Towards a Reference Model for Risk and Compliance Management of IT Services in a Cloud Computing Environment

  • Benedikt Martens
  • Frank Teuteberg


Industry analysts have made several enthusiastic projections on how cloud computing will transform the entire computing industry. According to recent research studies it is on the verge of becoming an extremely lucrative business: the financial profit to be drawn from business and productivity applications as well as related online advertising is expected to amount to billions of Dollars. However, the question arises whether there are any obstacles on the way to mature cloud computing environments. If one looks at IT outsourcing and the emerging field of cloud computing from an economic perspective, some obvious similarities between the two concepts strike the eye. In other words, already existing knowledge about the outsourcing of IT Services should be aligned with new arising obstacles and challenges created by the cloud. The objective of our paper is to support the improvement of decisionmaking processes by contributing to a better understanding of risk and compliance issues in the field of cloud computing and of their likely impacts. This can only be achieved by identifying the main risks and the necessary safeguards required. The reference model presented in this article could help to accomplish this goal.


Cloud Computing Reference Model Inform Science Systematic Literature Review Service Level Agreement 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. Adeleye, B. C. et al. (2004): Risk management practices in IS outsourcing: An investigation into commercial banks in Nigeria, in: International Journal of Information Management, 2004, 24(2), pp. 167–180.CrossRefGoogle Scholar
  2. Aloini, D. et al. (2007): Risk management in ERP project introduction: Review of the literature, in: Information & Management, 2007, 44 (6), pp. 547–567.CrossRefGoogle Scholar
  3. Anandasivam, A./Premm, M. (2009): Bid price control and dynamic pricing in clouds, in: Newell, P. et al. (Eds.), Information Systems in a Globalising World: Challenges, Ethics, and Practices, Proceedings of the 17th European Conference on Information Systems, Verona 2009, pp. 1–10.Google Scholar
  4. Armbrust, M. et al. (2009): Above the Clouds: A Berkeley View of Cloud Computing, online:–28.pdf, last update: 10.02.2009, date visited: 15.07.2009.
  5. Aubert, B. et al. (1998): Assessing the Risk of IT Outsourcing, in: Thirty-First Annual Hawaii International Conference on System Sciences, Band 6, Hawaii 1998, pp. 685–691.Google Scholar
  6. Aubert, B. et al. (2002): Managing IT Outsourcing Risk: Lessons Learned, in: Hirschheim, R. et al. (Eds.), Information Systems Outsourcing in the New Economy: Emergent Patterns and Future Directions, Berlin 2002, pp. 155–176.Google Scholar
  7. Bahli, B./Rivardp. (2003): The Information Technology Outsourcing Risk: a Transaction Cost and Agency theory-based Perspective, in: Journal of Information Technology, 2003, 18, pp. 211–221.Google Scholar
  8. Bernhard, M. (2003): Der Werkzeugkasten für Service-Level-Kennzahlen, in: Bernhard, M. et al. (Eds.), IT-Outsourcing und Service-Management, Düsseldorf 2003, pp. 295–312.Google Scholar
  9. Bible, L. et al. (2006): The Balanced Scorecard: Here and back, in: Management Accounting Quarterly, 2006, 7(4), pp. 18–23.Google Scholar
  10. Blecken, A. et al. (2009): Humanitarian Supply Chain Process Reference Model, in: International Journal of Services, Technology and Management, 2009, 12(4), pp. 391–413.CrossRefGoogle Scholar
  11. Braun, C./Winter, R. (2005): A Comprehensive Enterprise Architecture Metamodel and Its Implementation Using a Metamodeling Platform, in: Desel, J., Frank, U. (Eds.), Enterprise Modelling and Information Systems Architectures, Proceedings of the Workshop in Klagenfurt, GI-Edition Lecture Notes (LNI), Klagenfurt 2005, pp. 64–79.Google Scholar
  12. Braunwarth, K.p./Heinrich, B. (2008): IT-Service-Management – Ein Modell zur Bestimmung der Folgen von Interoperabilitätsstandards auf die Einbindung externer IT-Dienstleister, in: Wirtschaftsinformatik, 2008, 50(2), pp. 98–110.CrossRefGoogle Scholar
