental context, cloud computing is used as a tool to facilitate information sharing, applications processing, and as a cost-saving measure compared to traditional technological architectures (Ali et al. 2014; Shin 2013; Mukherjee and Sahoo 2010). Cloud computing platforms offer an operational model that can digitally combine geographically remote data centres into a common infrastructure, providing a prime gateway to government related services and data. Thus, allowing organisations to leverage existing infrastructure and provide public services while using fewer resources, reducing carbon emissions, and contributing to wider carbon-reduction targets (Zissis and Lekkas 2011). Besides these significant benefits, cloud computing also facilitates strategic IT architecture for organisations as it allows for ubiquitous IT where it provides users with the freedom to access cloud systems from any location as long as they are connected to the internet (Nolan 2012). According to Paquette et al. (2010) the United States federal government, began to incorporate cloud computing infrastructures into the work of various departments and agencies. The interest in exploring the cloud as a strategic component in the federal IT transformation has been expressed in favour by President Obama and the Chief Technology Officer Vivek Kundra (Miller 2009; Paquette et al. 2010). Their key reason for wanting to explore cloud computing in federal IT transformation has been in order to openly engage with citizens and spur innovation within government organisations (Paquette et al. (2010).

In the UK, government announced the establishment of an UK onshore, private Government Cloud Computing Infrastructure called G-Cloud (Cabinet Office 2010, 2011b). There are six government initiatives that have sparked the creation of this cloud computing plan:
  1. 1)

    Standardize and Simplify the Desktop;

     
  2. 2)

    Standardize Networks and Rationalize Data Centre Estate;

     
  3. 3)

    Deliver on Open Source;

     
  4. 4)

    Open Standards and Reuse Strategy;

     
  5. 5)

    Green IT;

     
  6. 6)

    Information Security and Assurance.

     

In addition to these six existing initiatives the G-Cloud is also there to help the government improve: a) Shared Services; b) Reliable Project Delivery; c) Supplier Management; d) Professionalizing IT Enabled Business Change. The UK central government is recommending that the UK public sector deploys cloud solutions (Cabinet Office 2011b) and there have been some early adopters. For example, the London Borough of Hillingdon is one of the first UK local government authorities that has announced plans to move into SaaS platforms by using Google Apps for Business. According to the Council (i.e. local government authority), this shift into cloud computing is expected to improve its internal collaboration and productivity, giving it the scope to develop new ways of working, and produce cost savings of nearly £3 m in the coming years (Guardian 2011). Another example in the UK is Warwickshire County Council, which is to phase out its current internal email solution and implement Google Mail as part of the government’s G-Cloud computing service. The council is working closely with the Cabinet Office with a pilot, which will be the one of the first major public sector organisations to provide email services via the public cloud. Anticipated benefits had included savings due to reduced licensing costs, increased flexibility and mobile working (Computer Weekly 2011). It is apparent that there is a need to continue to transform public services and administration by the use of emerging technologies such as Cloud computing to enable transformation of the way the public sector runs and operates (Cabinet Office 2010). The UK public sector has responded to the increasing demands and in doing so has built an ICT infrastructure that in many cases duplicates solutions across various areas of government. The Government ICT Strategy (Cabinet Office 2010) ensures that the Cloud infrastructure goes through a process of standardisation and simplification, to create a common infrastructure designed to enable local delivery suited to local needs. As a result of the synthesis presented in this paper around cloud computing and its significance across government, there is much need to explore this emerging domain. Specifically identifying those constructs supportive of the evaluation of cloud computing. Better understanding these constructs, namely risks and rewards will support decision makers in government to assess the impact of cloud computing on their organisation.

2.2 Risks and rewards of cloud computing

Government institutions implementing a cloud computing operating model can gain value from the concentration of data that result in centralisation, which leads to better consistency and accuracy (Zissis and Lekkas 2011). The centralisation of data and application solutions has the capacity to provide additional tools, thereby enhancing timely communications and control. Reducing the time required to access both data and applications, not only across departments but also between business partners, generates stronger collaboration. Leveraging existing remote infrastructures into a common information system (IS) reduces installation and monitoring time and expense, and focuses on improving quality (Chhetri et al. 2015). By centrally managing, developing, implementing and assessing a system, costs can be amortised across the federal structure. Nevertheless cloud computing is an emerging computing service paradigm. Consequently, due to its sheer scale, complexity and novelty, there are still uncertainties, risks and concerns surrounding the technology’s maturity. The key issues presented are those relating to performance, provider trust, service provider lock-in, control, performance, latency, security, privacy and reliability (Sultan 2011; Catteddu and Hogben 2009). One of the main challenges is to ensure that only authorised personnel can gain access to data as cloud computing provides ubiquitous access to stored data (ibid). In addition, although cloud computing allows for stronger collaboration, the sharing of knowledge is also risky and cannot be done in an arbitrary manner (Trkman and Desouza 2012; Marabelli and Newell 2012; Roberts 2011). This also ties in with the problem of trusting cloud computing and its service providers (Armbrust et al. 2010). Organisations question cloud computing’s capabilities as it is an emerging technology but trusting cloud computing doesn’t lie entirely in the technology itself. The lack of customer confidence also rises from a lack of transparency, a loss of control over data assets, and vague security assurances (ibid). Therefore, while cloud computing remains one of the top technology investments, the deployment of these technologies is being made cautiously due to its unknown long-term implications (Luftman and Ben-Zvi 2011).

Government organisations are under increasing pressure to find ways to measure the contribution of their organisations’ IT investments to enhance performance, as well as to find reliable ways to ensure that the value from these investments is actually realised (Lin and Pervan 2003; Smith et al. 2004; Xu 2012). Therefore, it is important for managers to improve their understanding of the impact of IS on organisational performance; in particular, understanding the rewards and risks related with the financial and social capital investments in developing such infrastructures (Irani and Love 2008). Proponents of the cloud argue that implementation can reduce costs and improve current IT deployment. Existing literature and practitioner reports (Wyld 2009; Sultan 2011) mainly present a few ambiguous arguments on cloud computing rewards and risks. Although these discussions present a general assessment of this emerging phenomenon, very few case studies articulate a systematic list of rewards and risks that seek to aid government organisations in their decision-making processes when choosing to use cloud computing. When it comes to theoretical insights associated with cloud computing, these tend to be orientated around for example the science of the cloud (see for example Marinescu 2013) which suggests that existing theories such as IT diffusion (Fichman 1992; Moore and Benbasat 1991) and Technology Acceptance Model (Venkatesh and Davis 2000; Legris et al. 2003) to name but a few are relevant to the cloud based computing domain. However, before assembling the literature through which those factors associated with cloud computing are to be extrapolated, an appropriate organisational lens needs to be identified. In support of identifying such a lens, a normative framework that recognises the transformational and transactional implication of cloud computing was sought. The works of Anthony (1965) provides a progressive hierarchical structure that propose the following management levels around which organisations are traditionally structured. This layered approach was considered to offer a structured approach through which the rewards and risks of cloud computing could be mapped:
  • strategic;

  • tactical; and

  • operational.

These hierarchical levels are related to the traditional structure of top management, middle management, and operating or supervisory management functions. The mapping of this hierarchy to an emergent taxonomy of benefit realisation was first proposed by Irani and Love (2001a, b) and then empirically tested by Irani (2002). It is the extension of this perspective when mapped to rewards and risks of cloud computing that adds to new knowledge. In this regards, Tables 1 and 2 present a categorised list of rewards and risks of cloud computing through a lens proposed by the normative work of Anthony (1965) where this paper contributes to the normative literature. The proposed tables therefore provide a practical means to assist decision makers in making informed IT investment decisions, and help with the evaluation of business cases for the implementation of these emerging technologies (Irani et al. 2005).
Table 1

Rewards of cloud computing

Classification

Factors

Description*

Strategic

• Centralisation of infrastructure

- Being able to centralise government infrastructure in locations with lower costs for example out-of-city centres.

• Increased resilience

- The nature of cloud computing removes single points of failure and therefore provides a highly resilient computing environment for government organisations.