  13. vomBrocke, J. (2007): Construction Concepts for Reference Models – Reusing Information Models by Aggregation, Specialisation, Instantiation, and Analogy, in: Loos, P./Fettke, P. (Eds.), Reference Modelling for Business Systems Analysis, Hershey 2007, pp. 47–75.Google Scholar
  14. vomBrocke, J. et al. (2009): Reconstructing the Giant: On the Importance of Rigour in Documenting the Literature Search Process, in: Newell, P. et al. (Eds.), Information Systems in a Globalising World: Challenges, Ethics, and Practices, Proceedings of the 17th European Conference on Information Systems, Verona 2009, pp. 1–10.Google Scholar
  15. Brown, D. H./Lockett, N. J. (2001): Engaging SMEs in E-commerce: The Role of Intermediaries within eClusters, in: Electronic Markets, 2001, 11(1), pp. 52–58.CrossRefGoogle Scholar
  16. Breiter, G./Behrendt, M. (2008): Cloud Computing Concepts, in: Informatik Spektrum, 2008, pp. 624–628.Google Scholar
  17. Brown, D. (2008): It is good to be green: Environmentally friendly credentials are influencing business outsourcing decisions, in: Strategic Outsourcing: An International Journal, 2008, 1(1), pp. 87–95.Google Scholar
  18. Buyya, R. et al. (2008): Market-Oriented Cloud Computing: Vision, Hype, and Reality for Delivering IT Services as Computing Utilities, in: Proceedings of the 10th IEEE International Conference on High Performance Computing and Communications, Dalian 2008.Google Scholar
  19. Cederlund, J. et al. (2007): Global Sourcing of IT Services: Necessary Evil or Blessing in Disguise?, in: Communications of the Association for Information Systems, 2007, 19, Article 14.Google Scholar
  20. Cobit4.1 (2004): Control Objectives for Information and Related Technology Version 4.1, online:, last update: 15.07.2009, date visited: 15.07.2009.
  21. Cullen, P. et al. (2005): IT outsourcing configuration: Research into defining and designing outsourcing arrangements, in: The Journal of Strategic Information Systems, 2005, 14(4), pp. 357–387.CrossRefGoogle Scholar
  22. CurrieW./SeltsikasP. (2001): Exploring the supply-side of IT outsourcing: evaluating the emerging role of application service providers, in: European Journal of Information Systems, 2001, 10(3), pp. 123–134.CrossRefGoogle Scholar
  23. Delic, K. A./Walker, M. A. (2008): Emergence of The Academic Computing Cloud, in: ACM Ubiquity, 2008, 9(31), Article 1.Google Scholar
  24. Dibbern, J. et al. (2004): Information Systems Outsourcing: A Survey and Analysis of the Literature, in: The DATA BASE for Advances in Information Systems, 2004, 34(4), pp. 6–102.Google Scholar
  25. ElKharbili, M. (2008): Towards a Framework for Semantic Business Process Compliance Management, in: Proceedings of the GRCIS'08 Workshop at CAiSE'08 - Governance, Risk and Compliance: Applications in IS, 2008.Google Scholar
  26. Eymann, T. (2008): Cloud Computing, in: Kurbel, K. et al. (Eds.), Enzyklopädie der Wirtschaftsinformatik, online:, date visited: 15.07.2009.
  27. FettkeP./LoosP. (2007): Perspectives on Reference Modeling, in: FettkeP./LoosP. (Eds.), Reference Modeling for Business Systems Analysis, 2007, pp. 1–20.Google Scholar
  28. Fleming, R./Low, G. (2007): Information System Outsourcing Relationship Model, in: Australian Journal of Information Systems, 2007, 14, pp. 95–112.Google Scholar
  29. Foster, I. (2005): Service-Oriented Science, in: Science, 2005, 308(5723), pp. 814–817.CrossRefGoogle Scholar
  30. Gefen, D. et al. (2008): Business familiarity as risk mitigation in software development outsourcing contracts, in: MIS Quarterly, 2008, 32(3), pp. 531–542.Google Scholar
  31. Goodman, P. E./Ramer, R. (2007): Global Sourcing of IT Services and Information Security: Prudence before Playing, in: Communications of the Association for Information Systems, 2007, 20, Artikel 50.Google Scholar
  32. Günther, O. et al. (2001): Application Service Providers: Angebot, Nachfrage und langfristige Perspektiven, in: Wirtschaftsinformatik, 2001, 45(6), pp. 555–568.Google Scholar
  33. Hall, J./Liedtka, St. (2007): The Sarbanes-Oxley Act: Implications for large-scale IT Outsourcing, in: Communications of the ACM, 2007, 50(3), pp. 95–100.CrossRefGoogle Scholar
  34. Hayes, B. (2008): Cloud Computing, in: Communications of the ACM, 2008, 51(7), pp. 9–11.CrossRefGoogle Scholar