• Device and location independence

- The independence of device and location enables users to access systems using a web browser regardless of location or device.

• Release internal IT resources

- The reduction in the use government organisation’s own computer system and peripherals.

• Better Citizen Services

- Government organizations are redefining their businesses to deliver improved citizen services. For example, the Open Government initiative and Government as a Platform concept are good examples of better citizen services provided by governments informing and empowering the citizens through dashboards and scorecards about government and the flagship initiatives.

• Green Technology

- Cloud storage services are more energy efficient than storage on local hard disk drives when files are only occasionally accessed. Additionally cloud services are more efficient than modern mid-range PCs for simple office tasks. Thus reducing an organisation’s carbon footprint by saving energy.

Tactical

• Improved business continuity and disaster recovery

- Improved business continuity for government authorities and disaster-recovery capability by being on several cloud sites.

• Improved agility and empowerment

- Improved agility and empowerment with users’ ability to re-provision technological infrastructure resources themselves.

• Faster implementation

- Cloud-based implementation can be achieved relatively quickly accelerating the time required to make the new services available to internal users compared to traditional systems implementation.

• Improved security

- Improved security by being able to leverage the cloud service providers’ specialised security and privacy staff personnel and additional robust security systems and infrastructure.

• Scalability

- Allows servers and storage devices to be shared and utilisation be increased or decreased as required.

• Easier application migration

- Ability to easily migrate application from one physical server (cloud) to another.

Operational

• Reduced costs

- Cost reduction as capital expenditure is converted to operational unit cost expenditure.

• Reduced maintenance and support

- Reduced maintenance and support, especially for in-house IT teams, as software does not need to be installed on each user’s computer and can be accessed from different places.

• Flexibility of work practices

- Easier access from any appropriate internet-ready device, as infrastructure is off-site and provided by a third party and accessed via the internet, users can connect from anywhere.

• Utilisation and efficiency improvements

- Improved resource utilisation and more efficient systems especially for systems that are often only 10–20% utilised.

• Shared services

- Multi-tenancy enables sharing of resources and costs across a large pool of users.

• Increased peak-load capacity

- When peak-load capacity increases users need not engineer for higher load-levels.

*Normative References: Aymerich et al. (2008); Youseff et al. (2008); Armbrust et al. (2010); Marinos and Briscoe (2009);

Wyld (2009); Accenture (2010); Iyer and Henderson (2010); Baliga et al. (2011); Costello et al. (2011); Bhattacherjee and Park (2014); Perepa (2013)

Table 2

Risks of cloud computing

Classification

Factors

Description*

Strategic

• Unproven financial business case

- As most cloud projects are at an early stage there are limited or unproven financial business cases supporting the adoption of cloud systems. It is worth nothing that this risk could oscillate between strategic and operational risks of an organisation.

• Loss of governance

- Cloud computing amplifies the need for governance and this requires the control and oversight by the organisation over policies, procedures, and standards for cloud computing services.

• Lack of trust on providers

- Organisations relinquish direct control over many aspects of security and privacy to the cloud provider which necessitates a high level of trust of the provider.

• Security and privacy issues

- Data sensitivity and privacy of information is a pivotal concern as there is a risk of unauthorised users gaining access to sensitive data due to various users accessing the servers all the time. Risks of security and privacy issues could also shift between strategic and operational risks of an organisation.

Tactical

• Portability restrictions

- The issue of being locked into a single cloud service provider due to high switching costs in terms of effort and time to switch between providers.

• Lack of data ownership

- Organisation’s ownership rights over the data must be firmly established in the service contract to enable a basis for trust and privacy of data.

• Integration restrictions

- Integration with equipment hosted in other data centres may be difficult to achieve. Organisation’s own peripherals (e.g. printers) and email systems may prove difficult to integrate into the cloud systems.

Operational

• Poor performance

- Issues of poor performance are common with new systems because the actual load is different from the predicted load. Sharing internal and external servers may introduce new problems because of the time required for data transfer to external systems.

• Limited storage capacity

- Some cloud service providers can include restrictions on the capacity of storage that they can/will provide.

• Financial pressures

- Though in the long run cloud hosting may prove a lot cheaper, it is currently new and has to be researched and improved making it more expensive in the short run.

• Loss of control

- Loss of control over both the physical and logical aspect of system and data as the shift to the public cloud requires a transfer of responsibility and control to the cloud provider.

• Lack of detailed information about data locations

- As data is stored redundantly in multiple physical locations, there is a risk of unavailability or undisclosed detailed information about the whereabouts of an organisation’s data.

• Disaster recovery restrictions

- Risk of partial or complete loss of data due to natural disasters.

• Lack of service availability

- Availability can be affected temporarily or permanently and a loss can be partial or complete due to equipment outages, natural disasters, virus attacks etc.

• Difficult to customise

- Decreased flexibility to customise systems as the organisation has no control over the cloud systems provided by the providers.

*Normative References: Belanger and Carter (2008); Jaeger et al. (2008); Armbrust et al. (2010); (Khajeh-Hosseini et al. 2010); Wyld (2009); Catteddu and Hogben (2009); Goiri et al. (2010); Popovic and Hocenski (2010); Iosup et al. (2011); Sultan (2011);Yam et al. (2011); Framingham (2012); Martens and Teuteberg (2012)

There are a number of different models (e.g. Ward et al. 1996; Wilderman 1999) that exist in the academic literature to classify the evaluation of benefits of information systems. However, most studies tend to range between either depicting a very specific perspective or a very general overview of IS benefits and, additionally, lack a long-term perspective of the benefits needed for a rigorous IS evaluation. Therefore, for the purpose of this research that is to strengthen and enhance existing benefits taxonomies, the chosen benefit model is adapted from Irani and Love (2001a, b). The authors adapted a strategic planning framework proposed by Anthony (1965) and applied it to the IS domain. In this context, the authors report that IS benefits can be mapped on to three corresponding planning levels; strategic, tactical and operational. While the strategic dimension relates to benefits that are intangible and non-financial in nature (e.g. centralisation of infrastructure), the operational dimension tends to reflect benefits that are tangible and financial in nature (e.g. reduced maintenance and support). On the other hand, the tactical dimension comprises both tangible and intangible benefits such as improved business continuity and faster implementation.

While it is important to assess and recognise the rewards of an IT system, in order to complete a robust IS evaluation, it is equally important to understand the adverse implications of an IS project. This element of risk evaluation or cost implications is often ignored as it is believed that there are significant difficulties with regards to quantifying costs and risks (Irani et al. 2005). The notion of risks in this research context is referred from the viewpoint of cost implications/drawbacks or uncertainty brought about by deploying IT/IS solutions to the organisation (Kaplan and Garrick 1981). According to Saarinen and Vepsäläinen (1993) uncertainty and risk are often used as synonyms in information systems literature. Table 2 presents the risks of cloud computing in order to highlight these implications and also help decisions makers conduct robust evaluations when investing in such emerging technologies.

Given the recent emergence of cloud computing on a large scale, the call from UK central government to deploy this technology and with very few implementations in the public sector in the UK, the rewards and risks, as highlighted above from the normative literature, are now investigated from an organisational user perspective and mapped against three case study scenarios in the next section. The aim is to strengthen and add to the existing literature on public sector cloud computing and to present practical lessons for effective cloud computing deployment.

3 Background to the case study Organisations

A number of factors were taken into account when choosing a case study approach to conduct this research. Notably, these included the need to empirically test the research questions, the complexity of the expected answers, the need to study the phenomenon in its natural setting, the need to do the research within the constraints of time, budget and access to data, and most importantly the need for rich primary data (Yin 2009; Creswell 1998; Easterby-Smith et al. 2008). This is not an exhaustive list of factors, but present ample justification for a case study approach. A detailed discussion on the research design of this study has been reported as part of the subsequent research methodology section. In effect, a case study approach was adopted as it allowed access to the type of real life data essential for this enquiry.