  35. Iacovou, C. L./Nakatsu, R. (2008): A risk profile of offshore-outsourced development projects, in: Communications of the ACM, 2008, 51(6), pp. 89–94.CrossRefGoogle Scholar
  36. Iqbal, M./Nieves, M..(2007): Service Strategy, 2. Auflage, London 2007.Google Scholar
  37. JayatilakaB. et al. (2003): Determinants of ASP choice: an integrated perspective, in: European Journal of Information Systems, 2003, 12(3), pp. 210–224.CrossRefGoogle Scholar
  38. Kaplan, R./Norton, D. (1997): Balanced Scorecard, Stuttgart 1997.Google Scholar
  39. Karagiannis, D. (2008): A Business Process-Based Modelling Extension for Regulatory Compliance, in: Bichler, M. et al. (Eds.), Multikonferenz Wirtschaftsinformatik 2008, Berlin 2008, pp. 1159–1173.Google Scholar
  40. Kargl, H./Kütz, M. (2007): IV-Controlling, 5. Auflage, München 2007.Google Scholar
  41. Kauffman, R./Sougstad, R. (2008): Risk Management of Contract Portfolios in IT Services: The Profit-at-Risk Approach, in: Journal of Management Information Systems, 2008, 25(1), pp. 17–48.CrossRefGoogle Scholar
  42. Klotz, M./Dorn, D.-W. (2008): IT-Compliance – Begriff, Umfang und relevante Regelwerke, in: HMD – Praxis der Wirtschaftsinformatik, 2008, 263, pp. 5–14.Google Scholar
  43. Knolmayer, G. F. (2007): Compliance-Nachweise bei Outsourcing von IT-Aufgaben, in: Wirtschaftsinformatik, 2007, 49, pp. 98–106.Google Scholar
  44. Kondo, D. et al. (2009): Cost-Benefit Analysis of Cloud Computing versus Desktop Grids, in: 18th International Heterogeneity in Computing, Workshop, 2009.Google Scholar
  45. Krause, E. (2008): Methode für das Outsourcing in der Informationstechnologie von Retail- Banken, Berlin 2008.Google Scholar
  46. Kütz, M. (2009): Kennzahlen in der IT – Werkzeuge für Controlling und Management, 3. Auflage, Heidelberg 2009.Google Scholar
  47. Lacity, M. C./Willcocks, L. P. (1998): An empirical investigation of information technology sourcing practices: Lessons from experience, in: MIS Quarterly, 1998, 22(3), pp. 363–408.CrossRefGoogle Scholar
  48. Lee, J. et al. (2003): IT outsourcing evolution: past, present, and future, in: Communications of the ACM, 2003, 46(5), pp. 84–89.CrossRefGoogle Scholar
  49. Martens, B./Teuteberg, F. (2009a): Ein Referenz- und Reifegradmodell für integrierte Fundraising-Managementsysteme an Hochschulen, in: Hansen, H. R. et al. (Eds.), Tagungsband der 9. Internationalen Tagung Wirtschaftsinformatik: Business Services: Konzepte, Technologien, Band 2: Anwendungen, 2009, pp. 543–552.Google Scholar
  50. Martens, B./Teuteberg, F. (2009b): Why Risk Management Matters in IT Outsourcing – A Systematic Literature Review and Elements of a Research Agenda, in: Newell, P. et al. (Eds.), Information Systems in a Globalising World: Challenges, Ethics, and Practices, Proceedings of the 17th European Conference on Information Systems, Verona 2009, pp. 1–10.Google Scholar
  51. Matros, R. et al. (2009): Make-or-Buy im Cloud-Computing – Ein entscheidungsorientiertes Modell für den Bezug von Amazon Web Services, online:, date visited: 15.07.2009
  52. Meeker, M. et al. (2008): Morgan Stanley – Technology Trends, online:, last update: 12.06. 2008, date visited: 18.07.2008.
  53. Mei, L. et al. (2008): A Tale of Clouds: Paradigm Comparisons and Some Thoughts on Research Issues, in: Asia-Pacific Services Computing Conference, 2008, p. 464–469.Google Scholar
  54. Mika, P./Tummarello, G. (2008): Web Semantics in the Clouds, in: IEEE Intelligent Systems, 2008, 23(5), pp. 82–87.CrossRefGoogle Scholar
  55. Mossanen, K./AmbergM. (2008): IT-Outsourcing & Compliance, in: HMD – Praxis der Wirtschaftsinformatik, 2008, 263, pp. 58–68.Google Scholar
  56. Müller, P./Supatgiat, C. (2007): A quantitative optimization model for dynamic risk-based compliance management, in: IBM Journal of Research and Development, 2007, 51(3/4), pp. 295–307.CrossRefGoogle Scholar
  57. Murthy, P. (2004): The Impact of Global Outsourcing on IT Providers, in: Communications of the Association for Information Systems, 2004, 14, Artikel 25.Google Scholar
  58. Ngwenyama, O. K./SullivanW. E. (2006): Secrets of a Successful Outsourcing Contract: A Risk Analysis, in: LjungbergJ./Andersson, M. (Eds.), Proceedings of the 14th European Conference on Information Systems, Göteborg 2006, pp. 1–10.Google Scholar