The three case studies chosen are public sector organisations (i.e. local government authorities) that provide a common range of services to the general public. These services include environmental health, refuse collection, building control, planning, highways, social services and education including schools. They are structured the same way with five Strategic Directorates in UK Local Government Authorities (UKLA1, UKLA2 and UKLA3). These are Social Services, Education, Community Services, Highways and Corporate Services. All report to the Chief Executive Officer. Within Table 3, there is a snapshot of their operational infrastructure and resources. The three case organisations all have complementary aspects and were not randomly selected.
Table 3

UKLA1, UKLA2 and UKLA3 profile

Variable

UKLA1 Description

UKLA2 Description

UKLA3 Description

Sector

- Public Sector, United Kingdom Local Authority

- Public Sector, United Kingdom Local Authority

- Public Sector, United Kingdom Local Authority

Services

- Environmental health, refuse collection, building control, planning, highways, social services and education including schools

- Environmental health, refuse collection, building control, planning, highways, social services and education including schools

- Environmental health, refuse collection, building control, planning, highways, social services and education including schools

Service Period

- 17 years (1995 to present, 2012)

- 17 years (1995 to present, 2012)

- 17 years (1995 to present, 2012)

Number of employees

- 7500

- 8500

- 10,000

CEO

- Legal background with legal degree, qualified solicitor

- Finance background with Finance degree and qualified accountant

- Leisure Services background with marketing degree

Customers

- Residents, citizens and tourists of UKLA1

- Residents, citizens and tourists of UKLA2

- Residents, citizens and tourists of UKLA3

Supplier

- Leading public sector cloud services provider

- Leading private sector cloud services provider

- Leading private sector cloud services provider

Competitors

- None, all services provided without any competitors

- None, all services provided without any competitors

- Most services in house, refuse collection outsourced

Service scope

- UKLA1 geographical area

- UKLA2 geographical area

- UKLA3 geographical area

Corporate strategy

- Five-year strategy explicitly defined to deliver public services. Organisation striving to provide high-quality, low-cost and value-added services to its citizens

- No defined strategy, emergent issues addressed as they occur

- Four-year strategy to tie in with political elections, to deliver services to citizens within a reducing budget

IT Strategy

- Five-year strategy, including action to investigate cloud computing

- No strategy

- Four-year strategy

IT/IS infrastructure

- 80 staff, 5500 personal computers and laptops, 180 sites, 200 servers, 220 departmental and corporate IT systems. All employees had basic IT use competency

- 100 staff, 6500 personal computers and laptops, 120 sites, 250 servers, 270 departmental and corporate IT systems. Most employees had basic IT use competency

- 120 staff, 7000 personal computers and laptops, 150 sites. 400 servers, 350 departmental and corporate IT systems. All employees trained in IT use competency

Budget

- £350 m

- £400 m

- £500 m

Population

- 160,000

- 200,000

- 250,000

In each Council (i.e. Local Government Authority) the Information, Communications and Technology (ICT) Departments are managed by the Head of ICT (HICT) and form part of a corporate support services directorate, which includes ICT, Legal, Administration, Finance and Property and reports to a Strategic Director. The corporate services directorate has two main functions. The first is to determine and monitor corporate and departmental strategies, policies and resources, in line with organisational objectives. The second is to provide corporate central support services to all other directorates. Most of these directorates in the cases are frontline, in that they deliver services direct to the public. The ICT department’s two main functions are consistent with that of the directorate. Namely, to facilitate corporate IT strategy and policy and to provide comprehensive ICT services to support corporate and user departmental objectives.

3.1 Information technology maturity

It is important for an organisation to evaluate its business objectives through continuous appraisal of its IT and also to deploy new IT developments (Andersen and Henriksen 2006; Mutsaer et al. 1998). There is a strong corporate desire in all case organisations to continue to improve the use and exploitation of IT to support improved business efficiency, decision-making, performance management as well as to serve as an important tool to engage and transact with the public. There is a consolidated IT function, which makes it easier to identify whether any IT associated financial resources are best utilised. IT functions and projects are well supported, with due diligence on return of investment. The IT maturity factor in UKLA1 would be 5, UKLA2 would be 3 and UKLA3 would be a 4 on a scale of 1 to 5 (Gartner 2011), where 5 is the most advanced and mature and 1 the least mature. These assessments were undertaken by the researchers during the case studies utilising the Gartner IT maturity measurement model.

4 Research methodology

Research into the adoption of new technologies highlights the need to consider a plethora of factors that broadly fall into human, organisational and technological categories. Given the relatively recent advent of cloud computing as a means of delivering computing as a service and thus, a utility rather than a product, it has challenged the largely accepted norms of computing. Having said this, the authors are seeking to explore constants in process and outcome in respect of creating a cross-case synthesis of public sector cloud computing rather than theory build or test. The mechanics of constructing Tables 1 and 2 was a physical clustering of risk and rewards factors.

In turn, this prompted the need to consider a research methodology that captures both the depth as well as the richness of emergent factors using anchor organisations that present broadly the same levels of organisation IT maturity using the works of Andersen and Henriksen (2006) as the frame of reference. This research is considered novel from the perspective of never having been explored when considering those factors that promote the rewards and risks surrounding the adoption of cloud computing. What was clear when considering the works of (Luftman and Ben-Zvi 2010a, 2010b; Luftman and Ben-Zvi 2011), which articulated that cloud computing has emerged as one of the key technologies that organisations are set to invest [in], with it [cloud computing] new to the list of key technologies. Given the nature of the research domain; specifically, its rapid evolution and prominence in terms of organisational priorities, and need to capture rich contextual information in pursuit of the underlying research questions, there was a need for a research methodology that would involve and enfranchise an organisation and its staff, so that the knowledge surrounding the adoption and use of cloud computing could be harnessed to develop effective technology management taxonomies that lead to descriptive lessons learnt. The research methodology is illustrated in Fig. 1.
Fig. 1

Research methodology

Considering the originality and exploratory nature of this research, a case study strategy was chosen; see, for example, Hakim 1987; Eisenhardt 1989; Galliers 1992; Yin 2009 Kotlarsky et al. 2007). Given that this paper sought to identify the rewards and risks associated with cloud computing and the development of practical lessons, it was felt that a broad, rich exploratory approach was needed. As a result, a multiple-case approach was pursued. Herriott and Firestone (1983) consider that the conclusions drawn from multiple case studies are more compelling than those elicited from a single-case approach. Although a single-case approach allows for a greater degree of rich description, multiple-case approaches allow the investigators to cross-check research findings as well as contribute towards the development of conjectures or lessons learnt. When it comes to defining the number of studies to use, the literature is vague and indeed conflicting. Dyer and Wilkins. (1991) suggest that the appropriate number of cases should depend on issues such as; how much is known about the phenomenon and, what new information is likely to emerge from studying further cases. Eisenhardt (1989), on the other hand, is more prescriptive and suggests a multiple-case approach requires the study of at least four but no more than 10 cases. However, Gable (1994) suggests a multiple enquiry should include up to five companies. This study adopted a research strategy and use of methods similar to those of Allen et al. (2002) and was guided by the principles of Dyer and Wilkins. (1991).

4.1 Data collection

The data collection technique was participant observation (Atkinson et al. 1994; Myers 1997) but followed the major principles of doing fieldwork research as advocated by Fiedler (1978), Bonoma (1985), Dane (1990) and Yin (2009). In the context of this and other studies of this nature, participant observation provided unique access to data points, organisational processes and idiosyncrasies that may not normally have been available to others. However, this approach does come with drawbacks that need careful mitigation and management. Bias represents a significant challenge, with the threat of the observer being ‘sucked’ into the project as an advocate rather than observer. A variety of data have been used to derive the findings presented in this paper, which include interviews, observations, illustrative materials (for example, newsletters and other publications that form part of the case study organisations’ history) and past project management documentation. Table 4 presents a collection of data sources used in this study. A variety of secondary data sources were also used to collect data with regard to the development of technology management taxonomies and the extrapolation of lessons learnt.
Table 4

List of empirical materials

Empirical materials

Media

Explanation

Meeting minutes (MM)

Electronic/paper

1. Meetings of IT Corporate Plan Group and IT Strategy group

2. Meetings with cloud groups and sub-groups

3. Meetings of research group

Interview transcripts (IN)

Electronic/paper

1. Interviews with participants in Corporate Plan, IT strategy and cloud deployment groups

2. Final interviews with cloud project managers

3. Final interviews with senior stakeholders

Informal discussion notes (IDN)

Electronic/paper

1. Informal conversations with employees at non-managerial roles

2. Notes made from discussions with employees regarding the organisational culture, cloud adoption awareness etc.

Diaries (DI)

Paper

1. Reflections from participation in activities.

2. Written on the same or following day based on field notes.

Emails (EM)

Electronic documents

1. Meeting agendas

2. Comments on draft reports and minutes

3. Discussions/ frustrations comments exchanged among researchers

4. Time schedules and project plans

The authors have extensive industrial experience and have published research of a similar nature; thus, tacit and explicit experience played a major role in predefining the interview protocol to determine the blueprint of the research process. The interview protocol was subjected to the standard university process with regard to ethical approval of data collection methods and modes of collection. Notwithstanding, great care was taken to ensure that data bias did not contaminate the data collection process. An approach consistent with that used by Molla et al. (2006) when conducting exploratory research was used as part of the research design, where an iterative process of data collection, analysis, and checking was employed. This led to pattern identification and explanation building that resulted in the authors proffering descriptive lessons learnt after suitable balances and checks.

4.2 Interview process

Interviews were conducted among those who were considered to be independent and most knowledgeable when it came to the human, organisational and technical factors associated with the adoption of cloud computing within the case environment. Given the relatively new phenomenon under study the aim was to explore, analyse, understand, gain insight and facilitate sense making of the three organisations. Their job functions (to elicit data) in all three cases were:

  • Head of IT

  • Cloud Project Manager

  • IT Infrastructure Manager

  • Data Protection Manager

  • Finance Manager

  • Social Services Manager

The duration of each interview was 45 min, where every interview was conducted on a ‘one-to-one’ basis so as to stimulate conversation and break down any barriers that may have existed between the interviewer and interviewee. Furthermore, all interviews took place away from the normal office environment and possible disruption (interviews were conducted in a bookable meeting room). The authors acted as a neutral medium through which questions and answers were transmitted in an endeavour to eliminate bias. Essentially, bias in interviews occurs when the interviewer tries to tweak the wording of the question to fit the respondent (this also raises the problem of inconsistent questioning) or records only selected portions of the respondent’s answers. Most often, however, interviewer bias results from the use of probes or leading questions. Shaughnessy and Zechmeister (1994) explain that these are typically used by interviewers to get respondents to elaborate on ambiguous or incomplete answers. The interviewers were also mindful of the feedback respondents gave from their verbal and non-verbal responses.

4.3 Case study validity

The use of interviews, documentary sources, and observations indicated that internal validity needed to be addressed to ensure robustness of the findings. Interviews, in particular, were used, with each being digitally recorded and subsequently transcribed. These were given to each person that had been interviewed to check and resolve any discrepancies that may have arisen and eliminate any interviewer bias. Bearing in mind the array of evidence that was amassed, great care was undertaken by the authors to ensure that the data collected converged around similar facts rather than emotion. The authors believe that the procedures followed in conducting the study and use of triangulation for data collection (see, for example, Jick 1979) contributed to the reliability and validity of the study, while conforming to the prescriptions of Pan and Tan (2011). Therefore, the researchers have full confidence in the veracity of the research process and findings.

5 Case study findings

The case study findings are discussed in terms of cloud adoption relating to the emerging categories linking to (1) each of the case’s IT strategy, (2) motivation for implementing cloud technology, (3) the strategy adopted for evaluating the use of cloud technologies and finally (4) the cost benefits realised by exploiting these technologies by the government authorities. Within the context of the empirical enquiry, cloud computing is seen in its fundamental sense, means storing and accessing data and appropriate software over the internet instead of locally, through a hard drive. The term cloud is used a metaphor for the internet.

There is a common motivation across the case settings, where lower cost ‘Cloud’ hosted ICT services are offered wherever possible. By doing so, a services-share infrastructure environment is created that keep purchase, operational, support, upgrade, billing administration and renewal overheads to a minimum. Experienced benefits include delivery of server space being much faster and security and resilience improved. The critical aspect of the three case study research is that the research methodology explicitly sought to discover the underlying assumptions, contexts and experiences of those involved and resulting motivation in adopting cloud computing. By implementing cloud technologies the three case study organisations had emerging scenarios and categories of IT strategy, motivation, evaluation and cost benefit analysis that were extrapolated via the research methodology. The findings from the studies were analysed to help understand, conceptually, the appropriateness of cloud computing, and to elicit salient clear issues in terms of risk and rewards that are discussed later as part of the discussion section. Table 5 presents those cloud services used by each of the case within the context of this paper. While there is no suggestion of the ability to extrapolate generic outcomes, others will be able to draw constants in process and outcome when evaluating their cloud services within the broad framework of the presented research.
Table 5

Specific Types of Cloud Services/Technology Adopted

Cloud Service model category

Specific cloud service / technology

Technical service

Business service

UKLA1 findings

UKLA2 findings

ULKA3 findings

IaaS

Big Data Storage

Yes

No

Yes

Yes

Yes

IaaS

On Demand computer power

Yes

Yes

Yes

Yes

Yes

IaaS

Disaster recovery

Yes

Yes

Yes

Yes

Yes

PaaS

Virtualised servers

Yes

No

Yes

Yes

Yes

PaaS

SQL databases

Yes

Yes

Yes

Yes

Yes

SaaS

Enterprise resource management

Yes

No

Yes

No

Yes

5.1 Case one: UKLA1 findings

5.1.1 Link to IT strategy

In 2010, the case study organisation developed a five-year corporate IT business strategy which included 65 strategic actions. The Head of IT stated that “the main objectives were to establish a high-level IT strategy, develop and determine the scope of a corporate IT strategy, establish the Council’s current IT position, and establish what the Council should undertake to meet its corporate and departmental objectives in the areas relevant to the use of IT”.

The IT strategy was fully costed and developed to address the gaps between the current UKLA1 position and the desired UKLA1 position. The strategy also put in place the core components of a governance structure to manage the successful delivery of the IT strategy. The Head of IT noted that “the focus of the IT business strategy was on the business objectives of the organisation not technology”. One of the actions in this strategy was to investigate emerging IT solutions, such as cloud computing for big data storage, to determine the risks, rewards and merits of moving to a cloud solution. Following this review, it was determined that the cloud would be deployed and therefore this implementation occurred in early 2012.

5.1.2 Motivation for cloud

There were three main motivations for moving to cloud-based computing. The first being the perceived cost savings by leveraging big data storage, which had been promoted by central government’s G-Cloud. The second being the political pressure from central government to move to a cloud computing infrastructure (e.g. PaaS). These two differing political motivations were instrumental factors. The third motivation was other risks and rewards that have been highlighted, which were carefully considered as part of the decision to introduce cloud. The rewards included, faster implementation, flexibility of work practices, increased resilience, reduced maintenance, release of internal IT staff resources, shared resources, centralisation and handling of peak loads. The risks included, for example, poor performance, service availability, capacity issues, security and privacy, disaster recovery facilities, data ownership, integration issues, governance and supplier trust. The Head of IT stated that “a formal business case was developed highlighting the risks, rewards, pros and cons of cloud. This was considered by senior IT management at the organisation and a decision was made to proceed”. This executive decision to adopt the cloud therefore was heavily dependent on the risks and reward evaluation exercise undertaken by UKLA1. These strategic, operation and tactical risk and reward factors are discussed, analysed and presented later in this paper.

5.1.3 Evaluation of cloud technology

Prior to implementation, the cloud approach was considered via a formal business case. The case included potential and anticipated savings of approximately £500 k p.a. This was based on savings on licensing costs for existing solutions (e.g. enterprise resource management systems) which had been deployed to the cloud, minus the set-up and ongoing revenue costs of moving to the cloud solution. The case study organisation has recently undertaken a post-implementation review and robust cost-benefit analysis. The savings of £500 k are on target to be delivered. The savings have been achieved by reducing the revenue budget for licensing costs by the corresponding amount. The Finance Manager stated that “the savings arising from the implementation of cloud are substantial and due to be realised. I will be able to reduce the IT budget and use the saving elsewhere in the council where extra financial resources are required”.