  59. Oh, W. et al. (2006): The Market's Perception of the Transactional Risks of Information Technology Outsourcing Announcements, in: Journal of Management Information Systems, 2006, 22(4), pp. 271–303.CrossRefGoogle Scholar
  60. PearsonP. (2009): Taking account of privacy when designing cloud computing services, in: Proceedings of the 2009 ICSE Workshop on Software Engineering: Challenges of Cloud Computing, 2009, pp. 44–52.Google Scholar
  61. Püschel, T. et al. (2009): Revenue Optimization Through Automated Policy Decisions, in: Newell, P. et al. (Eds.), Information Systems in a Globalising World: Challenges, Ethics, and Practices, Proceedings of the 17th European Conference on Information Systems, Verona 2009, pp. 1–10.Google Scholar
  62. Rohloff, M. (2008): A Reference Process Model for IT Service Management, in: Proceedings of 14th Americas Conference on Information Systems, Madison 2008.Google Scholar
  63. Sackmann, P. et al. (2009): Selecting Services in Business Process Execution – A Risk-based Approach, in: Hansen, H. R. et al. (Eds.), Business Services: Konzepte, Technologien, Anwendungen, Tagung Wirtschaftsinformatik (WI'09), 2009, pp. 357–366.Google Scholar
  64. Saeed, K./Leitch, R. (2003): Controlling Sourcing Risk in Electronic Marketplaces, in: Electronic Markets, 2003, 13(2), pp. 163–173.CrossRefGoogle Scholar
  65. Sakthivel, P. (2007): Managing risk in offshore systems development, in: Communications of the ACM, 2007, 50(4), pp. 69–75.CrossRefGoogle Scholar
  66. Singh, C., et al. (2004): Rental software valuation in IT investment decisions, in: Decision Support Systems, 2004, 38(1), pp. 115–130.CrossRefGoogle Scholar
  67. Skillicorn, D. (2002): The Case for Data-Centric Grids, in: Proceedings of the 16th International Parallel and Distributed Processing Symposium, 2002, pp. 247–251.Google Scholar
  68. Smith, M./Kumar, R. (2004): A theory of application service provider (ASP) use from a client perspective, in: Information & Management, 2004, 41(8), pp. 977–1002.CrossRefGoogle Scholar
  69. Sury, U. (2009): Cloud Computing und Recht, in: Informatik Spektrum, 2009, 32(2), pp. 83–84.Google Scholar
  70. TheEconomist (2008): When clouds collide, in: Economist, 2008, Volume 386 (Issue 8566), pp. 69–70Google Scholar
  71. ThomsonReuters (2009): Journal Citation Reports, online:, date visited: 14.07.2009.Google Scholar
  72. Turner, J. R. (2008): Gower Handbook of Project Management, 4. Auflage, Cornwall 2008.Google Scholar
  73. Vitharana, P./Dharwadkar, R. (2007); Information Systems Outsourcing: Linking Transaction Cost and Institutional Theories, in: Communications of the Association for Information Systems, 2007, (20), pp. 346–370.Google Scholar
  74. Vykoukal, J. et al. (2009): Services Grids in Industry -On-Demand Provisioning and Allocation of Grid-based Business Services, in: Wirtschaftsinformatik, 2009, 51(2), pp. 206– 214.CrossRefGoogle Scholar
  75. Wang, L. et al. (2008): Scientific Cloud Computing: Early Definition and Experience, in: Proceedings of 10th IEEE International Conference on High Performance Computing and Communications, pp. 825–830.Google Scholar
  76. Webster, J./Watson, R. T. (2002). Analyzing the past to prepare for the Future: Writing a Literature Review, in: MIS Quarterly, 2002, 26(2), pp. xiii–xxiii.Google Scholar
  77. Weinhardt, C. et al. (2009): Business Models in the 2. Service World, in: IEEE IT Professional, 2009, 11(2), pp. 28–33.CrossRefGoogle Scholar
  78. Weiss, A. (2007): Computing in the Clouds, in: netWorker, 2007, 11(4), pp. 16–25.CrossRefGoogle Scholar
  79. Xiong, L. et al. (2007): Preserving data privacy in outsourcing data aggregation services, in: ACM Transactions on Internet Technologies, 2007, 7(3), pp. 1–28.Google Scholar
  80. Zhang, L.-J. (2008): Introduction to the Knowledge Areas of Services Computing, in: IEEE Transactions on Services Computing, 2008, 1(2), pp. 62–74.CrossRefGoogle Scholar

Copyright information

© Gabler Verlag | Springer Fachmedien Wiesbaden GmbH 2011

Authors and Affiliations

  • Benedikt Martens
    • 1
  • Frank Teuteberg
    • 1
  1. 1.University of OsnabrückOsnabrück

Personalised recommendations