5.1.4 Cost benefits

The deployment of IT often results in cost savings and efficiencies (Remenyi et al. 2000; Irani and Love 2008). The implementation of the cloud, according to the literature and government reports (Sultan 2014; Gartner 2010; Cabinet Office 2011b), should reduce costs. This was realised at an early stage in the cloud implementation, due to immediate savings on legacy licensing and hardware costs. However, there is a need for a future post-implementation value and benefit appraisal to determine whether the cloud implementation continues to be cost-effective, especially if the number of units increases substantially or unit costs rise. The Finance Manager highlighted that “there will be a need for ongoing financial and benefit evaluation our cloud solution”. The authority has experienced recent demands for home and mobile working from staff. This trend is matched by organisations in almost every business and government sector in the UK (Gartner 2010). The cloud deployment has helped with this emerging business requirement, as the Social Services manager stated the “staff can access the UKLA1 systems from any location with sufficient internet access and appropriate device(s). The cloud fully supports our current and future service delivery plans”.

In relation to risks and reward of the cloud, clearly an early reward for UKLA1 was significant cost savings. The adoption of the cloud as the core of the UKLA1’s existing and future service delivery plans, raises its strategic value, which is also a key reward. Moreover, improved productivity and internal collaboration was evident. Further rewards include a modern approach to business processes, reducing the head count of administrative staff, improved efficiency and improved data quality. In addition, the reduction of IT office server space was leading to reduced carbon footprint. However, there were also a number of risks evident. These include, for example, lack of clear data ownership, loss of IT infrastructure control and dependence on the cloud supplier. Whilst these risks had emerged, they were being mitigated by UKLA1. The rewards drawn from the literature are mapped against the case study findings in Table 6 below.
Table 6

Rewards mapped against case study organisations

Classification

Factors

UKLA1 findings

UKLA2 findings

UKLA3 findings

Strategic

• Centralisation of infrastructure

• Increased resilience

• Device and location independence

• Release internal IT resources

• Better Citizen Services

• Green Technology

Tactical

• Improved business continuity and disaster recovery

• Improved agility and empowerment

• Faster implementation

• Improved security

• Scalability

• Easier application migration

Operational

• Reduced costs

• Reduced maintenance and support

• Flexibility of work practices

• Utilisation and efficiency improvements

• Shared services

• Increased Peak-load capacity

5.2 Case two: UKLA2 findings

5.2.1 Link to IT strategy

The case study organisation does not have an IT business strategy or a corporate strategy. The Head of IT stated that “emerging organisational and IT issues are addressed and 'batted' as they emerge”. The main emerging IT development was the cloud and the Council reviewed this as a potential solution to its IT needs. Prior to the cloud solution being implemented, a review of the risks and rewards of moving to a cloud solution was undertaken. The Head of IT noted that “this was required to give us confidence in the success, or otherwise of cloud. This was especially related to our poor existing IT infrastructure”.

5.2.2 Motivation for cloud

There was one main motivation for deploying a cloud solution. This was the fact that the internal IT infrastructure was in a poor state, due to a lack of investment. It was acknowledged that there was a need for new IT facilities and the cloud solutions such as on demand computer power, big data storage and networks was the agreed solution. All aspects of cloud were reviewed as per UKLA1. The Head of IT noted “we were at serious risk of our old existing IT infrastructure failing, because it was neither economic, efficient nor effective”. The risks and rewards were carefully considered by UKLA2. This process provided assurance that adopting the cloud was a valid and correct decision.

5.2.3 Evaluation of cloud technology

A very broad and basic cost analysis was undertaken by the IT department, with savings estimated at approximately £750 k p.a. These savings were based upon the fact that a new internal IT infrastructure was not required because it was being replaced by the cloud. The case study organisation has not yet undertaken a post-implementation review and therefore the estimated savings of £750 k cannot be confirmed. The Finance Manager highlighted that “we will need to do a future professional accounting financial analysis of the cloud solution to understand the actual savings realised and compare to the figure broadly calculated by our IT department”.

5.2.4 Cost benefits

A formal business case was not developed. The Head of ICT made the decision to proceed. The Head of IT stated that “Cloud technologies were needed urgently to replace our failing and ageing IT infrastructure”. However, it was also highlighted that there is a need for a future post-implementation appraisal to determine whether the cloud implementation has delivered savings. Early rewards, however, include fast implementation, reducing the head count of IT staff, resilience and improved agility. Other key rewards for UKLA2 included a small initial financial investment and the cloud services was only paid for when it is utilised. A further reward is that the cloud technology provided adequate scalability, in that the cloud takes care of IT demand fluctuations. In terms of risks, issues such as integration to legacy systems, provider lock-in and higher costs than expected had not been evident.

5.3 Case three: UKLA3 findings

5.4 Link to IT strategy

In 2012, the case study organisation developed a four-year corporate IT business strategy which included over 100 strategic actions. The main objectives were to establish a high-level IT strategy, identify what the Council should undertake to meet its organisational objectives via IT deployment and, importantly, making a strong contribution to efficiency and budgetary savings. The Head of IT noted that “the council as a whole had to make large budget savings and therefore the IT strategy had to play a major role with this issue”.

The IT strategy included a full cost breakdown with each action being identified as providing an efficiency or budget saving. The main focus of the IT business strategy was on business efficiencies and budgetary savings. These savings were not necessarily in the IT department but in user departments. However, the IT department was not protected from budget cuts and any IT investment had to be justified. One of the actions in this strategy was to investigate emerging IT solutions, such as cloud computing, to determine the risks, rewards and merits of moving to a cloud solution. Following this review, it was determined that the cloud business case was justified and cloud was deployed in early 2013. The IT Infrastructure Manager stated that “it appeared to be that cloud systems fitted well with both our IT and business requirements”.

5.4.1 Motivation for cloud

There were two main motivations for moving to cloud-based computing. The first being the perceived significant cost savings by leveraging big data storage capacity. The second was workforce efficiencies, such as remote working and secure immediate systems access while working in the field. Other risks and rewards were considered as part of the justification and business case to introduce cloud computing technology. The rewards included increased resilience, reduced maintenance, release of internal IT staff resources to make budget savings, centralisation and handling of peak loads. The risks included, for example, poor performance, service availability, capacity issues, security and privacy, disaster recovery facilities, data ownership, integration issues, governance and supplier trust. A formal business case was developed illustrating the implementation costs and efficiency and budgetary savings. This was considered by the Finance team together with the senior management team, including the CEO. The Finance Manager noted that “the financial figures indicated that there would be budgetary savings and improvements in efficiency. Cloud therefore, was deployed on this basis”. A key cloud benefit included the ability of UKLA3 to adopt and evolve quickly. Other key rewards, for example, included the centralisation of infrastructure, increased resilience, reduced IT resources, green technology and improved security.

5.4.2 Evaluation of cloud technology

Prior to implementation, the cloud was justified via a formal business case. The case included potential and anticipated savings of approximately £900 k per annum. This was based on savings on systems costs for existing solutions which had been deployed to the cloud, together with reductions in paper costs, travel costs and data storage costs due to remote working. However, this did not include the costs of the set-up and ongoing revenue costs of moving to the cloud solution. The case study organisation has not yet undertaken a post-implementation review and cost-benefit analysis. However, some savings of £250 k have been realised and the savings of £900 k are on target to be delivered. In addition to the savings already mentioned above, another significant saving was achieved through a reduction in the number of IT staff as fewer staff were required to support cloud infrastructure. The IT staff headcount was reduced from 120, to 110, which is approximately a 10% saving in IT staff costs. The Head of IT stated that “the loss of IT staff and resulting savings were an important factor”.

5.4.3 Cost benefits

The implementation of the cloud system realised cost savings of £900 k and improved efficiency. This was due to revenue budget savings together with agile, mobile and remote staff working. There was also a saving on IT staff costs and a small reduction in administrative costs. However, the Finance Manager stated that “there is a need for a full post-implementation value and benefit appraisal in the future to determine the savings from implementation of the cloud system”.

UKLA3 will undertake a full benefits review at some time in the future. Once undertaken, there will also be an annual review of costs and benefits. These reviews will be reported to the CEO, which will ensure financial and benefit appraisal transparency. Cost savings were a major motivation for the cloud implementation. The Head of IT commented “it is good that the CEO wishes to see the financial payback and he is ensuring that the cost savings and benefits are properly evaluated and regularly reported”. UKLA3 has had demands for home and mobile working from staff. These demands have been met with the deployment of cloud. The Head of IT noted that “with cloud, staff can access data and systems from home or when mobile, which is clearly a benefit and extremely resource efficient”. However, UKLA3 are at risk from data security breaches, as the data is accessed away from the office and therefore there is a risk the data is viewed by a third party. There is also the risk that equipment may be lost, which again could give data security breaches if non staff have access to UKLA3 data. Another risk is lack of data ownership, as the UKLA3 data is held externally by the cloud. Moreover there is risk of inadequate cloud performance. These risk examples are not exhaustive. A complete set of rewards and risks factors drawn from the literature are mapped against the case study findings in Tables 6 and 7 which are fully explored in the subsequent discussions section. It is important to note that the aim of the tables is to contrast and not to compare, in order for findings to be extrapolated.
Table 7

Risks mapped against Case Study Organisations

Classification

Factors

UKLA1 findings

UKLA2 findings

UKLA3 findings

Strategic

• Unproven financial business case

• Loss of governance

• Lack of trust on providers

• Security and privacy issues

Tactical

• Portability restrictions

• Lack of data ownership

• Integration restrictions

Operational

• Poor performance

• Limited storage capacity

• Financial pressures

• Loss of control

• Lack of detailed information about data locations

• Disaster recovery restrictions

• Lack of service availability

• Difficult to customise

6 Discussion

The rewards drawn from the literature are mapped against all case study findings in Table 6 below and discussed in this section. This was done via a manual process in which great care was taken to ensure that data bias did not contaminate the data collection process. An approach consistent with that used by Molla et al. (2006), was followed, to ensure robustness was followed. This approach is also explained in more detail in the research methodology section above. The aim was to obtain richness in each case organisation. These findings are graphically presented as ‘Not Significant’ (○), ‘Uncertain’ (◙) and ‘Significant’ (●) to illustrate the rewards that have been achieved in each case study organisation. This empirical data is then discussed further where there is no resonance with the literature to give further insight.

Each organisation was structurally similar; however they had different approaches on how to deploy the cloud and these motivations were highlighted in the case studies discussion prior to this section. Those aspects of the case studies in the table above which resonate and correspond with the literature provide further confirmation and are therefore not discussed in this study. The case study findings that are not identified in the literature are discussed below to give insight into the case issues, demonstrate progressive insight and help to extrapolate lessons learnt.

  • Improved resilience: Existing literature (Marinos and Briscoe 2009; Hamouda 2012; Cabinet Office 2011b) highlights resilience as a key advantage of cloud computing such that a failure of one node of the system in the cloud environment has no impact on information availability and does not result in perceivable downtime for the organisation. However, UKLA1 did not have improved resilience and occasional downtime was experienced by the case study organisation via the cloud deployment. This was explained as early ‘teething problems’, compounded by a complicated cloud configuration and implementation set-up. Strong representations were made to the cloud provider to resolve these issues. The case organisation even threatened to revert to the legacy systems if this was not resolved. This ongoing problem was having a significant effect on the case study organisation’s ability to operate and function. Clearly, when the cloud system was unavailable, all users were unable to utilise the cloud solution to undertake business functions. This issue was however not observed in UKLA2 or UKLA3.

  • Easier Application Migration: According to Youseff et al. (2008) and Lloyd et al. (2013), in an IaaS cloud environment application migration is focused on efficient moving of applications back and forth between a virtualised data centre and private cloud environment and public clouds. However, there were intermittent problems with the virtualisation and storage area network software deployed in the case study cloud solution, which made this a difficult transition for UKLA1. This issue also contributed to the lack of improved resilience. This was because applications were not being moved smoothly between the various decentralised cloud environments, which led to cloud downtime and delays to users’ access to systems. There were no issues of this nature in UKLA2 or UKLA3.

  • Utilisation and efficiency improvements: The literature (Aymerich et al. 2008; Accenture 2010) highlights the fact that cloud computing allows better utilisation rates of systems. The results from UKLA1 and UKLA3 support this finding. However, UKLA2 did not resonate with this finding, although this factor is currently unclear in the case study. Further work is needed to understand how and what future costs will be incurred. Future robust financial modelling is required, which will be undertaken by UKLA2. Organisationally, the case is trying to identify a set of key performance indicators (KPIs) that will help to measure future efficiency improvements. The Chief Executive Officer of UKLA2 considers this to be a priority that needs to be undertaken, as any new service delivery needs to be linked to ‘austerity’ (National Audit Office 2011). Cost savings are a key benefit claimed by cloud solution advocates but the position in this case is unclear and needs to be clarified.

  • Improved security: As per Aymerich et al. (2008) and Dorey and Leite (2011), organisations can benefit from improved security by leveraging the cloud service providers’ specialised security and privacy personnel and additional security systems and infrastructure. However, there was a significant security breach in UKLA2 due to loss of governance. This occurred when passing control to the private sector cloud service provider, who was hacked and some information was accessed by an unauthorised third party. This resulted in serious concerns within UKLA2. Cloud implementation in UKLA2 therefore resulted in more vulnerability and lack of control.

  • Reduced costs: Existing literature (e.g. Bhattacherjee and Park 2014; Sultan 2014) asserts that one of the key benefits of cloud computing is that generates significant cost efficiencies for users from economies of scale and from the inherent cost advantages of Internet-based computing. This has been evident in the case of UKLA1 and UKLA3. However, in UKLA2 a formal business case was not developed and therefore it is still unclear whether the solution has been cost effective. While there was an urgent need to replace the existing IT infrastructure and therefore the innovative cloud was deployed for a valid reason, there is a need to undertake a post-implementation, cost-benefit review that should address both direct and indirect costs which resonates with Hochstrasser (1992) and Irani (2010).

  • Increased Peak Load Capacity: According to Armbrust et al. (2010), one of the benefits of cloud computing technologies is that when peak-load capacity increases, organisations need not engineer for higher load-levels as the cloud systems are capable of handling such loads. Although UKLA 1 and 2 did concur with the views of Armbrust et al. (2010), UKLA3 experienced issues with peak-load capacity such that there were delays accessing the cloud when under significant load. This was still being looked at and addressed by UKLA3.

The drawbacks and risks extrapolated from the literature are now mapped against the case study findings in Table 7 below. These findings are graphically presented as ‘Not Significant ( ○), ‘Uncertain’ ( ◙) and ‘Significant’ (●) to illustrate the drawbacks and risks that have been evidenced in each case study organisation. This empirical data is then discussed further where there is no resonance with the literature to give further insight.

Once again, the case study findings that resonate with the literature are not discussed in this paper. The findings that did not reflect those factors identified in the literature are discussed below.

  • Unproven financial business case: Another important issue is the lack of a clear business case. According to Yam et al. (2011), since cloud projects are at an early stage, there are limited or unproven financial business cases supporting the adoption of cloud systems. However, this was not the position in UKLA1 and UKLA3, as clear, robust financial business cases were prepared. UKLA1 had also undertaken a post implementation cost-benefit review. UKLA3 were due to undertake a review of this type. It was also evident that all 3 cases had been highly motivated to deploy CC by political pressure from central government.

  • Loss of governance: According to Catteddu and Hogben (2009), one of the most important security risks when using cloud computing is a loss of governance for organisations. The authors assert that when using cloud infrastructure, the client relinquishes control to the cloud service provider which could, as a consequence, have an adverse effect on their regulatory compliance, thus leaving a gap in security and governance defences. However, this seems unlikely to occur in UKLA1 and UKLA3. This is because governance has been addressed by deploying a high two-factor authentication system. This gives a high level of security (i.e.128bit encryption) for users requiring access to the system. The case studies have also implemented a data classification approach, which classifies data according to importance and criticality. Important information is then encrypted and also backed locally as a fail-safe. While this approach will not resolve any cloud system failure, it does give the case study organisation secure and encrypted data in the cloud and access to its vital data locally as a backup system. These failsafe initiatives ensure that access to data and the data itself is secure and complies with regulatory requirements, together with provision of a suitable backup system.

  • Lack of trust on providers: Organisations relinquish direct control over many aspects of security and privacy to the cloud provider which requires a high level of trust of the provider (Armbrust et al. 2010). However, this was not seen as problematic from UKLA2 and UKLA3’s perspective. This was because the data held in the cloud was 128bit encrypted. This means that the data was secure and the custodian cloud supplier cannot access the data content. This was critical due to the confidential and sensitive data held in the cloud solution.

  • Portability restrictions: Another primary concern around cloud computing that exists in the literature (Wyld 2009) and among IT executives is the fear among organisations of being locked into vendors. This is due to high switching costs in terms of time and effort that would be needed to switch between cloud service providers resulting in portability restrictions. Nonetheless, the three UKLAs did not reflect this concern. This was because the cloud solution deployed was a leading industry solution. The case studies, following a risk assessment, considered this aspect as low risk, in the same way as the industry is locked into standard PC software, such as Microsoft. To further illustrate the point, only 18 IT vendors handle approximately 80% of the UK’s estimated public sector IT expenditure (National Audit Office 2011). Thus, highlighting the fact that the case study organisations were already in a restricted situation in terms of being able to switch IT providers. It is also highly unlikely that the cloud solution company will cease to exist in the future. Although there is a slight risk, the case organisations are satisfied with this small exposure.

  • Integration restrictions: According to Khajeh-Hosseini et al. (2010), integration with existing equipment, for example, IT in the case organisations could be problematic. However, this was not an issue in all UKLAs because the IT systems had been deployed to the cloud so there were no issues of this nature.

  • Poor performance: The literature (Iosup et al. 2011; Jansen 2011) reports that issues of poor performance are common with new cloud systems because the actual load is different from the predicted load. However, in UKLA1 and UKLA3 this was not problematic. This was because accurate load metrics were calculated and tested prior to the cloud migration. This ensured that there was sufficient load capacity and adequate performance. This was important as remediation of failure needed to be clear.

  • Limited storage capacity: Some cloud service providers can include restrictions on the capacity of internet and storage that they can provide (Goiri et al. 2010). However, this was not the position in all UKLAs. This was because each case organisation implemented a leading and proven cloud solution, which had demonstrated that it has sufficient capacity to deal with fluctuations and growth in cloud usage. This large capacity had been able to absorb all the extra workload generated by each case study organisation. The large cloud provider had also carried out many implementations in other organisations where capacity is likely to increase. In addition, there were new organisations deploying the cloud solution. The three case studies are carefully monitoring the situation to ensure any issues in relation to future shortage will be resolved. This is an important aspect due to increasing digitisation of public services. Limited capacity would be a major handicap to the organisations. Effectively, it would prevent the case study organisations from undertaking business functions. There were also peak-load internet network capacity issues with ULKA3, which were being addressed.

  • Financial pressures: A recent survey by a global media company highlights the fact that an organisation’s IT spending in the short term will increase prior to realising long-term cost savings (Framingham 2012). However, this was not the finding in UKLA1. This was because the case organisation had carefully negotiated a ‘pay on completion’ financial model. This was unusual, in that most IT and cloud providers expect payment to be made via staged payments throughout the project implementation. This innovative funding approach had the significant benefit of preventing short-term costs accruing and rising. Savings were made by switching off legacy systems and funding the new cloud solution by savings in legacy licensing and hardware costs. There was also a pay-as-you-go financial arrangement, which ensured an appropriate payment method. The case organisation focused on strong contractual negotiation and firm arrangements, which proved to be of significant benefit. There were financial pressures in UKLA2 and UKLA3, which were consistent with the literature.

  • Disaster recovery restrictions: As per Popovic and Hocenski (2010), there have been concerns over the partial or complete loss of data due to natural disasters when moving to a cloud environment. However, this was unlikely to occur in UKLA1 and UKLA3. This was because the cloud solution was a world-leading product, with several locations around the world. In the event a disaster should occur, the cloud provider will be able to recover the data and systems immediately. This was because the data and virtualised systems are replicated in several places worldwide. The case studies back-up of legacy systems were located offsite, in only one location. Due to geography and internal governance, this facility was within 20 miles of each case study’s IT data centres. This local arrangement was high risk. For example, a flood or storm could damage both data centres. The cloud solution has resolved this issue. Disaster Recovery is a key case study benefit of cloud deployment.

All three cloud deployments have different outcomes as discussed in the in the case studies, when compared with the normative literature. However, the overall perception by interviewees is that the cloud was well implemented and well supported by cloud supplier staff. There were also many positive aspects about future cloud developments, including improved information management, improved cloud support services and an increasing demand for cloud-based IT services from the more knowledgeable, assertive and well-informed users in these organisations.

The case study research enabled a broad, high-level picture to emerge from studying three particular local authority scenarios. A theory related to the implications of cloud computing from the perspective of risks and rewards may emerge, should future research confirm the findings reported in this study by conducting cross-industry surveys, and testing the relationship between the risks and rewards reports and a robust approach to evaluating an investment in cloud computing. Alternatively these cases and future exploration can form the basis around which institutional/organisational theory (Currie and Swanson 2009; Weerakkody et al. 2009) can be used to discover, test or explore cloud computing within public sector setting. The paper now presents the case synthesis and formulates lessons learnt by drawing on the literature and case study research.

7 Case synthesis and lessons learnt for cloud computing deployment

The relevant risk and reward issues extrapolated from the three cases, that is to say from an aggregated organisational user perspective and other relevant case study findings are discussed as part of this case synthesis section, together with a number of lessons learnt. These findings are presented to help identify important issues for effective cloud deployment.

A properly conducted cost-benefit analysis study should always be undertaken, which robustly identifies costs, value and benefits from the implementation of new technology. This enables organisations to understand the full cost impact and any cost savings of the system. All appropriate staff, including senior management, should participate in this activity. This resonates with Irani (2010). Senior management team commitment to the project was evident in all the UKLAs, which helped to drive the implementation and project delivery. The challenge facing the UKLAs will be to develop an appropriate full and growing cloud strategy aligned to business strategy, together with an internal support programme to manage demand. These factors require planning, managing and monitoring to ensure the best use, value and benefit is obtained from the investment in the technology to help ensure efficient, effective and successful IT. This resonates with Wilkins et al. (2009).

Strong project management was evident in all cases, which assisted with the cloud implementation and helped to ensure that the project was well implemented. Appropriate training was not undertaken in any case and this needs to be dealt with to further exploit the technology. Therefore, cloud education, support and training should be undertaken, which is orientated both to the cloud application and to its use within a business context. This resonates with Wilkins et al. (2009). Appropriate support from the internal IT teams and cloud IT teams was evident and this helped to facilitate a successful technical implementation in both cases. The case study organisations are developing common business processes to help streamline and deliver process efficiencies. Furthermore, UKLA1 has now implemented these in some departments within the organisation. This resonates with Gershon (2004) and Simpson (2011). Regular post-implementation unit cost monitoring and review processes should be introduced both to ensure that costs do not escalate, and to enable intervention at an early stage. This resonates with Irani and Love (2008).

The criteria for satisfying the business case objectives that have been drawn and extrapolated from the literature and the case studies are now presented in below Table 8. These findings are presented to help identify important issues for effective cloud deployment and the findings are graphically presented as ‘Not Significant’ (○), ‘Uncertain’ (◙) and ‘Significant’ (●). This table is tentative and should be used with care, because the findings from the case study are not generalisable; however, they may be generally useful (Walsham 1995). The table of case synthesis (Table 8) presented below illustrates the literature aspects and rationale, together with the case study findings. The need to fully implement these aspects should assist organisations in the future with cloud developments and improve cloud implementation elsewhere. The case organisations should address aspects that are partly or not implemented to obtain maximum value and benefit from the cloud deployment.
Table 8

Table of Case Synthesis

Aspect

Rationale

UKLA1 findings

UKLA2 findings

ULKA3 findings

1. Feasibility study, value and benefit appraisal

Understand impact

2. Senior IT management team commitment

Deliver project

3. Cloud Strategy aligned to business strategy

Meet business needs

4. Project Management

Deliver Project

5. Appropriate Training

Exploit Technology

6. Appropriate support

Ensure effectiveness

7. Better citizen services

Ensure efficiency

8. Regular post-implementation cost reviews

Understand costs

9. Appropriate data location of cloud

Ensure availability

10. Adequate security and privacy

Protect Data

11. Disaster recovery facilities

Ensure cloud recovery

12. Data ownership

Clarify responsibility

13. Governance

Clarify responsibility

14. Reduce IT staff headcount

Reduce costs

15. Adequate availability

Ensure availability

16. Financial pressures

Understand costs

17. Adequate Capacity

Ensure Availability

18. Portability Restrictions

Protect investment

19. Adequate performance

Ensure efficiency

20. Contract negotiation and arrangements

Protect investments

Table 8 above should also help researchers identify future research themes for cloud computing. The current position is optimistic in the organisations, because there is further potential to exploit existing cloud provision. Key staff in the case studies recognise that successful further development of the cloud, aligned to business and organisational strategy, will support many aspects of their organisations’ future and evolving working practices, including independent working via internet-ready devices. In the UK, there has been a lot of rhetoric and aspiration in relation to cloud computing. The evidence from the cases illustrates a mixed picture in relation to rewards and risks and there is further work to do.

The cases illustrate how the recent evolution of the cloud and connectivity improvements have the ability to transform the way public sector organisations do business, which are driving organisational redesign. However, integration with existing systems and customisation can be problematic. A major problem with UKLA2 was the illegal access to data via a significant security breach. With increasing financial pressure on the public sector, there is a need to maximise and exploit the cloud to deliver and plan for quality services effectively, taking decisions with all the available information to hand. The future of public sector IT will be shaped by the emerging technologies such as cloud computing and the tentative lessons presented in Table 9 represent an extrapolation of the key lessons learnt from the three case study organisations.
Table 9

Key lessons learnt and prerequisites from the case studies

Lessons

Description

Lesson 1

Public sector organisations need to critically question the underlying assumptions of their existing IT infrastructures and assess strategically whether a cloud solution fits the risks and rewards considered to be acceptable by the organisation and its stakeholder community.

Lesson 2

Cloud implementation should have an explicit concern for the organisational context and flexible working methods that need to be adopted if the full benefits of cloud computing are to be leveraged in the public sector.

Lesson 3

The views and assumptions of cloud should be exposed and considered within the public authorities’ evaluation process and not be ephemeral to it.

Lesson 4

The hierarchical and political nature of public sector organisations creates a barrier to change and this must be overcome to ensure cloud solutions are successful in practice.

Lesson 5

Public sector organisations must ensure the cloud solution is secure to ensure data is not accessed by unauthorised parties

Lesson 6

Public sector organisations should undertake a cloud benefits review to ensure the solution is a clear business case that is delivering cost savings, business efficiency savings and value for money.

Lesson 7

Public authorities should ensure that the strong leadership of the national government is followed to enable dynamic cloud solutions to be deployed to shape public sector outcomes.

Lesson 8

Public sector organisations should promote cloud internally and ensure adequate training is undertaken.

Lesson 9

Public authorities should implement adequate, legal, regulatory and governance frameworks to ensure cloud systems functions successfully.

Lesson 10

Public sector organisations should create a cloud aware culture to capitalise on the impact and benefits of cloud.

These new tentative lessons should generally be useful and should be carefully studied and applied to the right context as local government organisations structure and operations could vary (e.g. geographical, organisational or operational perspectives).

8 Conclusions

This research study has highlighted the experiences of deploying a cloud-based computing solution within three UK public sector case study organisations. In doing so, allowing others to draw parallels in constants and processes from the lessons presented thus potentially helping the public purse through preventing costly mistakes. The literature and research findings clearly highlight that the need for cloud computing solutions are continuing to grow as more organisations start using innovative means of data storage and sharing. Insights and theoretical perspectives can appear to be gained through drawing parallels from other technology-based paradigms, as this paper sought to provide a cross-case synthesis rather than theory build or test.

Both industry and academe predict a bright future for cloud computing as they expect it to become the norm, with companies mostly working on cloud-based applications by 2020 instead of using standard desktop systems. The reported research in this paper promotes an improved understanding of process and governance risk that will shift organisations’ preference from costly on-premises IT towards the auditable and robust security practices of cloud service providers. Public sector organisations in the UK have been put under pressure by central government to embrace cloud computing to captialise on its rewards. The three case organisations reported in this study have had to strategically implement cloud computing to meet a political mandate to reduce costs and gain efficiencies in departments against a backdrop of austerity. Apart from the benefits that these technologies have to offer, there were rising concerns about the risks that cloud computing can present to commercial users. The empirical finding from this study has highlighted several clear classifications of rewards (strategic, tactical and operational) and risks realised by the adopting organisation, following a robust evaluation of this new and emerging technology. Although there were mixed outcomes with the implementation of cloud computing across all three cases, the deployment of this technology has been well received by employees and users. This two-way communication and relationship between the organisations and the supplier(s) has been vital to an effective application of the cloud technologies within the cases. The deployment of cloud fully supports the service delivery plans in all of the case organisations.

The research study also identified lessons for future cloud deployments for organisations with similar characteristics to those of the case studies. Some of the findings that the case study organisations considered significant in influencing the adoption of a cloud solution included:

  • Government organisations are leveraging cloud computing technologies to help transform their operations to deliver improved citizen services in a cost effective way. For example, the Open UK Government initiative and Government as a Platform concept highlight better citizen services provided by governments to inform and empower the citizens through dashboards and scorecards.

  • Real-time automatic data synchronisation with internet-ready mobile data devices is predicted to significantly improve the organisational impact of cloud solution. These will need to be addressed along with strong contractual negotiations to protect investment decisions and project realisation (ex-post evaluation).

  • Flexible work practices and the significance of the senior management team in driving the implementation and project delivery of the cloud solution. Here, management is specifically distinguished from leadership right across the supply chain.

The contribution of this paper lies in demonstrating how cloud computing deployments may complement and improve existing approaches to IT implementation. The lessons learnt elicited from the research will be of benefit to both the IT practitioner and the research community, when developing their strategy to explore the deployment of a cloud based infrastructure is becoming a strategic imperative. Finally, this paper has sought to make an impact through enhance existing taxonomies of rewards and risks surrounding cloud computing. In doing so, it has contributed to the normative literature through strengthening existing knowledge and through providing new insights into cloud computing in the public sector. Thus, making a distinctive contribution to the emerging area of cloud computing and its strategic adoption within a governmental context.

Footnotes
1

Rewards in this research context is referred from the viewpoint of benefits or advantages brought about by implementing IT/IS with a desire to improve business or organisation performance, i.e. in order to realise business benefits (Ward et al. 1996). It is worth noting that the terms benefits and rewards are often used interchangeably within the academic literature.

 

Acknowledgements

The authors of this research would like to acknowledge the three case study organisations and their members of staff for their valuable time and assistance that have offered in generating the necessary data to ensure the completion of this research study.

Funding information

Funder NameGrant NumberFunding Note
Brunel University

    Copyright information

    © The Author(s) 2017

    Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.

    Authors and Affiliations

    • Steve Jones
      • 1
    • Zahir Irani
      • 2
    • Uthayasankar Sivarajah
      • 3
    • Peter E. D. Love
      • 4
    1. 1.Information Technology DepartmentConwy County Borough CouncilWalesUK
    2. 2.School of ManagementUniversity of BradfordBradfordUK
    3. 3.Brunel Business School, College of Business, Arts & Social SciencesBrunel University LondonMiddlesexUK
    4. 4.School of Built EnvironmentCurtin University of TechnologyPerthAustralia

    Personalised recommendations